RBAC role to manage single pod with dynamic name

Question

I need to grant access to one deployment and all pods of this deployment using RBAC. I've managed to configure Role and RoleBinding for the deploymet, and it's working fine:

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: <my-namespace>
  name: <deployment>-manager-role
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["deployments"]
    resourceNames: ["<deployment>"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: <deployment>-manager-binding
  namespace: <my-namespace>
subjects:
  - kind: User
    name: <username>
    apiGroup: ""
roleRef:
  kind: Role
  name: <deployment>-manager-role
  apiGroup: ""

Using this role user can access, update and patch the deployment. This deployment creates pods with dynamic names (like <deployment>-5594cbfcf4-v4xx8). I tried to allow this user to access these pods (get, list, watch, read logs, exec, delete) using deployment name and using deployment name + wildcard char *:

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: <my-namespace>
  name: <deployment>-pods-manager-role
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["pods"]
    resourceNames: ["<deployment>*"]
    verbs: ["get", "list", "watch", "update", "patch", "exec", "delete"]

I also updated the role binding. But when I try to get the pod:

kubectl --context=<username>-ctx -n <namespace> get pods <deployment>-5594cbfcf4-v4xx8

I'm getting error:

Error from server (Forbidden): pods "<deployment>-5594cbfcf4-v4xx8" is forbidden: User "<username>" cannot get resource "pods" in API group "" in the namespace "<namespace>"

If I add <deployment>-5594cbfcf4-v4xx8 to the list of resourceNames, user can access this pod.

Is it possible to grant access to the specific pods based on deployment name?

Permissions is usually set by namespace, use that model instead - it will be easier. — Jonas, Dec 24 '19 at 08:31

score 21 · Accepted Answer · answered Dec 24 '19 at 15:59

In Kubernetes, pods are considered as an ephemeral "cattle", they come and go. You shouldn't try to manage RBAC per pod.

In your use case, there is unfortunately no way to grant a role over a set of pods matching a certain name, because the resourceNames field doesn't support patterns like prefixes/suffixes. Don't get confused: a single asterisk character ('*') has a special meaning that means "all", but it's not a pattern. So, 'my-app-* in resourceNames will not work. There were tickets opened for this feature, but it wasn't implemented:
https://github.com/kubernetes/kubernetes/issues/56582

There was also a request to be able to manage RBAC over labels, but that feature isn't implemented neither:
https://github.com/kubernetes/kubernetes/issues/44703

Therefore, you probably need to change your model to grant roles to users to manage all pods in a certain namespace. Your deployment should be the only "source of pods" in that namespace. That way, you will not need to specify any resource names.

Personally feel like this is a major weakness with RBAC, because that kind of fine-graimed permission is often necessary. For instance, I want to be able to give devs `exec` access to their deployment's pods for debugging, but not to others. Argh. I'm a bit frustrated. — Hebe Hilhorst, Nov 12 '20 at 16:55

RBAC role to manage single pod with dynamic name

1 Answers1