
Is there a way to create a K8s ClusterRole with full access (all resources, verbs and API groups in any namespace) but no command execution across all namespaces, for example kubectl delete pods --all-namespaces or kubectl delete pv --all-namespaces?

(Running the same commands against a single namespace should be allowed, just not in bulk across all namespaces.)

If this cannot be achieved with a ClusterRole, is there another way to achieve it?

Wytrzymały Wiktor
Gaby

1 Answer

What if you bind the ClusterRole to only the needed namespaces and don't give permissions for the restricted ones? That's not a full solution, but at least the user won't be able to delete the ones they don't need. And strictly answering your question: I'm not sure this is possible.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: testsa
  namespace: default
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: testclusterrole
rules:
# Core ("") API group. Note that namespaces are cluster-scoped, so a RoleBinding
# cannot grant them; that entry only takes effect through a ClusterRoleBinding.
- apiGroups: [""]
  resources: ["pods", "services", "namespaces"]
  verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
# Deployments live in the apps group, not the core group.
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
# Jobs live in the batch group.
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
---
# Bind the ClusterRole per namespace with a RoleBinding; its rules then apply
# only to requests scoped to that namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-master-1
  namespace: namespace1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: testclusterrole
subjects:
- kind: ServiceAccount
  name: testsa
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-master-2
  namespace: namespace2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: testclusterrole
subjects:
- kind: ServiceAccount
  name: testsa
  namespace: default

Vit
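Why a per-namespace RoleBinding does not grant a bulk cross-namespace operation, as an added illustration that is not part of the question or the answer: the Kubernetes authorizer applies a RoleBinding only to requests scoped to that binding's namespace. A list across all namespaces (what kubectl issues for --all-namespaces) is a request with an empty namespace, and so is any request on a cluster-scoped object such as a PersistentVolume, so neither is covered by a RoleBinding in namespace1 or namespace2. The script below models that evaluation offline in Python. The manifests are rebuilt as dicts from the answer's YAML (constructed), the ClusterRoleBinding is hypothetical and included only for contrast, and the pod namespaces inside kubectl_delete_pods are a constructed fixture.

```python
"""Offline model of how the Kubernetes RBAC authorizer treats a RoleBinding
to a ClusterRole versus a ClusterRoleBinding.

Added example; this is not Kubernetes source and not code from the question
or answer. The manifests are rebuilt as Python dicts (constructed) from the
answer's YAML: ServiceAccount default/testsa, ClusterRole testclusterrole,
RoleBindings in namespace1 and namespace2.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One API request as the authorizer sees it."""
    verb: str
    api_group: str   # "" is the core group
    resource: str
    namespace: str   # "" for cluster-scoped objects or a cluster-wide list


ALL_VERBS = ["get", "watch", "list", "create", "delete", "patch", "update"]

# Constructed from the answer's ClusterRole, each resource in its real API group.
CLUSTER_ROLES = {
    "testclusterrole": [
        {"apiGroups": [""], "resources": ["pods", "services", "namespaces"], "verbs": ALL_VERBS},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ALL_VERBS},
        {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ALL_VERBS},
    ],
}

SUBJECT = "system:serviceaccount:default:testsa"

# Constructed from the answer's two RoleBindings. A RoleBinding is namespaced.
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "namespace1", "roleRef": "testclusterrole", "subjects": [SUBJECT]},
    {"kind": "RoleBinding", "namespace": "namespace2", "roleRef": "testclusterrole", "subjects": [SUBJECT]},
]

# Hypothetical ClusterRoleBinding, for contrast only; the answer does not create one.
CLUSTER_WIDE_BINDING = {"kind": "ClusterRoleBinding", "roleRef": "testclusterrole", "subjects": [SUBJECT]}


def _matches(allowed, wanted):
    return "*" in allowed or wanted in allowed


def rule_allows(rule, req):
    return (_matches(rule["apiGroups"], req.api_group)
            and _matches(rule["resources"], req.resource)
            and _matches(rule["verbs"], req.verb))


def binding_applies(binding, req):
    """A ClusterRoleBinding covers every request. A RoleBinding covers only
    requests scoped to its own namespace, so it never covers namespace "":
    neither cluster-scoped objects nor a list across all namespaces."""
    if binding["kind"] == "ClusterRoleBinding":
        return True
    return req.namespace != "" and req.namespace == binding["namespace"]


def can_i(subject, req, bindings=BINDINGS, roles=CLUSTER_ROLES):
    """Equivalent of `kubectl auth can-i`: allowed if any applicable binding's
    role has a matching rule. RBAC is allow-only; there is no deny rule."""
    return any(
        rule_allows(rule, req)
        for b in bindings
        if subject in b["subjects"] and binding_applies(b, req)
        for rule in roles[b["roleRef"]]
    )


def kubectl_delete_pods(subject, namespace=None, all_namespaces=False, bindings=BINDINGS):
    """Model of a bulk `kubectl delete pods` in one namespace or with
    --all-namespaces: kubectl first LISTs pods (namespace "" when
    --all-namespaces), then DELETEs each one in its own namespace.
    Returns "denied at list", "denied at delete" or "deleted"."""
    list_ns = "" if all_namespaces else namespace
    if not can_i(subject, Request("list", "", "pods", list_ns), bindings):
        return "denied at list"
    # Constructed fixture: pods exist in namespace1, namespace2 and kube-system.
    pod_namespaces = ["namespace1", "namespace2", "kube-system"] if all_namespaces else [namespace]
    for ns in pod_namespaces:
        if not can_i(subject, Request("delete", "", "pods", ns), bindings):
            return "denied at delete"
    return "deleted"


if __name__ == "__main__":
    print(kubectl_delete_pods(SUBJECT, namespace="namespace1"))           # deleted
    print(kubectl_delete_pods(SUBJECT, all_namespaces=True))               # denied at list
    print(can_i(SUBJECT, Request("delete", "", "persistentvolumes", "")))  # False
```

Against a real cluster the same checks are kubectl auth can-i delete pods --as=system:serviceaccount:default:testsa -n namespace1 (yes) and kubectl auth can-i list pods --as=system:serviceaccount:default:testsa --all-namespaces (no). The contrast binding shows the trade-off: the moment the ClusterRole is attached through a ClusterRoleBinding, the cluster-wide list, and with it the bulk delete, becomes allowed, because RBAC has no way to permit a verb per namespace while denying the same verb cluster-wide other than simply not granting the cluster-wide binding.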