Questions tagged [kubernetes-rbac]

64 questions
8 votes, 2 answers

Proper use of Role.rules.resourceNames for creating pods with limited access to resources

I am trying to create a Pod that is able to create and update a specific configmap using Role.rules.resourceNames. I am able to perform a get request for the resource to the API from within the pod, but I'm not able to create the resource, instead…
littlebenlittle
6 votes, 3 answers

aws eks and aws sso RBAC authentication problem

I have created a fresh AWS SSO (used internal IDP as identity source, so no use of Active Directory). I am able to log in to AWS CLI and AWS GUI, but unable to perform any kubectl ops. error: You must be logged in to the server (Unauthorized) This has…
DmitrySemenov
6 votes, 2 answers

How is the "cluster creator" user of an AWS EKS cluster mapped to the "system:masters" RBAC group?

I'm trying to understand how RBAC authorizations are managed for the first user that creates an EKS cluster within AWS. Or in other words: How is the cluster creator mapped to the "system:masters" group within RBAC? I know this doc states: "When…
5 votes, 1 answer

What does the username field in aws-auth configmap do?

I am trying to understand where this username field is mapped to in the Kubernetes cluster. This is a sample configmap: apiVersion: v1 data: mapRoles: | - rolearn: arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup username:…
Kishor Unnikrishnan
4 votes, 2 answers

RBAC (Role Based Access Control) on K3s

After watching a few videos on RBAC (role based access control) on Kubernetes (of which this one was the most transparent for me), I've followed the steps, however on k3s, not k8s as all the sources imply. From what I could gather (not working),…
Paul
3 votes, 2 answers

What does the 'UPDATE' Kubernetes RBAC permission do?

I cannot for the life of me find a detailed table of what all the Kubernetes RBAC verbs do. The only resource I see people recommending is this one, which is woefully inadequate. So I've been working it out by experimentation. Most are fairly…
Hebe Hilhorst
2 votes, 0 answers

Changing Role permissions for an active (in-use) ServiceAccount in Kubernetes

Suppose a simple RBAC setup in Kubernetes (assuming default namespace for simplicity): ServiceAccount + Role + RoleBinding. The Role allows the get and list verbs for pods and pods/log; a Pod using the above ServiceAccount; the pod is running curl…
2 votes, 2 answers

How to access kubeconfig file inside containers

I have a container where I used a bitnami/kubectl image. Now I want to run a few kubectl commands inside that container. How is the kubectl container aware of my kubeconfig file? I know that I can mount the local kubeconfig file into containers and use…
anonymous user
2 votes, 0 answers

What is the difference in kubernetes between get deployment and get deployment/status

I'm trying to set up RBAC in Kubernetes. In my cluster, there are some default Roles like admin, cluster-admin and edit. Those Roles differentiate between (e.g.) a deployment and deployment/status. When I look at the k8s API reference…
Quido
2 votes, 1 answer

Kubernetes RBAC rule to allow creating Jobs only from a CronJob

Is it possible to create a kubernetes RBAC rule that allows creating a Job from an existing CronJob, but prevents creating a Job any other way? We want to keep our clusters tightly locked down to avoid arbitrary deployments not managed by CICD - but…
Gavin Clarke
2 votes, 1 answer

K8s cluster role exclude permissions

Is there a way to create a K8s cluster role with full access (all resources, verbs and apigroups on any namespaces) but no command execution on all namespaces, for example: kubectl delete pods --all-namespaces or kubectl delete pv…
Gaby
2 votes, 2 answers

Forbidden after enabling Google Cloud Groups RBAC in GKE

We are enabling Google Cloud Groups RBAC in our existing GKE clusters. For that, we first created all the groups in Workspace, and also the required "gke-security-groups@ourdomain.com" according to documentation. Those groups are created in…
2 votes, 1 answer

User "system:serviceaccount:default:flink" cannot list resource "nodes" in API group "" at the cluster scope

I am trying to call k8s api in one k8s pod. But hit the following permission issue: User "system:serviceaccount:default:flink" cannot list resource "nodes" in API group "" at the cluster scope. In my yaml file, I already have specified the Role &…
zjffdu
2 votes, 0 answers

How to restrict access to specific secrets in a POD (the POD should access only the specific secrets used by the given application)

I want to access a specific secret from a POD; I don't want the POD to have access to other secrets (which are not needed). I have created a service account with no access to secrets (not even "get"). apiVersion: v1 kind: ServiceAccount metadata: name:…
Slok
2 votes, 1 answer

How to execute shell script from POD A to another POD B

So like you said I created another pod which is of kind: Job and included the script.sh. In the script.sh file, I run "kubectl exec" to the main pod to run a few commands. The script gets executed, but I get the error "cannot create resource…
jeril