How to control access for pods/exec only in Kubernetes RBAC without pods create bound?
I checked the Kubernetes docs and found that the pods/exec resource has no verb, and I do not know how to control access for it alone. Since I create a pod, someone else needs to access it using 'exec' but cannot create anything in my cluster.

How to implement this?

Cana answered 24/11, 2017 at 7:33 Comment(0)
66

Since pods/exec is a subresource of pods, if you want to exec into a pod, you first need to get the pod, so here is my role definition.

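# Role granting read access to pods plus exec, without permission to create pods
kind: Role
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 is no longer served since Kubernetes 1.22
metadata:
  namespace: default
  name: pod-reader
rules:
# Look up pods and read their logs
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
# Exec is a "create" on the pods/exec subresource
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]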
Cana answered 27/11, 2017 at 2:29 Comment(3)
I know it's a bit late, but is there a way to inherit all subresources? - Occasionalism
You mean all namespaces? Replace Role with ClusterRole. - Coltish
I have been trying to find this pods and pods/exec in the documentation but I couldn't. Could you please state the link of that in the docs? - Scudder
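
To see why the Role above permits exec but not pod creation, here is an added example (not part of the answer and not Kubernetes code): a simplified Python model of RBAC rule matching, evaluated against the Role's two rules. The function names are illustrative assumptions, and resourceNames and nonResourceURLs are not modelled.

```python
# Simplified model of Kubernetes RBAC rule matching (added example, not Kubernetes code).

# The Role from the answer above, as a list of rules.
POD_READER_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]


def resource_matches(rule_resources, resource, subresource=""):
    """A subresource is requested as 'resource/subresource' and needs its own entry."""
    combined = f"{resource}/{subresource}" if subresource else resource
    for entry in rule_resources:
        if entry == "*" or entry == combined:
            return True
        # '*/exec' style entries match that subresource on any resource.
        if subresource and entry == f"*/{subresource}":
            return True
    return False


def allowed(rules, verb, resource, subresource="", api_group=""):
    """RBAC is additive: the request is allowed if any single rule matches it."""
    for rule in rules:
        if (
            (api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
            and (verb in rule["verbs"] or "*" in rule["verbs"])
            and resource_matches(rule["resources"], resource, subresource)
        ):
            return True
    return False


def access_report(rules):
    """Requests relevant to the question: exec must work, creating pods must not."""
    checks = [
        ("get", "pods", ""),           # look up the pod before exec
        ("create", "pods", "exec"),    # kubectl exec
        ("create", "pods", ""),        # kubectl run / applying a Pod manifest
        ("delete", "pods", ""),
        ("create", "pods", "attach"),  # attach is a different subresource
    ]
    return {(v, r, s): allowed(rules, v, r, s) for v, r, s in checks}


if __name__ == "__main__":
    for (verb, res, sub), ok in access_report(POD_READER_RULES).items():
        name = f"{res}/{sub}" if sub else res
        print(f"{verb:7} {name:12} -> {'allow' if ok else 'deny'}")
```
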
0

Maybe you can try this kubectl plugin: https://github.com/zhangweiqaz/go_pod

kubectl go -h
kubectl exec in pod with username. For example:
kubectl go pod_name
Usage:
  go [flags]

Flags:
  -c, --containerName string   containerName
  -h, --help                   help for go
  -n, --namespace string       namespace
  -u, --username string        username, this user must exist in image, default: dev
Notify answered 25/3, 2022 at 7:2 Comment(0)
