
I want to know if I can limit access to developers. We want to only allow developers to list pods and check logs, no ssh into pods. Is that feasible? This is what I tried, but it seems to not work:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developer-role
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: [""]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developer-role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: developer-role
subjects:
  - kind: Group
    name: developer_customized

1 Answer

An empty set of verbs for the resource pods/exec does not grant any access, but also does not deny it. It would depend on other configurations.

To effectively deny access, you should remove the lines for pods/exec:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developer-role
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list"]
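
An added example, not part of the answer above and not Kubernetes code: a small model of the additive RBAC evaluation the answer describes, showing that the empty-verb rule changes nothing and that exec still depends on every other role bound to the group. The function names and the `legacy-edit` role are assumptions made up for the illustration.

```python
# Minimal model of Kubernetes RBAC evaluation: rules only ever allow, and a
# request passes if ANY rule in ANY role bound to the subject matches it.

def _match(patterns, value):
    return "*" in patterns or value in patterns

def _match_resource(patterns, resource):
    if _match(patterns, resource):
        return True
    # RBAC also accepts "*/<subresource>", e.g. "*/exec".
    if "/" in resource:
        return "*/" + resource.split("/", 1)[1] in patterns
    return False

def rule_allows(rule, verb, api_group, resource):
    return (_match(rule.get("verbs", []), verb)
            and _match(rule.get("apiGroups", []), api_group)
            and _match_resource(rule.get("resources", []), resource))

def allowed(bound_roles, verb, api_group, resource):
    """bound_roles: {role_name: [rule, ...]} for every role bound to the subject."""
    return any(rule_allows(r, verb, api_group, resource)
               for rules in bound_roles.values() for r in rules)

def exec_grants(bound_roles):
    """Names of bound roles that let the subject open an exec session."""
    # POST-based exec is the "create" verb; "get" is checked as well because
    # WebSocket upgrades are GET requests.
    return sorted(name for name, rules in bound_roles.items()
                  if any(rule_allows(r, v, "", "pods/exec")
                         for r in rules for v in ("create", "get")))

# The ClusterRole from the question, including the empty-verb rule.
DEVELOPER_ROLE = [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": [""]},
]
# Constructed: a broad role that some other binding also gives the group.
LEGACY_EDIT = [{"apiGroups": [""], "resources": ["*"], "verbs": ["*"]}]

if __name__ == "__main__":
    print(exec_grants({"developer-role": DEVELOPER_ROLE}))
    print(exec_grants({"developer-role": DEVELOPER_ROLE, "legacy-edit": LEGACY_EDIT}))
```

On a live cluster the equivalent check is `kubectl auth can-i create pods/exec --as=<user> --as-group=developer_customized`, which evaluates all bindings that apply to the subject.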
