How to control access for pods/exec only in Kubernetes RBAC without pods create bound?

你离开我真会死。 posted on 2019-12-05 17:13:42

Question


I checked the Kubernetes docs and found that the pods/exec resource has no verb, and I do not know how to control access for it only. Since I created a pod, someone else needs to access it using 'exec' but cannot create anything in my cluster.

How to implement this?


Answer 1:


Found the solution myself.

Since pods/exec is a subresource of pods, if you want to exec into a pod, you first need to get the pod, so here is my role definition.

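```yaml
kind: Role
# v1beta1 was removed in Kubernetes 1.22; use rbac.authorization.k8s.io/v1 on current clusters
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: pod-reader
rules:
# Read access to pods and their logs
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
# Permission on the exec subresource only
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
```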
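The following Python sketch is an added example, not part of the original answer and not Kubernetes' own code. It models how RBAC matches a request's verb, API group and resource/subresource against the Role's two rules, showing that `create` on `pods/exec` does not imply `create` on `pods`. The function names and the wildcard contrast rule are hypothetical, and `resourceNames` is not modeled.

```python
# Simplified model of Kubernetes RBAC rule matching (illustrative, assumed names).
# resourceNames and nonResourceURLs are not modeled.

# The two rules from the pod-reader Role above.
POD_READER_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]
# Constructed contrast: an overbroad rule that also grants pod creation.
WILDCARD_RULES = [{"apiGroups": [""], "resources": ["*"], "verbs": ["*"]}]


def resource_matches(rule_resources, resource, subresource):
    """An entry matches as '*', the exact 'resource[/subresource]', or '*/subresource'."""
    combined = f"{resource}/{subresource}" if subresource else resource
    for entry in rule_resources:
        if entry in ("*", combined):
            return True
        if subresource and entry == f"*/{subresource}":
            return True
    return False


def rule_allows(rule, verb, api_group, resource, subresource=""):
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    group_ok = "*" in rule["apiGroups"] or api_group in rule["apiGroups"]
    return verb_ok and group_ok and resource_matches(rule["resources"], resource, subresource)


def allowed(rules, verb, resource, subresource="", api_group=""):
    """RBAC is additive: a request is allowed if any single rule allows it."""
    return any(rule_allows(r, verb, api_group, resource, subresource) for r in rules)


def audit(rules):
    """Evaluate the requests that matter for an exec-only user (constructed list)."""
    requests = [
        ("get", "pods", ""),         # look up the target pod
        ("create", "pods", "exec"),  # the verb the Role grants on pods/exec
        ("get", "pods", "log"),      # read logs
        ("create", "pods", ""),      # creating pods must stay denied
        ("delete", "pods", ""),      # deleting pods must stay denied
    ]
    return {(v, r, s): allowed(rules, v, r, s) for v, r, s in requests}


if __name__ == "__main__":
    for (verb, res, sub), ok in audit(POD_READER_RULES).items():
        print(f"{verb:7} {res + ('/' + sub if sub else ''):10} -> {'allow' if ok else 'deny'}")
```

On a live cluster the equivalent check is `kubectl auth can-i create pods --subresource=exec --as=<user> -n default`, run alongside `kubectl auth can-i create pods --as=<user> -n default`, which should answer `no`.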



Source: https://stackoverflow.com/questions/47468369/how-to-control-access-for-pods-exec-only-in-kubernetes-rbac-without-pods-create
