I need to solve an issue about pod access inside a given project.
A given user just needs to run oc exec
in a specific pod, inside a specific project.
The user has the lowest RBAC profile inside the cluster.
The admin role was assigned to the user. This lets the user access only the project, but doesn't limit the access to a single pod.
I created a role like this:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-teste-access-pod
  namespace: <project>
rules:
- apiGroups:
  - ''
  resources:
  - pods
  verbs:
  - create
Then I did:
oc apply -f role-teste-access-pod.yaml
#role.rbac.authorization.k8s.io/role-teste-access-pod created
oc adm policy add-role-to-user role-teste-access-pod caueteste -n <project>
#clusterrole.rbac.authorization.k8s.io/role-teste-access-pod added: "caueteste"
So I log in as the user, access the project and execute oc exec,
but this message is shown:
# oc exec -n <project> -it <pod> -c <container> -- bash
Error from server (Forbidden): pods "<pod>" is forbidden: User "caueteste" cannot create resource "pods/exec" in API group "" in the namespace "<project>": RBAC: clusterrole.rbac.authorization.k8s.io "role-teste-access-pod" not found
[caueteste@localhost]$
Can someone help me?
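Two things in the question explain the error. First, `oc adm policy add-role-to-user` without `--role-namespace` creates a RoleBinding whose roleRef points at a ClusterRole of that name (the command's own output says "clusterrole ... added"), and no ClusterRole named role-teste-access-pod exists, hence "clusterrole ... not found". Second, `oc exec` needs `get` on the pod (to resolve the container) and `create` on the `pods/exec` subresource, not `create` on `pods`. The manifests below are an added example, not from the original post: a Role that grants exactly those two permissions, pinned to one pod with `resourceNames`, and a RoleBinding whose roleRef is of kind Role. They reuse the question's `<project>`, `<pod>` and `caueteste` placeholders; the binding name is an assumption.

```yaml
# Added example, not the manifests from the original post.
# Assumes namespace <project>, pod <pod> and user caueteste, as in the question;
# the binding name role-teste-access-pod-binding is an arbitrary choice.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-teste-access-pod
  namespace: <project>
rules:
# oc exec first GETs the pod to find the container, then POSTs to the exec
# subresource. Both rules are restricted to the single pod name via resourceNames.
- apiGroups: [""]
  resources: ["pods"]
  resourceNames: ["<pod>"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["pods/exec"]
  resourceNames: ["<pod>"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-teste-access-pod-binding
  namespace: <project>
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: caueteste
roleRef:
  # kind must be Role: `oc adm policy add-role-to-user` without --role-namespace
  # emits a roleRef of kind ClusterRole, which is what produced the
  # "clusterrole ... not found" error in the question.
  kind: Role
  apiGroup: rbac.authorization.k8s.io
  name: role-teste-access-pod
```

Apply with `oc apply -f` and verify as a cluster admin with `oc auth can-i create pods --subresource=exec -n <project> --as=caueteste`, which should answer `yes` (the equivalent CLI shortcut is `oc adm policy add-role-to-user --role-namespace=<project> role-teste-access-pod caueteste -n <project>`). Two caveats: `resourceNames` does not apply to `list`, so the user cannot `oc get pods` and must type the exact pod name; and RBAC matches on the name, not on labels, so if the pod is recreated by a Deployment or ReplicaSet with a new generated name, the Role has to be updated.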
I solved it by creating a function and then a function binding as follows below
Regards