Is there a way to give read & write access of secrets only to ADMIN user in openshift?


I want to restrict the read & write access of secrets only to the users with ADMIN roles in openshift. If a user is a normal user, he can access everything except the secrets (he can neither reveal nor edit the secrets). Is there any way to do that? Thank You!

Davide

You could try to create your own roles to apply to everyone who is not an admin, or just edit the non-admin roles, removing access to secrets.

Here is the guide to making your own role.

For example, your role may already look like:

rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - secrets
  - serviceaccounts
  - services
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - update
  - watch

and you could remove the secrets line under resources:

rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - serviceaccounts
  - services
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - update
  - watch

For example:

$ oc create user test
user.user.openshift.io/test created

$ oc create role test-role --verb=get --verb=list --resource=namespaces,pods,routes,services
role.rbac.authorization.k8s.io/test-role created

$ oc login -u test -p #####
Login successful.

You have one project on this server: "######"

Using project "####".

$ oc get pods
No resources found.

$ oc get secrets
No resources found.
Error from server (Forbidden): secrets is forbidden: User "test" cannot list secrets in the namespace "####": no RBAC policy matched
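As an added example (not part of the answer above or of OpenShift's own documentation), here is a complete manifest that puts the answer's idea into practice: a namespace-scoped Role carrying the same rule set with secrets removed, a RoleBinding that gives it to a group of non-admin users, and a second RoleBinding that gives the built-in admin ClusterRole (which does include secrets) to the administrators. It uses the Kubernetes rbac.authorization.k8s.io/v1 API, which has no attributeRestrictions field (that field belongs to the older OpenShift-specific role format shown in the answer). The project name my-project and the groups developers and project-admins are assumptions; substitute your own.

```yaml
# Role for non-admin users: the answer's rule set minus "secrets".
# Namespace, role and group names are assumed for this example.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: edit-no-secrets
  namespace: my-project          # assumed project name
rules:
- apiGroups: [""]
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - serviceaccounts
  - services
  verbs: [create, delete, deletecollection, get, list, update, watch]
---
# Bind the restricted role to the non-admin group.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-edit-no-secrets
  namespace: my-project
subjects:
- kind: Group
  name: developers               # assumed group of normal users
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: edit-no-secrets
  apiGroup: rbac.authorization.k8s.io
---
# Administrators keep the built-in "admin" ClusterRole, which grants
# full access to secrets in this project.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: project-admins-admin
  namespace: my-project
subjects:
- kind: Group
  name: project-admins           # assumed admin group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
```

Apply it with oc apply -f and then check the result from the server's point of view rather than trusting the YAML: oc auth can-i get secrets --as=test -n my-project should answer "no" for a user in the developers group, while oc auth can-i list pods --as=test -n my-project should answer "yes"; oc adm policy who-can get secrets -n my-project lists every subject that can still read them. Two things to watch: RBAC is additive, so the restriction only holds if the user has no other binding (for example the default edit or admin role a project creator receives) that grants secrets, and the YAML keys and values above must be kept exactly as written.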