
Simplify creation of a Kubernetes RBAC definition


I would like to create a new cluster role that is basically the same as cluster-admin but without the ability for users to:

1. create, modify or delete PVs
2. create, modify or delete namespaces
3. view, create, modify or delete new RBAC permissions

How do I do this?

I was trying to take inspiration from the cluster-admin role, but everything was specified with *.


Solution

  • There are unfortunately no "negative" permissions that would let you start from all permissions (*) and then take specific permissions away. If you don't want all items of a set (which you could specify with *), you have to enumerate all of the items that you do want.

    You can find a complete list of resources and their API groups with:

    kubectl api-resources
    

    In your case, PVs and namespaces are in the core API group and RBAC resources are in the rbac.authorization.k8s.io API group. So it is only in these two API groups that you need to enumerate the resources you want to grant permissions for. For all the other API groups, you can list them in a single RBAC rule and set resources and verbs to *.


    Your ClusterRole definition might look something like this (however, the precise set of API groups and resources might be different in your cluster):

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: my-cluster-admin
    rules:
      # Read permissions for PVs and namespaces in the core API group
      - apiGroups: [""]
        resources: [persistentvolumes, namespaces]
        verbs: [get, list]
      # Full permissions for all other resources in the core API group
      - apiGroups: [""]
        resources: [bindings, componentstatuses, configmaps, endpoints, events, limitranges, nodes, persistentvolumeclaims, pods, podtemplates, replicationcontrollers, resourcequotas, secrets, serviceaccounts, services]
        verbs: ['*']
      # Full permissions for all API groups except "core" and "*.authorization.k8s.io"
      - apiGroups: [admissionregistration.k8s.io, apiextensions.k8s.io, apiregistration.k8s.io, apps, authentication.k8s.io, autoscaling, batch, certificates.k8s.io, coordination.k8s.io, crd.k8s.amazonaws.com, events.k8s.io, extensions, monitoring.coreos.com, networking.k8s.io, policy, scheduling.k8s.io, storage.k8s.io]
        resources: ['*']
        verbs: ['*']
      # Full permissions for all non-resource URLs
      - nonResourceURLs: ['*']
        verbs: ['*']
    

    You can generate the list of API groups and resources by doing some text manipulation on the output of kubectl api-resources.

    The definition has four rules which should achieve what you want:

    1. Only read permissions for PVs and namespaces
    2. Full permissions for all other resources (except PVs and namespaces) in the core API group
    3. Full permissions for all API groups except core and *.authorization.k8s.io (there are no permissions for *.authorization.k8s.io at all)
    4. Full permissions for all non-resource URLs
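The text manipulation mentioned above, as an added example that is not part of the original answer: it parses `kubectl api-resources -o name` output (a constructed sample is embedded), emits the four rules in the same shape as the ClusterRole in the answer, and includes an `allows()` helper that evaluates the rules the way RBAC does (purely additive), so you can confirm that namespace deletion and every RBAC verb are denied before applying anything. The file name `gen_role.py` and the `-` argument are this example's own conventions.

```python
import json
import sys

# Constructed sample of `kubectl api-resources -o name` output, one "<resource>[.<group>]" per line.
SAMPLE = """\
namespaces
persistentvolumes
pods
secrets
deployments.apps
jobs.batch
clusterroles.rbac.authorization.k8s.io
"""
READ_ONLY_CORE = ("namespaces", "persistentvolumes")  # only get/list, as in the answer
DENIED_GROUPS = {"rbac.authorization.k8s.io"}          # no rule at all, so no access

def parse_api_resources(text):
    """Split '<resource>[.<group>]' lines into (group, resource); the core group is ''."""
    return [(grp, res) for res, _, grp in (ln.partition(".") for ln in text.split())]

def build_rules(pairs):
    """Mirror the answer's four rules: enumerate only the core group and the API group list."""
    core_full = sorted(r for g, r in pairs if g == "" and r not in READ_ONLY_CORE)
    groups = sorted({g for g, _ in pairs if g and g not in DENIED_GROUPS})
    return [
        {"apiGroups": [""], "resources": list(READ_ONLY_CORE), "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": core_full, "verbs": ["*"]},
        {"apiGroups": groups, "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ]

def allows(rules, group, resource, verb):
    """RBAC is additive: a request is allowed iff some rule matches group, resource and verb."""
    def hit(wanted, have):
        return "*" in have or wanted in have
    return any("apiGroups" in r and hit(group, r["apiGroups"])
               and hit(resource, r["resources"]) and hit(verb, r["verbs"]) for r in rules)

def render(rules, name="my-cluster-admin"):
    """Emit the ClusterRole as YAML; JSON flow lists are valid YAML, so no PyYAML is needed."""
    out = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole", "metadata:", f"  name: {name}", "rules:"]
    for rule in rules:
        for i, (key, val) in enumerate(rule.items()):
            out.append(("  - " if i == 0 else "    ") + f"{key}: {json.dumps(val)}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Real use: kubectl api-resources -o name | python3 gen_role.py - > my-cluster-admin.yaml
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    print(render(build_rules(parse_api_resources(text))), end="")
```

Once the role is bound, the same checks can be repeated against the live API server with `kubectl auth can-i delete namespaces --as=<user>` and `kubectl auth can-i get clusterroles --as=<user>`, which should both answer "no".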