Tags: security
The following Kublr role enables various cluster operations (update, delete, etc.) while withholding access to the cluster admin kubeconfig file.

```yaml
kind: GlobalRole
metadata:
  name: LimitedAdmin
rules:
  - resources:
      - space
      - event
      - cluster
      - cluster/id
      - cluster/applications
      - cluster/metrics
      - cluster/config
      - cluster/proxy
      - cluster/dashboard
      - cluster/terminal
    verbs:
      - '*'
  - nonResourceURLs:
      - '*'
    verbs:
      - '*'
```
Note that this role does not allow access to cloud credentials/secrets, which in turn means that the user will not be able to create new clusters. If cluster creation is desired, add a secrets access rule to the role:

```yaml
kind: GlobalRole
metadata:
  name: LimitedAdmin
rules:
  - resources:
      - space
      - event
      - cluster
      - cluster/id
      - cluster/applications
      - cluster/metrics
      - cluster/config
      - cluster/proxy
      - cluster/dashboard
      - cluster/terminal
    verbs:
      - '*'
  - resources:
      - secret
      - secret/test
      - secret/cloudmetadata
    verbs:
      - '*'
  - nonResourceURLs:
      - '*'
    verbs:
      - '*'
```
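The difference between the two roles above is a single rule, and it is easy to lose track of which variant is deployed. The following is an added review check, not Kublr's own code: it transcribes both roles from this page into Python structures and evaluates whether a given verb on a given resource is granted, flagging any rule that reaches `secret` resources. The matching semantics (a `'*'` entry matches any resource or verb, `nonResourceURLs` rules never cover API resources) are assumptions about how such rules are evaluated, not taken from Kublr documentation.

```python
"""Least-privilege check for Kublr-style GlobalRole definitions (added example)."""
from typing import Dict, List, Tuple

# Constructed from the page's first LimitedAdmin role (no secrets access).
LIMITED_ADMIN: Dict = {
    "kind": "GlobalRole",
    "metadata": {"name": "LimitedAdmin"},
    "rules": [
        {"resources": ["space", "event", "cluster", "cluster/id",
                       "cluster/applications", "cluster/metrics",
                       "cluster/config", "cluster/proxy",
                       "cluster/dashboard", "cluster/terminal"],
         "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ],
}

# Constructed from the page's second role: same rules plus the secrets rule.
LIMITED_ADMIN_WITH_SECRETS: Dict = {
    "kind": "GlobalRole",
    "metadata": {"name": "LimitedAdmin"},
    "rules": LIMITED_ADMIN["rules"][:1]
    + [{"resources": ["secret", "secret/test", "secret/cloudmetadata"],
        "verbs": ["*"]}]
    + LIMITED_ADMIN["rules"][1:],
}


def _matches(patterns: List[str], value: str) -> bool:
    """Assumed semantics: '*' matches anything, otherwise an exact entry is needed."""
    return "*" in patterns or value in patterns


def grants(role: Dict, resource: str, verb: str) -> bool:
    """True if any resource rule in the role allows `verb` on `resource`."""
    for rule in role.get("rules", []):
        if "resources" not in rule:
            continue  # nonResourceURLs rules are assumed not to cover API resources
        if _matches(rule["resources"], resource) and _matches(rule["verbs"], verb):
            return True
    return False


def sensitive_grants(role: Dict,
                     sensitive_prefixes: Tuple[str, ...] = ("secret",)) -> List[str]:
    """Return the resources in the role that touch a sensitive prefix (or '*').

    A role that can reach secrets can read the cloud credentials the page
    mentions, so this list should be empty for an operator-only role.
    """
    found: List[str] = []
    for rule in role.get("rules", []):
        for res in rule.get("resources", []):
            if res == "*" or res.split("/")[0] in sensitive_prefixes:
                found.append(res)
    return found


if __name__ == "__main__":
    for role in (LIMITED_ADMIN, LIMITED_ADMIN_WITH_SECRETS):
        hits = sensitive_grants(role)
        print(role["metadata"]["name"], "-> secret access:", hits or "none")
```

Running the script reports no secret access for the first role and the three `secret*` resources for the second; `grants()` can be pointed at any resource/verb pair a reviewer wants to confirm before granting the role to a user.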