Compiled list of ClusterRoles for better/safer RBAC

This page summarizes the projects mentioned and recommended in the original post on reddit.com/r/kubernetes

  • rbac-tool

    Rapid7 | insightCloudSec | Kubernetes RBAC Power Toys - Visualize, Analyze, Generate & Query

    I've been tasked with defining and documenting some ClusterRoles with clear permissions that should (mostly) be enough for any kind of cluster. The idea is for admins (who don't necessarily do the DevOps work behind it) to be able to understand what each CR does, to assign these CRs to users on the fly, to update a user's access as their needs change, to view a list of policy rules, who can do what, etc. For this maintenance and tracking part we use rbac-manager and rbac-tool, which are excellent tools imo.

  • lens

    Lens - The way the world runs Kubernetes

    # The built-in cluster-admin ClusterRole, shown here for reference. The API server
    # creates and auto-reconciles it (note the autoupdate annotation), so it is not
    # something to apply or edit yourself.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "true"
      labels:
        kubernetes.io/bootstrapping: rbac-defaults
      name: cluster-admin
    rules:
    - apiGroups:
      - '*'
      resources:
      - '*'
      verbs:
      - '*'
    - nonResourceURLs:
      - '*'
      verbs:
      - '*'
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: restricted-user-access
    rules:
    - apiGroups: ["", "extensions", "apps"]   ## "" represents the core group
      resources: ["*"]   # "*" in the core group also covers secrets, pods/exec, pods/portforward
      verbs: ["get"]
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get", "list", "delete"]
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: secret-reader
    rules:
    - apiGroups: [""]
      resources:
      - secrets
      verbs:
      - get
      - watch
      - list
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: read-services-external-dns-ingress
    rules:
    - apiGroups: [""]
      resources: ["services"]
      verbs: ["get", "watch", "list"]
    - apiGroups: ["extensions"]   # Ingress left this group: extensions/v1beta1 was removed in Kubernetes 1.22, use networking.k8s.io
      resources: ["ingresses"]
      verbs: ["get", "watch", "list"]
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: portforward-access
    rules:
    - apiGroups: [""]
      resources: ["pods/portforward"]
      verbs: ["*"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: super-dev
    rules:
    - apiGroups:
      - "*"   # wildcard group: each resource name below matches in whichever API group serves it
      resources:
      - "configmaps"
      - "endpoints"
      - "persistentvolumeclaims"
      - "pods"
      - "pods/log"
      - "pods/portforward"
      - "podtemplates"
      - "replicationcontrollers"
      - "resourcequotas"
      - "secrets"   # full read/write on secrets; this role is not "dev" in the least-privilege sense
      - "services"
      - "events"
      - "daemonsets"
      - "deployments"
      - "replicasets"
      - "ingresses"
      - "networkpolicies"
      - "poddisruptionbudgets"
      verbs:
      - "*"
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: read-user-access
    rules:
    - apiGroups: ["", "extensions", "apps"]
      resources: ["*"]
      verbs: ["get", "watch", "list"]
    - apiGroups: ["batch"]
      resources:
      - jobs
      - cronjobs
      verbs: ["*"]
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: full-user-access
    rules:
    - apiGroups: ["", "extensions", "apps"]
      resources: ["*"]
      verbs: ["*"]
    - apiGroups: ["batch"]
      resources:
      - jobs
      - cronjobs
      verbs: ["*"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: non-resource-read-access
    rules:
    - nonResourceURLs:
      - '*'
      verbs: ["get", "watch", "list"]   # non-resource requests carry the lowercased HTTP method as verb, so only "get" ever matches here
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: non-resource-all-access
    rules:
    - nonResourceURLs:
      - '*'
      verbs:
      - '*'
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: non-namespaced-cluster-resources-read
    rules:
    #Copied from https://github.com/lensapp/lens/pull/644/files#diff-e8fd9c95df786da51f13c3a7442a1d88b3ac4294b786bc268ac92a4072bf50e7R5-R198
    # Despite the role name, everything up to "# END" is the Lens read-only set and
    # includes namespaced resources too (pods, secrets are not listed, but pods/exec,
    # pods/attach and nodes/proxy are: "get" on those opens exec/attach/kubelet sessions).
    - nonResourceURLs:
      - /metrics
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      resources:
      - bindings
      - componentstatuses
      - configmaps
      - endpoints
      - events
      - limitranges
      - namespaces
      - namespaces/finalize
      - namespaces/status
      - nodes
      - nodes/proxy
      - nodes/status
      - persistentvolumeclaims
      - persistentvolumeclaims/status
      - persistentvolumes
      - persistentvolumes/status
      - pods
      - pods/attach
      - pods/binding
      - pods/eviction
      - pods/exec
      - pods/log
      - pods/proxy
      - pods/status
      - podtemplates
      - replicationcontrollers
      - replicationcontrollers/scale
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
      - serviceaccounts
      - services
      - services/proxy
      - services/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - apps
      resources:
      - controllerrevisions
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - replicasets
      - replicasets/scale
      - replicasets/status
      - statefulsets
      - statefulsets/scale
      - statefulsets/status
      verbs:
      - list
      - get
      - watch
    - apiGroups:
      - batch
      resources:
      - jobs
      - jobs/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - autoscaling
      resources:
      - horizontalpodautoscalers
      - horizontalpodautoscalers/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - storage.k8s.io
      resources:
      - csidrivers
      - csinodes
      - storageclasses
      - volumeattachments
      - volumeattachments/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - networking.k8s.io
      resources:
      - networkpolicies
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - scheduling.k8s.io
      resources:
      - priorityclasses
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - node.k8s.io
      resources:
      - runtimeclasses
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - extensions
      resources:
      - ingresses
      - ingresses/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - events.k8s.io
      resources:
      - events
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - apiextensions.k8s.io
      resources:
      - customresourcedefinitions
      - customresourcedefinitions/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - apiregistration.k8s.io
      resources:
      - apiservices
      - apiservices/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - discovery.k8s.io
      resources:
      - endpointslices
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - metrics.k8s.io
      resources:
      - pods
      - nodes
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - policy
      resources:
      - poddisruptionbudgets
      - poddisruptionbudgets/status
      - podsecuritypolicies   # PodSecurityPolicy was removed in Kubernetes 1.25
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - rbac.authorization.k8s.io
      resources:
      - clusterrolebindings
      - clusterroles
      - rolebindings
      - roles
      verbs:
      - get
      - list
      - watch
    # END
    - apiGroups:
      - "*"
      resources:
      - "componentstatuses"
      - "namespaces"
      - "nodes"
      - "persistentvolumes"
      - "mutatingwebhookconfigurations"
      - "validatingwebhookconfigurations"
      - "customresourcedefinitions"
      - "apiservices"
      - "tokenreviews"               # the *review resources only support "create";
      - "selfsubjectaccessreviews"   # get/list/watch on them grants nothing
      - "selfsubjectrulesreviews"
      - "subjectaccessreviews"
      - "certificatesigningrequests"
      - "runtimeclasses"
      - "podsecuritypolicies"
      - "clusterrolebindings"
      - "clusterroles"
      - "priorityclasses"
      - "csidrivers"
      - "csinodes"
      - "storageclasses"
      - "volumeattachments"   # was "volumeattachment" (singular), which matches no resource
      verbs: ["get", "list", "watch"]   ## change this to * if you want admin rights on cluster resources
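The question the post is really about, which ClusterRole lets whom do what, can be answered offline once the matching rules of the RBAC authorizer are written down. The block below is an added example for this page, not code from the post, rbac-tool or rbac-manager. It encodes those rules over ClusterRole objects held as plain dicts (the shape yaml.safe_load gives you for a manifest): a `*` in apiGroups, verbs or resources matches anything; resources otherwise match exactly on `name` or `name/subresource`; `*/subresource` matches that subresource of every resource while `name/*` matches nothing; nonResourceURLs allow a trailing `*` as a prefix; and a RoleBinding that references a ClusterRole only counts inside the binding's own namespace. Four of the roles mirror ClusterRoles from the post; the `scale-only` role, the bindings and the subject names alice, bob, developers and team-a:ci are constructed for the example. `risky_grants` makes the point that `resources: ["*"]` in the core group is never just "read": it also covers secrets, pods/exec, pods/attach, pods/portforward and serviceaccounts/token.

```python
"""Offline evaluator for Kubernetes RBAC: answers "who can <verb> <resource>?"
and flags grants worth a second look. Objects are plain dicts, i.e. what
yaml.safe_load() returns for a manifest, so no cluster is needed."""

# Constructed sample input. Four roles mirror ClusterRoles from the post;
# "scale-only", the bindings and every subject name are hypothetical.
ROLES = {
    "secret-reader": {"rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
    "portforward-access": {"rules": [
        {"apiGroups": [""], "resources": ["pods/portforward"], "verbs": ["*"]}]},
    "read-user-access": {"rules": [
        {"apiGroups": ["", "extensions", "apps"], "resources": ["*"], "verbs": ["get", "watch", "list"]},
        {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["*"]}]},
    "cluster-admin": {"rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    "scale-only": {"rules": [  # "*/scale" is the only subresource wildcard RBAC understands
        {"apiGroups": ["apps"], "resources": ["*/scale"], "verbs": ["update", "patch"]}]},
}
# roleRef names a ClusterRole; a RoleBinding to a ClusterRole applies only in its namespace.
BINDINGS = [
    {"kind": "ClusterRoleBinding", "roleRef": "cluster-admin", "subjects": [("User", "alice")]},
    {"kind": "ClusterRoleBinding", "roleRef": "read-user-access", "subjects": [("Group", "developers")]},
    {"kind": "RoleBinding", "namespace": "team-a", "roleRef": "secret-reader", "subjects": [("User", "bob")]},
    {"kind": "RoleBinding", "namespace": "team-a", "roleRef": "portforward-access",
     "subjects": [("ServiceAccount", "team-a:ci")]},
]

def _verb_ok(rule, verb):
    return any(v in ("*", verb) for v in rule.get("verbs", []))

def _group_ok(rule, group):
    return any(g in ("*", group) for g in rule.get("apiGroups", []))

def _resource_ok(rule, resource):
    # Authorizer semantics: "*" matches all; else exact match on "res" or "res/sub";
    # "*/sub" matches that subresource of any resource. "pods/*" matches nothing.
    sub = resource.partition("/")[2]
    return any(r in ("*", resource) or (sub and r == "*/" + sub)
               for r in rule.get("resources", []))

def _url_ok(rule, url):
    # nonResourceURLs: "*", exact, or prefix match when the pattern ends in "*"
    return any(u == "*" or u == url or (u.endswith("*") and url.startswith(u[:-1]))
               for u in rule.get("nonResourceURLs", []))

def role_allows(role, verb, resource=None, group="", url=None):
    """True if any rule permits the request; RBAC rules are purely additive."""
    for rule in role["rules"]:
        if not _verb_ok(rule, verb):
            continue
        if url is not None:
            if _url_ok(rule, url):
                return True
        elif _group_ok(rule, group) and _resource_ok(rule, resource):
            return True
    return False

def who_can(verb, resource=None, group="", namespace=None, url=None,
            roles=ROLES, bindings=BINDINGS):
    """Sorted 'Kind:name' subjects allowed to make the request. namespace=None means a
    cluster-scoped request, which no RoleBinding can satisfy; same for non-resource URLs."""
    allowed = set()
    for b in bindings:
        role = roles.get(b["roleRef"])
        if role is None:  # dangling roleRef grants nothing
            continue
        if b["kind"] == "RoleBinding" and (url is not None or b["namespace"] != namespace):
            continue
        if role_allows(role, verb, resource, group, url):
            allowed.update(f"{kind}:{name}" for kind, name in b["subjects"])
    return sorted(allowed)

# Targets that hand out credentials, code execution in pods, kubelet access or control
# over RBAC itself. resources: ["*"] in the core group covers the first six at once.
SENSITIVE = [
    ("", "secrets"), ("", "pods/exec"), ("", "pods/attach"), ("", "pods/portforward"),
    ("", "serviceaccounts/token"), ("", "nodes/proxy"),
    ("rbac.authorization.k8s.io", "clusterroles"), ("rbac.authorization.k8s.io", "clusterrolebindings"),
]
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}

def risky_grants(role):
    """(target, verbs) pairs for every rule touching SENSITIVE or using an escalation verb."""
    findings = []
    for rule in role["rules"]:
        if "nonResourceURLs" in rule:
            continue
        verbs = sorted(rule.get("verbs", []))
        if "*" in verbs and "*" in rule.get("resources", []) and "*" in rule.get("apiGroups", []):
            findings.append(("*/* (cluster-admin equivalent)", verbs))
            continue
        findings += [(res, verbs) for group, res in SENSITIVE
                     if _group_ok(rule, group) and _resource_ok(rule, res)]
        esc = sorted(ESCALATION_VERBS & set(verbs))
        if esc:
            findings.append(("escalation verbs", esc))
    return findings
```

`who_can("get", "secrets", "", namespace="team-a")` returns the developers group plus alice and bob; the same query cluster-wide (`namespace=None`) drops bob, because his RoleBinding only reaches team-a. `risky_grants(ROLES["read-user-access"])` flags six core-group targets even though the role only grants get/watch/list, which is the check to run before handing a "read-only" ClusterRole to someone. To use it on a real export, build `roles` from the `rules` of each item in `kubectl get clusterroles -o yaml`; on a live cluster, `rbac-tool who-can get secrets` and `kubectl auth can-i --list` give the API server's own answer, which is the one that counts.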


