I'm looking for a way to allow a user named Foo to edit the image of a specific deployment without giving them permission to modify anything else. I understand that RBAC (Role-Based Access Control) won't address this situation. What solutions or approaches can I use to implement this? I'm comfortable writing some Go code if needed.
5 Answers
You could use RBAC to limit access per namespace or set up an admission controller like Kyverno. I've heard good things about it, but I haven't used admission controllers myself.
Just a thought, but why allow users to modify images directly on clusters at all? That approach seems risky.
Consider using Custom Resource Definitions (CRDs) to define the permissions you want more precisely.
Honestly, it sounds more like a people management issue than a technical one. If you can't trust that person or team to handle these permissions, maybe you should rethink their access altogether. As a workaround, implementing a CI pipeline that only allows image updates could do the trick.
You might want to check out Kyverno or Open Policy Agent. These tools can help you manage permissions in a more granular way. They could be what you're looking for!
Absolutely! Also, Validating Admission Policies could be another option. It's built into Kubernetes, so it might save you some integration hassle.
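The admission-controller route the answers point to (Kyverno, OPA, a Validating Admission Policy, or a webhook of your own) comes down to one decision: did this user change anything other than a container image? Below is that decision logic as an added example in Go, not code from this thread; it assumes the restricted user is named `foo`, and covers only the decision, not the webhook's HTTPS server or AdmissionReview response envelope. RBAC still has to grant that user `update` on the deployment (for example via `resourceNames`) for the request to reach admission at all; the webhook only narrows what that grant may change.

```go
package main

import (
	"encoding/json"
	"reflect"
)

// Minimal view of an AdmissionReview request: just the fields this decision needs.
type admissionRequest struct {
	UserInfo  struct{ Username string `json:"username"` } `json:"userInfo"`
	Object    map[string]any `json:"object"`
	OldObject map[string]any `json:"oldObject"`
}
const restrictedUser = "foo" // stands in for the question's user "Foo" (assumed username)
// normalize deletes what the comparison must ignore: every container image, plus the
// metadata fields the API server rewrites itself before validating admission runs.
func normalize(obj map[string]any) {
	spec, _ := obj["spec"].(map[string]any)
	tmpl, _ := spec["template"].(map[string]any)
	podSpec, _ := tmpl["spec"].(map[string]any)
	containers, _ := podSpec["containers"].([]any)
	for _, c := range containers {
		if m, ok := c.(map[string]any); ok {
			delete(m, "image")
		}
	}
	md, _ := obj["metadata"].(map[string]any) // delete on a nil map is a no-op
	for _, k := range []string{"resourceVersion", "generation", "managedFields"} {
		delete(md, k)
	}
}

// decide returns (allowed, reason) for one raw AdmissionReview request body.
// With no oldObject (CREATE) or no object (DELETE) the restricted user is denied too.
func decide(raw []byte) (bool, string) {
	var req admissionRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return false, "malformed admission request: " + err.Error()
	}
	if req.UserInfo.Username != restrictedUser {
		return true, "" // everyone else is governed by RBAC alone
	}
	normalize(req.OldObject) // nil-safe: missing pieces simply stay absent
	normalize(req.Object)
	if req.Object == nil || !reflect.DeepEqual(req.OldObject, req.Object) {
		return false, restrictedUser + " may only change container images of this deployment"
	}
	return true, ""
}
```

Because the check is "everything except images must be identical", adding a container, changing replicas, or editing env vars is rejected without having to enumerate every deployment field.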