I want to use the ClusterRole edit for some users of my Kubernetes cluster (https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles).
However, it is unfortunate that the user can access and modify Resource Quotas and Limit Ranges.
My question is now: How can I grant users, via a RoleBinding, access to a namespace such that the Role is essentially the ClusterRole edit, but without any access to Resource Quotas and Limit Ranges?
The `edit` role gives only read access to `resourcequotas` and `limitranges`:

```yaml
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
```

If you want a role that doesn't include read access to these resources, just make a copy of the `edit` role with those resources excluded.
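One way to produce that copy, as an added example that is not part of the original answer: a Python filter over the JSON from `kubectl get clusterrole edit -o json`. The role name `edit-no-quota` and the sample input are constructed for illustration; the script also drops `aggregationRule` and the original metadata so the copy is a static role.

```python
import copy
import json
import sys

EXCLUDED = {"resourcequotas", "limitranges"}

def strip_resources(role, new_name, excluded=EXCLUDED):
    """Return a new ClusterRole dict without rules on the excluded resources."""
    rules = []
    for rule in role.get("rules") or []:
        resources = rule.get("resources")
        if resources is None:  # nonResourceURLs rule: keep unchanged
            rules.append(copy.deepcopy(rule))
            continue
        if "*" in resources:
            # RBAC is additive only; a wildcard cannot be narrowed by exclusion.
            raise ValueError(f"wildcard rule cannot be filtered: {rule}")
        # Compare the part before "/" so subresources such as
        # resourcequotas/status are removed together with their parent.
        kept = [r for r in resources if r.split("/")[0] not in excluded]
        if kept:  # a rule left with no resources is dropped entirely
            new_rule = copy.deepcopy(rule)
            new_rule["resources"] = kept
            rules.append(new_rule)
    # Fresh metadata and no aggregationRule: no uid/resourceVersion carried
    # over, and the aggregation controller will not rewrite these rules.
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": new_name},
        "rules": rules,
    }

# Constructed sample shaped like `kubectl get clusterrole edit -o json` (abridged).
SAMPLE = {
    "kind": "ClusterRole", "metadata": {"name": "edit", "uid": "constructed-uid"},
    "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {
        "rbac.authorization.k8s.io/aggregate-to-edit": "true"}}]},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "configmaps"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": [""], "resources": ["bindings", "events", "limitranges",
                                          "pods/log", "resourcequotas", "resourcequotas/status"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["limitranges"], "verbs": ["get"]},
    ],
}

if __name__ == "__main__":
    role = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    json.dump(strip_resources(role, "edit-no-quota"), sys.stdout, indent=2)
```

The output can be piped to `kubectl apply -f -` and then referenced from a namespaced RoleBinding's `roleRef`. Because the copy is static, rules that later get aggregated into `edit` will not appear in it until the script is rerun.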