
Kubernetes RBAC for triggering `Jobs` and `CronJobs` without the `create` verb


With security in mind, I do not want to allow the create verb on Job and CronJob resources because it would allow someone to create a pod (using any image) and expose sensitive information. But I also want to allow the ability to trigger jobs that have already been created on the cluster.

Is there a way to allow the triggering of Jobs and CronJobs in a Kubernetes cluster without assigning the create verb in a Role or ClusterRole RBAC definition?

If not, is there a way to only allow create when the Job or CronJob already exists on the cluster?

I've simply tried the following RBAC definition and was able to create any pod (dangerous) that I wanted.

```yaml
apiGroups:
  - batch
resources:
  - cronjobs
  - jobs
verbs:
  - get
  - create
```

Solution

1. You can't "trigger" a Job. A Job is either pending (waiting to run), running, or completed. If it's completed, you can't re-run it; you can only delete and re-create it.

2. The only way to manually run a CronJob is by...using it as a template to create a Job (`kubectl create job --from=cronjob ...`).

So in both situations, you need the ability to create a Job.

Lastly:

1. You can't "allow create when the Job or CronJob already exists", because in that case the resource has already been created. There's nothing to create.
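The following is an added example, not part of the original question or answer: a simplified Python model of how an RBAC rule is matched against a request, used to compare the rule from the question with two constructed variants. The rule sets `NARROWED_RULES` and `PINNED_RULES`, the Job name `nightly-report`, and the helper names are assumptions made for illustration; subresources and non-resource URLs are left out of the model.

```python
# Simplified model of Kubernetes RBAC rule matching (added illustration, not
# Kubernetes source code). Subresources and nonResourceURLs are left out.

def rule_allows(rule, verb, group, resource, name=""):
    """Return True if a single RBAC rule permits the request attributes."""
    def match(allowed_values, value):
        return "*" in allowed_values or value in allowed_values

    if not match(rule["verbs"], verb):
        return False
    if not match(rule["apiGroups"], group):
        return False
    if not match(rule["resources"], resource):
        return False
    names = rule.get("resourceNames", [])
    # An empty resourceNames list means "any name". A create request is a POST
    # to the collection, so the authorizer sees an empty object name and a
    # rule that lists resourceNames can never match it.
    return not names or name in names

def allowed(rules, verb, group, resource, name=""):
    """RBAC is additive: the request is allowed if any rule matches."""
    return any(rule_allows(r, verb, group, resource, name) for r in rules)

# The rule posted in the question.
QUESTION_RULES = [
    {"apiGroups": ["batch"], "resources": ["cronjobs", "jobs"],
     "verbs": ["get", "create"]},
]

# Constructed variant: only the two permissions that
# `kubectl create job --from=cronjob/...` exercises.
NARROWED_RULES = [
    {"apiGroups": ["batch"], "resources": ["cronjobs"], "verbs": ["get"]},
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create"]},
]

# Constructed variant: trying to pin create to an existing Job name.
PINNED_RULES = [
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create"],
     "resourceNames": ["nightly-report"]},
]

if __name__ == "__main__":
    for label, rules in [("question", QUESTION_RULES),
                         ("narrowed", NARROWED_RULES),
                         ("pinned", PINNED_RULES)]:
        for res in ("cronjobs", "jobs"):
            print(label, "create", res, allowed(rules, "create", "batch", res))
```

Splitting the rule removes `create` on CronJobs, but `create` on Jobs still accepts any pod spec, and the `resourceNames` variant denies every create, which matches the answer's conclusion that RBAC alone cannot express "only re-run what already exists".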