With security in mind, I do not want to allow the `create` verb on `Job` and `CronJob` resources because it would allow someone to create a pod (using any image) and expose sensitive information. But I also want to allow the ability to trigger jobs that have already been created on the cluster.

Is there a way to allow the triggering of `Jobs` and `CronJobs` in a Kubernetes cluster without assigning the `create` verb in a `Role` or `ClusterRole` RBAC definition?

If not, is there a way to only allow `create` when the `Job` or `CronJob` already exists on the cluster?
I've simply tried the following RBAC definition and was able to create any pod (dangerous) that I wanted.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: job-runner        # placeholder name
  namespace: default      # placeholder namespace
rules:
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - create
```
You can't "trigger" a Job. A Job is either pending (waiting to run), running, or completed. If it's completed, you can't re-run it; you can only delete and re-create it.

The only way to manually run a CronJob is by...using it as a template to create a Job (`kubectl create job --from=cronjob ...`).

So in both situations, you need the ability to `create` a Job.
Lastly:
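To make the answer's point concrete, here is an added example (not from the question, the answer, or kubectl itself) that rebuilds what `kubectl create job --from=cronjob/<name>` submits: a brand-new `Job` object whose spec is a copy of the CronJob's `spec.jobTemplate`. Because the API server receives a new object, RBAC evaluates the request as `create` on `batch/jobs`; the CronJob itself is only read. The sample CronJob, its namespace, uid and image are constructed; the `cronjob.kubernetes.io/instantiate: manual` annotation and the ownerReference mirror kubectl's behaviour as far as I know.

```python
"""Derive the Job that a manual CronJob run submits to the API server.

Mirrors the template-copy step of `kubectl create job --from=cronjob`:
the resulting object is POSTed to batch/v1 jobs, which is why the
`create` verb on jobs is required even though the image and command
come from an existing CronJob.
"""
import copy
from typing import Any, Dict

# Constructed sample CronJob, trimmed to the fields the conversion needs.
SAMPLE_CRONJOB: Dict[str, Any] = {
    "apiVersion": "batch/v1",
    "kind": "CronJob",
    "metadata": {
        "name": "nightly-report",
        "namespace": "reports",
        "uid": "0d3a1d2e-0000-4000-8000-000000000001",  # constructed
    },
    "spec": {
        "schedule": "0 2 * * *",
        "jobTemplate": {
            "metadata": {"labels": {"team": "finance"}},
            "spec": {
                "template": {
                    "spec": {
                        "restartPolicy": "Never",
                        "containers": [
                            {"name": "report",
                             "image": "registry.example.com/report:1.4"},
                        ],
                    }
                }
            },
        },
    },
}


def job_from_cronjob(cronjob: Dict[str, Any], job_name: str) -> Dict[str, Any]:
    """Return a new Job manifest built from the CronJob's jobTemplate.

    Only the template is copied, so the caller cannot choose the image;
    the API server nevertheless sees a fresh Job object to be created.
    """
    template = cronjob["spec"]["jobTemplate"]
    meta = copy.deepcopy(template.get("metadata", {}))
    meta["name"] = job_name
    meta["namespace"] = cronjob["metadata"]["namespace"]
    # kubectl marks manually instantiated Jobs with this annotation and
    # links the Job to its CronJob so it is garbage-collected with it.
    meta.setdefault("annotations", {})["cronjob.kubernetes.io/instantiate"] = "manual"
    meta["ownerReferences"] = [{
        "apiVersion": cronjob["apiVersion"], "kind": cronjob["kind"],
        "name": cronjob["metadata"]["name"], "uid": cronjob["metadata"]["uid"],
    }]
    return {"apiVersion": "batch/v1", "kind": "Job", "metadata": meta,
            "spec": copy.deepcopy(template["spec"])}
```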