I want to create kubernetes service account and roles/rbac which will grant permission to patch/update annotations of deployment. service account should not able to perform any other update on kubernetes deployment. It should have upgrade and patch permission on metadata section only.
Kubernetes service account with upgrade/patch permission to annotation of deployment
1.8k Views Asked by Akshay Gopani At
1
There are 1 best solutions below
Related Questions in KUBERNETES
- Golang == Error: OCI runtime create failed: unable to start container process: exec: "./bin": stat ./bin: no such file or directory: unknown
- I can't create a pod in minikube on windows
- Oracle setting up on k8s cluster using helm charts enterprise edition
- Retrieve the Dockerfile configuration from the Kubernetes and also change container Java parameter?
- Summarize pods not running, by Namespace and Reason - I'm having trouble finding the reason
- How to get Java running parameters from Spring Boot running inside container in pod where no ps exist
- How do we configure prometheus server to scrape metrics from a pod with Istio sidecar proxy?
- In rke kube-proxy pod is not present
- problem with edge server registration in Eureka
- Unable to Access Kubernetes LoadBalancer Service from Local Device Outside Cluster
- Kubernetes cluster on GCE connection refused error
- Based on my experience, I've outlined the Kubernetes request flow. Could someone please add or highlight any points I might have overlooked?
- how to define StackGres helm chart "restapi" values to use internal LoadBalancer - AWS EKS
- Python3.11 can't open file [Errno 2] No such file or directory
- Cannot find remote pod service - SERVICE_UNAVAILABLE
Related Questions in KUBERNETES-DEPLOYMENT
- Multi attach error in AWS EKS deployment (rolling update)
- PVC in deployment and stateful set
- Deploy elasticsearch with url and open port
- How to pass configMap file to command parameter of deployment?
- Azure ML: DeploymentIdentityError: Failed to create Kubernetes deployment identity, Reason:RefreshExtensionIdentityNotSet
- Deploying Kubernetes Application on a Cluster Created with ARM Template and Custom Script Extension
- Canarydeployment of AKS based applications using istio
- set configmap sql file
- Spreading 3 pods across 3 nodes and deploying without downtime
- Java Parameters on Kubernetes Deployment
- Any python client method available to get/set env variables of kubernetes deployment
- What is the practice to share PVC for Helm chart application
- Migrating from PSP to PSA
- Deployment failed: HTTP probe failed with statuscode: 500
- Kubernetes SAT token as environment variable
Related Questions in KUBERNETES-SECURITY
- Mongodb statefulset Kubernetes unable to mounting keyfile with specifique owner
- Validating Webhook behaviour
- Migrating from PSP to PSA
- trace and log commands executed in a k8s pod
- Hashicorp vault: Multiple Applications and Multiple service accounts - prevent another app from using different svc account
- AuthorizationPolicy configuration issue: JWT authentication not working within specified namespace
- Unable to authenticate kubernetes cluster with the certificate-authority
- pods is forbidden: User tote-admin cannot list resource pods in API group at the cluster scope
- How to Manage UTM's Allow/Deny List for Kubernetes Outgoing Requests
- Kubernetes Argo workflows are failing with psp-readonlyrootfilesystem error
- how to disable user impersonation in kubernetes?
- Why are there so many certificates in a Kubernetes cluster?
- Why I cannot access host files from inside kubernetes pod? "permission denied" error
- istio allowed incoming request from namespace which is not in allowed in authorization policy
- system:node fails to get secrets from apiserver via curl
Related Questions in KUBERNETES-RBAC
- Access kubernetes 'namespaces' object from the kubelet
- Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden
- clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "system:anonymous" cannot create resource "clusterrolebindings"
- Kube API extension server client-cert-based authorization does not work with kubeconfig file client-certificate-data
- Kubernetes RBAC rule to limit listing to certain CustomResourceDefinitions
- Setup a user with everyting allowed except access to the kube-system namespace and deploying privileged pods
- Service Account in K8s have access to other namespaces that are not part of its role
- Changing Role permissions for an active (in-use) ServiceAccount in Kubernetes
- Kubernetes using multiple api group in same rule. YAML
- Creating an AKS cluster with Kubernetes RBAC and AD Integration using a Service Principal. How can it also assign itself cluster admin?
- Issue in importing AKS cluster on Paralus
- Add RBAC to Azure Kubernetes ( AKS ) after the cluster has already been created
- How to allow only one user to be able to access only one pod within an openshift project?
- Azure Kubernets Service: Regular user with RBAC enabled cluster has system:masters role
- Annotation has apiVersion v1beta1
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular # Hahtags
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
I will give you an example on how you can create your service account depending your needs, you can take my example and easily modify, it looks something like this:
Hope this helps. You can find more info about roles/rbac in official documentation