Kubernetes RBAC cluster-admin without secret reading permission

Is it possible to create a Kubernetes cluster admin that cannot read namespace secrets?

I know you can create a ClusterRole that lists every resource and omits secrets, but that doesn't seem intuitive.

Can you use Aggregated ClusterRoles to remove permissions? That is, use the ClusterRole cluster-admin and have a role with:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: no-secrets
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: [""]

Not really. Aggregated ClusterRoles are a set union of several ClusterRoles. To get the behavior you want you would need a set subtraction of the cluster-admin role minus the rules that you have defined. It's not supported in K8s as of this writing.
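Since aggregation can only add rules, the practical route is the allow-list the question mentions: enumerate the cluster's resources and emit a ClusterRole that grants everything except secrets. The script below is an added example, not code from the question or the answer. It assumes its input is the output of `kubectl api-resources -o name` (plural name, or `plural.group` for non-core groups), optionally with a `/subresource` appended; the listing embedded here is constructed, not captured from a real cluster, and the role name `almost-cluster-admin` and the helper names are hypothetical. `is_allowed` mirrors the RBAC matcher's semantics (any matching rule allows; there is no deny), which is exactly why a union of roles can never subtract a permission.

```python
"""Build a ClusterRole equivalent to cluster-admin minus secrets (added example).

Input format assumed: `kubectl api-resources -o name`, one resource per line,
optionally with a /subresource suffix. The sample listing is constructed.
"""
import json
from collections import defaultdict

# Constructed sample standing in for `kubectl api-resources -o name` output,
# plus a few subresources that api-resources does not list by itself.
SAMPLE_API_RESOURCES = """\
configmaps
pods
pods/log
pods/exec
secrets
serviceaccounts
deployments.apps
roles.rbac.authorization.k8s.io
rolebindings.rbac.authorization.k8s.io
"""

# (apiGroup, resource) pairs to leave out; "" is the core group.
EXCLUDED = {("", "secrets")}


def parse_resource(line):
    """'deployments.apps/scale' -> ('apps', 'deployments/scale'); 'pods' -> ('', 'pods')."""
    name, _, sub = line.strip().partition("/")
    resource, _, group = name.partition(".")
    if sub:
        resource = f"{resource}/{sub}"
    return group, resource


def build_rules(listing, excluded=EXCLUDED):
    """Grant all verbs on every listed resource except the excluded ones, grouped by apiGroup."""
    by_group = defaultdict(list)
    for line in listing.splitlines():
        if not line.strip():
            continue
        group, resource = parse_resource(line)
        if (group, resource) in excluded:
            continue
        by_group[group].append(resource)
    rules = [
        {"apiGroups": [g], "resources": sorted(rs), "verbs": ["*"]}
        for g, rs in sorted(by_group.items())
    ]
    # cluster-admin also grants every non-resource URL (/healthz, /metrics, ...).
    rules.append({"nonResourceURLs": ["*"], "verbs": ["*"]})
    return rules


def build_cluster_role(name, listing, excluded=EXCLUDED):
    """Complete ClusterRole manifest; kubectl apply -f accepts JSON as well as YAML."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": name},
        "rules": build_rules(listing, excluded),
    }


def is_allowed(rules, group, resource, verb):
    """Mirror of the RBAC matcher: allowed if ANY rule matches (pure union, no deny).

    Resource matching follows the API server: "*" matches everything, otherwise an
    exact match on "resource" or "resource/sub", or the "*/sub" form for subresources.
    """
    _base, _, sub = resource.partition("/")
    for rule in rules:
        if "resources" not in rule:
            continue  # nonResourceURLs rule; irrelevant to resource requests
        if "*" not in rule["verbs"] and verb not in rule["verbs"]:
            continue
        if "*" not in rule["apiGroups"] and group not in rule["apiGroups"]:
            continue
        for r in rule["resources"]:
            if r == "*" or r == resource or (sub and r == f"*/{sub}"):
                return True
    return False


if __name__ == "__main__":
    role = build_cluster_role("almost-cluster-admin", SAMPLE_API_RESOURCES)
    print(json.dumps(role, indent=2))
```

Two caveats worth keeping in mind with this approach. First, the allow-list is a snapshot: resources added later (new CRDs, new API groups) are not covered until the role is regenerated, and subresources such as `pods/log` or `pods/exec` must be listed explicitly because `api-resources` does not enumerate them. Second, withholding `get`/`list`/`watch` on secrets only blocks direct reads; a subject that can still create pods (and mount a secret into one), exec into pods, or impersonate other identities can read secret contents indirectly. After binding the role, check the intended outcome with `kubectl auth can-i get secrets --as=<user>` and `kubectl auth can-i create pods --as=<user>`.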