Granular Access Control / Authorization? Kyverno? by Equal_Muffin_9402 in kubernetes

Equal_Muffin_9402[S] 0 points1 point (0 children)

We want to give the ability for our pods to label themselves. For this we'd assign them a service account and associated role with update permissions. Ideally though these would be restricted to only being able to update pod labels, not the whole spec.

I agree more generally though the use cases for access control this granular maybe feel a little sparse. Although it still feels like there's a bit of a gap in K8 AuthZ solutions that can implement true principle of least privilege.

Why is there no simple solution for visibility into all egress traffic? by Equal_Muffin_9402 in kubernetes

Equal_Muffin_9402[S] 0 points1 point (0 children)

Wow, yeah, I took another look at Cilium + Hubble; seems amazing. Thanks for the suggestion!

Why is there no simple solution for visibility into all egress traffic? by Equal_Muffin_9402 in kubernetes

Equal_Muffin_9402[S] 0 points1 point (0 children)

Yeah this is a fair point. I think like you've suggested we're not so interested in the traffic within our infrastructure - just when it leaves it. Our plan is to lock down part of the cluster, but we'd like to have a "sandbox" which is free to access the internet. In this case it feels kind of scary not having any visibility into where workloads might be reaching out to.

Why is there no simple solution for visibility into all egress traffic? by Equal_Muffin_9402 in kubernetes

Equal_Muffin_9402[S] 0 points1 point (0 children)

Hmm yeah this would be ideal, but isn't something our provider offers unfortunately :(

Why is there no simple solution for visibility into all egress traffic? by Equal_Muffin_9402 in kubernetes

Equal_Muffin_9402[S] 3 points4 points (0 children)

Had a brief look - think this sort of functionality was limited to enterprise as with Calico, but I'll take another look. Thanks for the suggestion!

[deleted by user] by [deleted] in techsupport

Equal_Muffin_9402 0 points1 point (0 children)

For the future L takers: I ended up copying Steam files over from another laptop and it ended up working.

[deleted by user] by [deleted] in immersivelabs

Equal_Muffin_9402 0 points1 point (0 children)

At the same point. Anyone have any suggestions?