05/24/2022, 3:45 PM
Question about rancher RBAC. Do the permissions in the rancher web console differ from those that kubectl gives you? I'm trying to create a project role that gives read access to everything in a project apart from secrets, where I want to be able to list them but NOT get (describe) them. I've added secrets in the api group “” with “list” and “watch”, and everything else in the group also has “get”. Kubectl correctly blocks the account from getting the secret but I can still list them. However, in the rancher UI I can both list and get them. This is the exact same user without making any rbac permission changes.


05/24/2022, 5:03 PM
There is no "field-level" rbac in k8s and what you're asking cannot be done. Get lets you make the API call to read a specific resource by name. List gives you back ALL of them, with their entire body as you'd receive from "get". You don't see that shown in the kubectl table output, but that doesn't mean it's not there. Try adding `-o yaml`. So granting list without get is basically a meaningless distinction. You can still get the info you want, but are forcing the client to ask for extra info they don't want and throw away. Get without list has some value because you now need to know the name of the thing you want to get, but you can also just start going through a dictionary and guessing... Anyway, the UI makes list calls because individual gets would just be fantastically inefficient.