How can I restrict a resource's access? Say I have a user/service account that s . . .

Adharsh:
How can I restrict a resource’s access? Say I have a user/service account that shouldn’t access secrets/config maps, how can I achieve this? As far as I understand, RBAC is only additive and hence may not be possible…

Fernando Jordan Silva:
RBAC is negative by default. It means that if you create a role / rolebinding allowing access to a resource, you will only be able to access that resource and not others.
If you want to restrict access to secrets, you should create a role allowing access to all resources but removing the entry for secrets.

Adharsh:
Interesting! If I were to create a role that allows access to all resources, except secrets, isn’t that a bad security practice as this role is almost equivalent to the cluster-admin role?

Fernando Jordan Silva:
No, because it’s restricted to a namespace. You are using a role (namespaced) not a clusterrole (not namespaced). So there are not many resources to add :wink:
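The pattern described in this thread, written out as an added example (not manifests from the thread's participants): a namespaced Role that enumerates the allowed resources instead of using `"*"`, so `secrets` and `configmaps` are never granted, plus a RoleBinding to the service account. The namespace `team-a`, the names `app-reader-no-secrets` and `app-sa`, and the read-only verb set are assumptions for illustration.

```yaml
# Added example, not from the original thread. Namespace, names and verbs are assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: team-a              # assumed namespace
  name: app-reader-no-secrets
rules:
  # Core API group: enumerate what is needed; "secrets" and "configmaps"
  # are deliberately absent from this list, so they are never granted.
  # Writing resources: ["*"] here would silently include both of them.
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "endpoints", "persistentvolumeclaims", "events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: team-a
  name: app-reader-no-secrets
subjects:
  - kind: ServiceAccount
    name: app-sa                 # assumed service account name
    namespace: team-a
roleRef:
  kind: Role
  name: app-reader-no-secrets
  apiGroup: rbac.authorization.k8s.io
```

After applying it, `kubectl auth can-i get secrets -n team-a --as=system:serviceaccount:team-a:app-sa` should answer `no`. Because RBAC unions all bindings for a subject, this only holds while no other RoleBinding or ClusterRoleBinding grants that service account access to secrets.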