alcideio / rbac-tool

Rapid7 | insightCloudSec | Kubernetes RBAC Power Toys - Visualize, Analyze, Generate & Query

Generate policy with allow instead of deny

orcutt989 opened this issue:

Is there a way to generate a policy with something like --allowed-objects? I'd like to create a role with just 1 resource instead of putting a list of things to deny. For example, it seems like if I only want a policy with 1 allowed resource, I would have to feed in a list of every other resource to deny.

Ex -

rbac-tool  gen  --allowed-resources=pods. --allowed-verbs=get,list
rbac-tool  gen  --allowed-resources=pods.,services --allowed-verbs=get,list

instead of...

rbac-tool  gen  --deny-resources=secrets.,services.,serviceaccount.,pvc.,pv.,...(on and on) --allowed-verbs=get,list

@orcutt989 - it would be easier to create such an RBAC policy directly - rather than using this tool - simply because k8s RBAC is additive.
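
As an added example (not part of the issue thread and not rbac-tool's own code), the Python sketch below builds an allow-only Role from the `resource.group` notation used in the commands above and models additive evaluation in simplified form: a request passes only if some rule matches, so nothing has to be denied explicitly. The role name `pod-reader`, the `default` namespace, the `deployments.apps` entry and the function names are assumptions made for illustration.

```python
import json

def parse_resource(spec):
    """Split 'resource.group'; a trailing dot or no dot means the core group ''."""
    resource, _, group = spec.partition(".")
    return resource, group

def make_role(name, namespace, resources, verbs):
    """Build a namespaced Role that allows only the listed resources and verbs."""
    by_group = {}
    for spec in resources:
        resource, group = parse_resource(spec)
        by_group.setdefault(group, []).append(resource)
    rules = [
        {"apiGroups": [group], "resources": sorted(res), "verbs": sorted(verbs)}
        for group, res in sorted(by_group.items())
    ]
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": namespace},
        "rules": rules,
    }

def is_allowed(role, group, resource, verb):
    """Simplified additive check: allowed if ANY rule matches, otherwise denied.
    Ignores resourceNames, subresources and nonResourceURLs."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return any(
        match(r["apiGroups"], group)
        and match(r["resources"], resource)
        and match(r["verbs"], verb)
        for r in role["rules"]
    )

# Constructed sample: hypothetical role name, namespace and resource list.
ROLE = make_role("pod-reader", "default",
                 ["pods.", "services", "deployments.apps"], ["get", "list"])

if __name__ == "__main__":
    # kubectl accepts JSON manifests as well as YAML.
    print(json.dumps(ROLE, indent=2))
    for req in [("", "pods", "get"), ("", "secrets", "get"), ("", "pods", "delete")]:
        print(req, "->", "allow" if is_allowed(ROLE, *req) else "deny")
```

Binding the Role to a subject with a RoleBinding is still required before it grants anything.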