Generate policy with allow instead of deny
orcutt989 opened this issue
Is there a way to generate a policy with something like --allowed-objects? I'd like to create a role with just 1 resource instead of putting a list of things to deny. For example, it seems like if I only want a policy with 1 allowed resource, I would have to feed in a list of every other resource to deny.
Ex -
rbac-tool gen --allowed-resources=pods. --allowed-verbs=get,list
rbac-tool gen --allowed-resources=pods.,services --allowed-verbs=get,list
instead of...
rbac-tool gen --deny-resources=secrets.,services.,serviceaccount.,pvc.,pv.,...(on and on) --allowed-verbs=get,list
@orcutt989 - it would be easier to create such an RBAC policy directly - rather than using this tool - simply because k8s RBAC is additive.
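Because Kubernetes RBAC has no deny rules, a Role that lists only the wanted resources already is the allow-only policy the issue asks for. The sketch below is an added example, not code from rbac-tool or from either commenter: the function `allow_role`, the role name and the namespace are hypothetical, and it assumes the `resource.group` spelling used in the issue, with an empty or missing group meaning the core API group.

```python
import json
from collections import defaultdict


def allow_role(name, namespace, resources, verbs):
    """Build a namespaced Role that grants only `verbs` on `resources`.

    `resources` is a comma-separated list in "resource.group" form, as in
    the issue ("pods." = core group). Treating a bare name such as
    "services" as core-group is an assumption of this example.
    """
    by_group = defaultdict(list)
    for spec in resources.split(","):
        spec = spec.strip()
        if not spec:
            continue
        resource, _, group = spec.partition(".")
        # Design choice of this example: an allow-list should name things
        # explicitly, so wildcards are rejected rather than passed through.
        if "*" in (resource, group):
            raise ValueError(f"wildcard not allowed in allow-list: {spec!r}")
        by_group[group].append(resource)

    verb_list = sorted({v.strip() for v in verbs.split(",") if v.strip()})
    if "*" in verb_list:
        raise ValueError("wildcard verb not allowed in allow-list")
    if not by_group or not verb_list:
        raise ValueError("need at least one resource and one verb")

    # One rule per API group: a PolicyRule pairs every listed resource with
    # every listed apiGroup, so mixing groups in one rule would over-grant.
    rules = [
        {"apiGroups": [group], "resources": sorted(set(names)), "verbs": verb_list}
        for group, names in sorted(by_group.items())
    ]
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": namespace},
        "rules": rules,
    }


if __name__ == "__main__":
    # Constructed input mirroring the issue's second example, plus one
    # non-core resource to show the per-group split.
    role = allow_role("pod-svc-reader", "default",
                      "pods.,services,deployments.apps", "get,list")
    print(json.dumps(role, indent=2))  # JSON manifests are accepted by kubectl
```

Anything not listed in `rules` stays denied unless another Role or ClusterRole bound to the same subject grants it.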