How to control access for pods/exec only in Kubernetes RBAC without pods create bound?
Since pods/exec is a subresource of pods, if you want to exec a pod, you first need to get the pod, so here is my role definition.
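```yaml
kind: Role
# v1beta1 as posted; clusters from Kubernetes 1.22 on serve only rbac.authorization.k8s.io/v1
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: pod-reader
rules:
# Read access to pods and their logs
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
# Exec is a "create" on the pods/exec subresource; "create" on pods itself is not granted
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
```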
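To see why the Role above allows exec without allowing pod creation, here is an added example (not part of the original answer and not Kubernetes code) that models how RBAC matches a rule's verbs, API groups and resource/subresource strings. The function names and the sample requests are constructed for illustration, and the model ignores `resourceNames` and `nonResourceURLs`.

```python
# Simplified model of Kubernetes RBAC rule matching (assumption: no
# resourceNames / nonResourceURLs). Rules mirror the pod-reader Role above.
ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]


def _resource_matches(rule_resources, resource, subresource):
    # A subresource request is compared as "resource/subresource";
    # a rule on "pods" alone does NOT cover "pods/exec".
    combined = f"{resource}/{subresource}" if subresource else resource
    for entry in rule_resources:
        if entry == "*" or entry == combined:
            return True
        # "*/exec" style entries match that subresource on any resource
        if subresource and entry == f"*/{subresource}":
            return True
    return False


def allowed(rules, verb, api_group, resource, subresource=""):
    # RBAC is purely additive: a request is allowed if any single rule matches.
    for rule in rules:
        if "*" not in rule["verbs"] and verb not in rule["verbs"]:
            continue
        if "*" not in rule["apiGroups"] and api_group not in rule["apiGroups"]:
            continue
        if _resource_matches(rule["resources"], resource, subresource):
            return True
    return False


def audit(rules):
    # Constructed requests: (verb, apiGroup, resource, subresource)
    checks = {
        "get pod": ("get", "", "pods", ""),
        "exec into pod": ("create", "", "pods", "exec"),
        "read logs": ("get", "", "pods", "log"),
        "create pod": ("create", "", "pods", ""),
        "delete pod": ("delete", "", "pods", ""),
        "attach to pod": ("create", "", "pods", "attach"),
    }
    return {name: allowed(rules, *req) for name, req in checks.items()}


if __name__ == "__main__":
    for name, ok in audit(ROLE_RULES).items():
        print(f"{name:15} {'allow' if ok else 'deny'}")
```

On a live cluster, `kubectl auth can-i create pods --subresource=exec -n default --as <user>` answers the same question against the real authorizer.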