3 messages
SimonelDavid 12 months ago
Hi guys! I have a little challenge with making RBAC in Kubernetes. I have a request to give a cluster role read-only permission to everything in the cluster except for the secrets. I tried something like:
```
default_rule1 = {
  api_groups = ["*"]
  resources  = ["*"]
  verbs      = ["get", "list", "watch"]
}
default_rule2 = {
  api_groups = [""]
  resources  = ["secrets"]
  verbs      = [""]
}
```
But this doesn't work, unfortunately; it only works if I make an explicit list of all the resources and give those 3 verbs on it, but this would be a real pain. I know that there is no explicit deny and also that once I gave the permission to the secrets in default rule 1 it cannot be overwritten in default rule 2. Do you have any ideas for workarounds? I tried to search the internet but nothing is really helpful, and I am trying to avoid a lot of code and the addition of another external tool for RBAC. Thank you!
managedkaos 11 months ago
akhan4u 11 months ago
Hi guys! I'm looking into setting up ALB with nginx-ingress in EKS. Need your inputs. So I want to deploy something like this:
• ALB + nginx_ingress + certmanager + external dns + let's encrypt - Is it possible to do this? I'm able to set up ClassicLB+nginx+certmanager+external_dns+letsencrypt but I want to get rid of classic_lb.
• I've come across that you can set up ALB+nginx+ACM; here letsencrypt with certmanager is not possible, so something like pre-generating certs and importing to ACM should work? I hope my understanding is correct, please feel free to correct me.