Access problem need help

[zeusro]

Currently I am studying custom resource . The basic RBAC is not enough,I couldn't implement feature such like “ Every User only sees the resource the User has access to.”

For example, user can only list the resource which they created.

But I notice that this problem have been solved in this project :

A Space is a non-persistent, virtual resource that represents exactly one Kubernetes namespace. Spaces have the following characteristics:
Every User only sees the Spaces the User has access to. 

So I ask you for help. How to implement ？ Thank you for your help.

[zeusro]

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: user-project-role-for-cgnmb28sdgdpdgxhyi1sb2nhba
rules:
  - apiGroups:
      - apps.abcd.cn
    resources:
      - projects
    verbs:
      - list

this ClusterRole wll let the user list all the resource which is not what I want .

[FabianKramm]

@zeusro Hello! Kiosk is not a solution to filter any arbitrary cluster scoped resource, rather kiosk divides users by the namespaces they have access to and introduces a new resource "spaces" that represents all namespaces a user is allowed to see. To give a user access to a namespace, you just need to create a new RoleBinding that gives him the right the view the namespace:

apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
kind: RoleBinding
metadata:
  name: rbac-role-binding-role-binding
subjects:
  # You can specify more than one "subject"
  - kind: User
    name: jane  # "name" is case sensitive
    apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role  # this must be Role or ClusterRole
  # this must match the name of the Role or ClusterRole you wish to bind to
  name: rbac-role-binding-role
  apiGroup: rbac.authorization.k8s.io

I hope this explains a little what the purpose of kiosk is.