50

I have a couple of namespaces - assume NS1 and NS2. I have service accounts created in those - sa1 in NS1 and sa2 in NS2. I have created roles and role bindings for sa1 to do stuff within NS1 and sa2 within NS2. What I want is to give sa1 certain access within NS2 (say only a Pod Reader role).

I am wondering if that's possible or not?

1 Answer

84

You can simply reference a ServiceAccount from another namespace in the RoleBinding:

# Both objects use rbac.authorization.k8s.io/v1; the v1beta1 RBAC API was
# removed in Kubernetes 1.22, so mixing the two versions no longer applies.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: ns2
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-from-ns1
  namespace: ns2          # the binding lives in ns2, so it only grants access inside ns2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- kind: ServiceAccount
  name: ns1-service-account
  namespace: ns1          # the subject may live in a different namespace
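To make the scoping of the answer above concrete, here is an added, self-contained model of how the API server evaluates a namespaced RoleBinding. It is illustration code written for this page, not Kubernetes source and not the answerer's code: it re-implements only the slice of RBAC needed to show that a RoleBinding in ns2 can name a ServiceAccount from ns1, and that the grant applies inside ns2 only. The Role and RoleBinding dicts mirror the answer's manifests; the account name "ns1-service-account" comes from the answer, while "sa2" is a constructed second account used for contrast. ClusterRole references are out of scope for this model.

```python
"""Offline model of namespaced RBAC evaluation (added example, not Kubernetes code)."""

# Manifests from the answer above, as Python dicts. apiVersion is omitted because
# it plays no part in authorization decisions.
ROLE_POD_READER = {
    "kind": "Role",
    "metadata": {"name": "pod-reader", "namespace": "ns2"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    ],
}

BINDING_POD_READER_FROM_NS1 = {
    "kind": "RoleBinding",
    "metadata": {"name": "pod-reader-from-ns1", "namespace": "ns2"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "pod-reader"},
    "subjects": [
        {"kind": "ServiceAccount", "name": "ns1-service-account", "namespace": "ns1"},
    ],
}


def rule_allows(rule, api_group, resource, verb):
    """A single PolicyRule matches when group, resource and verb are all listed
    (or covered by the "*" wildcard)."""
    def listed(values, wanted):
        return "*" in values or wanted in values

    return (listed(rule["apiGroups"], api_group)
            and listed(rule["resources"], resource)
            and listed(rule["verbs"], verb))


def subject_is_service_account(subject, sa_namespace, sa_name):
    """ServiceAccount subjects match on namespace AND name, which is exactly
    what lets a binding in ns2 refer to an account that lives in ns1."""
    return (subject["kind"] == "ServiceAccount"
            and subject.get("namespace") == sa_namespace
            and subject["name"] == sa_name)


def can_i(roles, bindings, sa_namespace, sa_name, verb, resource, namespace, api_group=""):
    """Return True if ServiceAccount <sa_namespace>/<sa_name> may perform
    <verb> on <resource> in <namespace>, using only Role/RoleBinding objects."""
    for binding in bindings:
        # A RoleBinding never reaches outside the namespace it is created in.
        if binding["metadata"]["namespace"] != namespace:
            continue
        if not any(subject_is_service_account(s, sa_namespace, sa_name)
                   for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        if ref["kind"] != "Role":
            continue  # ClusterRole references are not modelled here
        # A roleRef of kind Role can only resolve to a Role in the binding's own namespace.
        role = next((r for r in roles
                     if r["metadata"]["name"] == ref["name"]
                     and r["metadata"]["namespace"] == binding["metadata"]["namespace"]),
                    None)
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_allows(rule, api_group, resource, verb) for rule in role["rules"]):
            return True
    return False


def demo():
    """Evaluate a few requests against the answer's manifests and return the results."""
    roles, bindings = [ROLE_POD_READER], [BINDING_POD_READER_FROM_NS1]
    sa1 = ("ns1", "ns1-service-account")
    sa2 = ("ns2", "sa2")  # constructed account living in ns2, not bound to anything
    return {
        "sa1 get pods in ns2": can_i(roles, bindings, *sa1, "get", "pods", "ns2"),
        "sa1 delete pods in ns2": can_i(roles, bindings, *sa1, "delete", "pods", "ns2"),
        "sa1 get secrets in ns2": can_i(roles, bindings, *sa1, "get", "secrets", "ns2"),
        "sa1 get pods in ns1": can_i(roles, bindings, *sa1, "get", "pods", "ns1"),
        "sa2 get pods in ns2": can_i(roles, bindings, *sa2, "get", "pods", "ns2"),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request}: {'allowed' if allowed else 'denied'}")
```

The model reproduces the least-privilege outcome the answer relies on: sa1 can read pods in ns2, but gets nothing else there, nothing in ns1 from this binding, and sa2 gains nothing because it is not a subject. On a real cluster the equivalent check is `kubectl auth can-i get pods -n ns2 --as=system:serviceaccount:ns1:ns1-service-account`, which is a useful way to confirm a binding grants exactly what you intended and no more.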

6 Comments

Can we apply the same concept to make communication between a Service [NodePort in ns1] and an Ingress [Aws-alb-ingress-controller in ns2] work, i.e. across 2 different namespaces?
@AshishKumar here you can use a service of type ExternalName.
@LLlAMnYP can a service of type ExternalName distribute the traffic among multiple pods under the same label specified?
@Ashish a service of type ExternalName is nothing more than a CNAME record in the cluster DNS. The balancing is then done by the service it is pointing to.
There is also a very good and clear article about the topic: octopus.com/blog/k8s-rbac-roles-and-bindings This finally helped me to understand the relationship between service accounts, roles, role bindings, cluster roles and cluster role bindings.