I'm going over RBAC in Kubernetes. It appears to me that

  • a ServiceAccount can be bound to a Role within a namespace (or)
  • a ServiceAccount can be bound to a ClusterRole and have cluster-wide access (all namespaces?)

Is it possible for a single ServiceAccount (or User) to not have cluster-wide access but only have read-only access in a subset of namespaces? If so, can someone elaborate on how this can be achieved? Thanks!

    I think the solution is to define multiple RoleBindings for the one ServiceAccount, one for each namespace in which you wish it permitted. Commented Mar 19, 2019 at 3:04

1 Answer

You need to create a RoleBinding in each namespace the ServiceAccount should have access to.

Here is an example that gives the default ServiceAccount permissions to read pods in the development namespace.

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-secrets
  namespace: development # This only grants permissions within the "development" namespace.
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system # The subject may live in another namespace; the grant still applies only in "development".
roleRef:
  kind: Role
  name: pod-reader # A Role named "pod-reader" must already exist in the "development" namespace.
  apiGroup: rbac.authorization.k8s.io
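A way to produce the per-namespace bindings the answer describes, as an added example that is not part of the question, the answer, or the Kubernetes project. It defines the read-only rule set once in a ClusterRole and then creates a RoleBinding in each target namespace that references it; a ClusterRole referenced from a RoleBinding applies only inside that binding's namespace, and only a ClusterRoleBinding would make it cluster-wide. The ServiceAccount name "auditor", its namespace "ops", and the target namespaces "dev" and "staging" are constructed for the example. The output is JSON, which kubectl apply accepts alongside YAML, so no extra YAML library is needed.

```python
"""Generate a read-only, namespace-scoped RBAC grant for one ServiceAccount.

Added example; the ServiceAccount, namespace and resource names are constructed.
Pattern: one ClusterRole holds the rules (a ClusterRole by itself grants
nothing); a RoleBinding in each target namespace references it, so the
subject gets those rules only where a binding exists.
"""
import json

READ_ONLY_VERBS = ("get", "list", "watch")
RBAC_API = "rbac.authorization.k8s.io/v1"


def read_only_cluster_role(name, resources):
    """A ClusterRole whose only verbs are the read verbs, on core-group resources."""
    return {
        "apiVersion": RBAC_API,
        "kind": "ClusterRole",
        "metadata": {"name": name},
        "rules": [{"apiGroups": [""], "resources": list(resources), "verbs": list(READ_ONLY_VERBS)}],
    }


def namespaced_binding(namespace, role_name, sa_name, sa_namespace):
    """A RoleBinding that grants role_name inside exactly one namespace.

    roleRef points at a ClusterRole, but because this is a RoleBinding (not a
    ClusterRoleBinding) the permissions are limited to metadata.namespace.
    """
    return {
        "apiVersion": RBAC_API,
        "kind": "RoleBinding",
        "metadata": {"name": f"{role_name}-{sa_name}", "namespace": namespace},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_namespace}],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role_name},
    }


def build_grant(sa_name, sa_namespace, namespaces, resources=("pods", "pods/log")):
    """Return [ClusterRole, RoleBinding, RoleBinding, ...], one binding per namespace."""
    role = read_only_cluster_role(f"{sa_name}-reader", resources)
    bindings = [namespaced_binding(ns, role["metadata"]["name"], sa_name, sa_namespace) for ns in namespaces]
    return [role, *bindings]


def check_scope(manifests):
    """Defensive review of a manifest list: flag anything that widens access
    beyond read-only and namespace-scoped. Returns a list of problem strings."""
    problems = []
    for m in manifests:
        name = m["metadata"]["name"]
        if m["kind"] == "ClusterRoleBinding":
            problems.append(f"{name}: ClusterRoleBinding grants cluster-wide access")
        for rule in m.get("rules", []):
            bad = sorted(set(rule["verbs"]) - set(READ_ONLY_VERBS))
            if bad:
                problems.append(f"{name}: write verbs {bad}")
    return problems


def to_manifest_stream(manifests):
    """Serialise as a multi-document stream for `kubectl apply -f -`.
    JSON is valid YAML and kubectl reads it directly, so no YAML library is needed."""
    return "---\n" + "\n---\n".join(json.dumps(m, indent=2) for m in manifests) + "\n"


if __name__ == "__main__":
    grant = build_grant("auditor", "ops", ["dev", "staging"])
    assert check_scope(grant) == []
    print(to_manifest_stream(grant))
```

Running the script prints one ClusterRole and two RoleBindings (in dev and staging); namespaces that carry no binding grant the ServiceAccount nothing. The check_scope function is the review step a practitioner would want before applying: it rejects a ClusterRoleBinding or any verb outside get/list/watch.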