I created a namespace xxx; the role for this namespace is to get pods, services, etc. I created a service account yyy and a role binding yyy to the role in namespace xxx.
When I try to check something through the API with a secret token, for example
curl -kD - -H "Authorization: Bearer $TOKEN" https://localhost:6443/api/v1/namespaces/xxx/pods
I get a "403 Forbidden" error.
So I created a cluster role binding of my service account yyy to cluster role view, and after that of course a user can see pods of my namespace, but can see other pods from other namespaces too.
How can I restrict service account yyy to see pods, services, etc. only from a specific namespace?
To allow access only in a specific namespace create a rolebinding, not a clusterrolebinding:
kubectl create rolebinding my-viewer --clusterrole=view --serviceaccount=xxx:yyy -n xxx
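The same binding as a declarative manifest, added here as an example (not from the question or answer above); it assumes the namespace xxx and service account yyy from the question. The point is that a RoleBinding may reference a ClusterRole, but the permissions it grants apply only inside the namespace the binding lives in:

```yaml
# RoleBinding in namespace xxx that grants the built-in ClusterRole "view"
# to ServiceAccount yyy. Because this is a RoleBinding (not a
# ClusterRoleBinding), the "view" permissions are scoped to namespace xxx
# only; other namespaces stay inaccessible to the service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-viewer
  namespace: xxx            # the namespace the permissions apply to
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole         # referencing a ClusterRole is fine here;
  name: view                # the RoleBinding still scopes it to xxx
subjects:
- kind: ServiceAccount
  name: yyy
  namespace: xxx            # the namespace the ServiceAccount lives in
```

After applying it, confirm the scoping with `kubectl auth can-i get pods --as=system:serviceaccount:xxx:yyy -n xxx` (expected: yes) and the same command with `-n kube-system` (expected: no).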