I created a namespace xxx; the role for this namespace is to get pods, services, etc. I created a service account yyy and a role binding yyy to the role in namespace xxx.
When I try to check something through the API with a secret token, for example
curl -kD - -H "Authorization: Bearer $TOKEN https://localhost:6443/api/v1/namespaces/xxx/podsI get a "403 forbidden" error.
So I a cluster role binding of my service account yyy to cluster role view, and after that of course a user can see pods of my namespace, but can see other pods from other namespaces too.
How can I restrict service account yyy tee see pods, services, etc. only from a specific namespace?
To allow access only in a specific namespace create a rolebinding, not a clusterrolebinding:
kubectl create rolebinding my-viewer --clusterrole=view --serviceaccount=xxx:yyy -n xxx