Service account - access through API


I created a namespace xxx; the role for this namespace is to get pods, services, etc. I created a service account yyy and a role binding yyy to the role in namespace xxx.

When I try to check something through the API with a secret token, for example

curl -kD - -H "Authorization: Bearer $TOKEN" https://localhost:6443/api/v1/namespaces/xxx/pods

I get a "403 forbidden" error.

So I created a cluster role binding of my service account yyy to the cluster role view, and after that of course a user can see pods of my namespace, but can see other pods from other namespaces too.

How can I restrict service account yyy to see pods, services, etc. only from a specific namespace?

-- kris

1 Answer


To allow access only in a specific namespace create a rolebinding, not a clusterrolebinding:

kubectl create rolebinding my-viewer --clusterrole=view --serviceaccount=xxx:yyy -n xxx

-- Jordan Liggitt
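As an added example (not part of the answer above), the same fix as a declarative manifest: the cluster-wide binding the question describes, followed by the namespaced RoleBinding the answer recommends. The names xxx, yyy and my-viewer come from the thread; the ClusterRoleBinding name is constructed for illustration.

```yaml
# Before (what the question ended up with): a ClusterRoleBinding to the
# built-in ClusterRole "view" grants read access to pods, services, etc.
# in EVERY namespace. Remove this binding if it exists.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: yyy-view-cluster-wide   # constructed name for illustration
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: yyy
  namespace: xxx
---
# After (the answer): a RoleBinding may still reference the built-in
# ClusterRole "view", but because the binding itself is namespaced the
# grant applies only inside namespace xxx. Equivalent to:
#   kubectl create rolebinding my-viewer --clusterrole=view \
#     --serviceaccount=xxx:yyy -n xxx
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-viewer
  namespace: xxx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: yyy
  namespace: xxx
```

To confirm the scoping, run `kubectl auth can-i get pods -n xxx --as=system:serviceaccount:xxx:yyy` (expect yes) and the same command with `-n default` (expect no); the `--as` impersonation flag needs impersonation rights, which cluster-admin has.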
Source: StackOverflow