I want to implement RBAC for each user. Already have OIDC running and I can see my user credentials being saved in kube config. But to check my rolebindings, I have to run the command as kubectl get pods --as=user@email.com, even though I am logged in as user@email.com (through gcloud init). I am an owner account in our cloud but I was assuming the RBAC limitations should still work.
I am an owner account in our cloud but I was assuming the RBAC limitations should still work.
RBAC is additive only. If you have permissions via another configured authorizer, you will still have those permissions even if you have lesser permissions via RBAC.
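The "additive only" behaviour described in this answer, as an added example that is not part of the original post: a simplified Python model of an authorizer chain in which each authorizer returns allow, deny or no opinion and the first allow or deny wins. The `cloud_iam_authorizer` function, the chain names and the sample bindings are hypothetical and constructed for illustration.

```python
# Simplified model (constructed for illustration) of how the Kubernetes API
# server combines authorizers: each returns ALLOW, DENY or NO_OPINION, and
# the first ALLOW or DENY wins. RBAC only ever returns ALLOW or NO_OPINION.
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NO_OPINION = "no opinion"

def rbac_authorizer(bindings):
    """bindings: {user: {(verb, resource), ...}} derived from RoleBindings."""
    def authorize(user, verb, resource):
        if (verb, resource) in bindings.get(user, set()):
            return Decision.ALLOW
        return Decision.NO_OPINION  # RBAC has no deny rules
    return authorize

def cloud_iam_authorizer(owners):
    """Hypothetical stand-in for a provider authorizer that allows owners."""
    def authorize(user, verb, resource):
        return Decision.ALLOW if user in owners else Decision.NO_OPINION
    return authorize

def authorize_request(chain, user, verb, resource):
    """Return (allowed, name of the deciding authorizer or None)."""
    for name, authorizer in chain:
        decision = authorizer(user, verb, resource)
        if decision is not Decision.NO_OPINION:
            return decision is Decision.ALLOW, name
    return False, None  # no authorizer had an opinion: request is denied

# Constructed sample data: RBAC grants read access to pods only.
RBAC_BINDINGS = {"user@email.com": {("get", "pods"), ("list", "pods")}}
CHAIN_RBAC_ONLY = [("RBAC", rbac_authorizer(RBAC_BINDINGS))]
CHAIN_WITH_IAM = CHAIN_RBAC_ONLY + [
    ("cloud-iam", cloud_iam_authorizer({"user@email.com"}))]

if __name__ == "__main__":
    user = "user@email.com"
    for label, chain in (("RBAC only", CHAIN_RBAC_ONLY),
                         ("RBAC + cloud IAM", CHAIN_WITH_IAM)):
        for verb, resource in (("list", "pods"), ("delete", "secrets")):
            allowed, by = authorize_request(chain, user, verb, resource)
            print(f"{label:17} {verb:6} {resource:7} "
                  f"allowed={allowed} decided_by={by}")
```

With only RBAC in the chain the `delete secrets` request is denied, but once a second authorizer allows the owner account, the narrower RBAC bindings no longer limit it.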
Apart from credentials, you should configure a kubectl context to associate these credentials with the cluster, and set it as the default context:
First, list kubectl clusters with kubectl config get-clusters
Then create a new context:
kubectl config set-context my-new-context --cluster <CLUSTER NAME> --user="user@email.com"
And finally configure the new context as default:
kubectl config use-context my-new-context