Can't add namespace field to roleRef in RoleBinding

8/22/2018

I want to add a role from the kube-system namespace in my MyRoleBinding.yaml file like this:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata: 
  name: myrolebinding
  namespace: default
subjects: 
- kind: ServiceAccount 
  name: myservice
  namespace: default
  apiGroup: ""
roleRef: 
  kind: Role
  name: system:controller:token-cleaner
  namespace: kube-system
  apiGroup: "" 

But when I run kubectl apply -f MyRoleBinding.yaml I get:

error: error validating "MyRoleBinding.yaml": error validating data: ValidationError(RoleBinding.roleRef): unknown field "namespace" in io.k8s.api.rbac.v1.RoleRef; if you choose to ignore these errors, turn validation off with --validate=false

I am running in the default namespace; is it because of this?
I tried to run:
kubectl apply -f MyRoleBinding.yaml --namespace=kube-system but I am getting the same error.

I also tried to add an existing role in the default namespace by using:

roleRef: 
  kind: Role
  name: read-pods
  namespace: default
  apiGroup: "" 

and I got the same error.

-- E235
kubernetes
rbac

2 Answers

8/22/2018

RoleRef doesn't support a namespace clause; excerpt from the source code:

// RoleRef contains information that points to the role being used
type RoleRef struct {
    // APIGroup is the group for the resource being referenced
    APIGroup string `json:"apiGroup" protobuf:"bytes,1,opt,name=apiGroup"`
    // Kind is the type of resource being referenced
    Kind string `json:"kind" protobuf:"bytes,2,opt,name=kind"`
    // Name is the name of resource being referenced
    Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
}
-- Kun Li
Source: StackOverflow

8/22/2018

The roleRef field doesn't support namespace. You can use roleRef either with ClusterRoles, which are not namespaced, or with Roles, which always have to be in the same namespace as the RoleBinding. See also the reference.

-- Jakub
Source: StackOverflow
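
The two forms the answer above allows, written out as an added example that is not part of the original question or answers. The names myrolebinding, myservice and system:controller:token-cleaner come from the question; the ClusterRole read-pods, its rules and the binding name myservice-read-pods are assumptions made for illustration.

```yaml
# Option A: bind the Role where it lives. A Role is always resolved in the
# RoleBinding's own namespace, so the binding goes in kube-system. The subject
# may live elsewhere because subjects (unlike roleRef) carry a namespace.
# Effect: myservice in default gets the Role's permissions inside kube-system only.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myrolebinding
  namespace: kube-system
subjects:
- kind: ServiceAccount
  name: myservice
  namespace: default
roleRef:
  kind: Role
  name: system:controller:token-cleaner
  apiGroup: rbac.authorization.k8s.io
---
# Option B: define the rules once as a ClusterRole (not namespaced) and
# reference it from a RoleBinding. The grant still applies only in the
# binding's namespace (default), not cluster-wide.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods            # assumed name and rules, for illustration
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: myservice-read-pods  # assumed name
  namespace: default
subjects:
- kind: ServiceAccount
  name: myservice
  namespace: default
roleRef:
  kind: ClusterRole
  name: read-pods
  apiGroup: rbac.authorization.k8s.io
```

Before applying Option A, read the rules of the Role being bound, since the service account receives all of them in kube-system. The resulting scope can be checked with `kubectl auth can-i list pods --as=system:serviceaccount:default:myservice -n default`, changing the verb, resource and `-n` value to match the binding being tested.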