Limit the Kubernetes service account access to a specific namespace

10/3/2018

I created a service account that is bound to the default cluster role "view", which means it can access all of our resources with view permission.

But I would like to add a limitation so that this service account can't access one of our namespaces.

Any idea how can I achieve this?

Br,

Tim

-- Tim
kubernetes
service-accounts

2 Answers

10/3/2018

Kubernetes has only two permission scopes: Cluster(ClusterRole) or Namespace(Role) and no way to limit or exclude a ClusterRole to specific namespaces. If you want to restrict your ServiceAccount to specific namespaces you cannot use a ClusterRole but must use a Role in every namespace the ServiceAccount should have access in.

-- Lukas Eichler
Source: StackOverflow

10/3/2018

In addition to the other answer, when you use a Role, you need to specify the namespace on your RoleBinding. For example:

$ kubectl create rolebinding my-binding --role=myrole --user=myuser --namespace=mynamespace
-- Rico
Source: StackOverflow
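The two answers above describe the same approach: drop the cluster-wide binding and instead bind the service account with a namespaced Role plus a RoleBinding in each namespace it is allowed to read. The manifests below are an added example, not code from either answer; the names (namespace tooling, service account reporter, namespace team-a, role read-only) are assumptions. The Role lists a read-only subset similar to the built-in "view" role and deliberately leaves out secrets.

```yaml
# Added example (not from the original post or answers). Names are assumed.
# The ServiceAccount lives in one namespace; it can still be bound in others.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: reporter
  namespace: tooling
---
# A namespaced Role: these rules apply only inside team-a.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-only
  namespace: team-a
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
  # secrets are intentionally not listed: read-only access should not leak credentials
---
# RoleBinding in team-a. The subject is the ServiceAccount from the tooling
# namespace, so the grant is "reporter may read team-a" and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: reporter-read-only
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-only
subjects:
  - kind: ServiceAccount
    name: reporter
    namespace: tooling
```

Repeat the Role and RoleBinding for every namespace the account should read; a namespace with no binding (say, the one the question wants to exclude) stays unreachable. This only works if the original ClusterRoleBinding to "view" is deleted first, since RBAC is purely additive and a remaining cluster-wide grant cannot be overridden by a narrower Role. If copying the rules into a Role per namespace is too much maintenance, the RoleBinding's roleRef may instead name the built-in ClusterRole "view" (kind: ClusterRole); a ClusterRole referenced from a RoleBinding grants its rules only within that binding's namespace. Either way, verify the result with impersonation before trusting it:

kubectl auth can-i list pods --namespace team-a --as=system:serviceaccount:tooling:reporter

should print "yes", and the same command with the excluded namespace should print "no".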