Service Account Access Limiting by namespace

1/1/2019

I'm setting up Kubernetes pods to manage some pods in an individual namespace, so I've created pods with service accounts. The service account YAML is shown below:

  ---
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: sa-test-1

  ---
  kind: Role
  apiVersion: rbac.authorization.k8s.io/v1beta1
  metadata:
    name: sa-test-1
  rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]a
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]

  ---
  apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: RoleBinding
  metadata:
    name: sa-test-1
    namespace: qa-namespaces

  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: sa-test-1
  subjects:
  - kind: ServiceAccount
    name: sa-test-1

To test the service account and role binding, I installed kubectl in my pod. As far as I can see, my pod can access pods across the whole cluster (even the default namespace).

In summary, my pod should only have access to specific namespaces. Please help!

-- ColossusMark1
kubernetes
security

1 Answer

1/2/2019

From what I can see your yaml file is broken in a few places.

As mentioned by @rfum, you need to specify the namespace inside the Role, and there seems to be an extra character at the end of resources: ["pods/exec"], so your Role should look like this:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: qa-namespaces
  name: sa-test-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]

You can create the ServiceAccount using the following command:

kubectl create serviceaccount sa-test-serviceaccount --namespace qa-namespaces

Your RoleBinding is also a bit off and should look like this:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sa-test-rolebinding
  namespace: qa-namespaces
subjects:
- kind: ServiceAccount
  name: sa-test-serviceaccount
  namespace: qa-namespaces
roleRef:
  kind: Role
  name: sa-test-role
  apiGroup: rbac.authorization.k8s.io

I also recommend reading Configuring permissions in Kubernetes with RBAC, and Using RBAC Authorization.

-- Crou
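To make the scoping in the accepted answer concrete, here is an added example (not code from the question, the answer, or Kubernetes itself) that models how the RBAC authorizer evaluates the corrected Role and RoleBinding for the service account `system:serviceaccount:qa-namespaces:sa-test-serviceaccount`. It shows why a RoleBinding only grants inside its own namespace, why a rule on `pods` does not cover the `pods/exec` subresource, and what changes if the same subject is also bound through a ClusterRoleBinding, which is one way a pod ends up seeing the whole cluster. The `pod-reader` ClusterRole and the `db-creds` secret name are hypothetical and exist only for the demonstration; the real check on a cluster is `kubectl auth can-i`, not this script.

```python
"""Minimal model of Kubernetes RBAC evaluation (added example, not the
Kubernetes implementation). It follows the authorizer's documented rules:
deny by default, RoleBinding scoped to its namespace, ClusterRoleBinding
cluster-wide, subresources matched by their full "resource/sub" name."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def sa_subject(namespace: str, name: str) -> str:
    """Username the API server assigns to a ServiceAccount's token."""
    return f"system:serviceaccount:{namespace}:{name}"


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)

    def matches(self, group: str, resource: str, verb: str, name: Optional[str]) -> bool:
        group_ok = "*" in self.api_groups or group in self.api_groups
        # "pods/exec" is a distinct resource string; a rule for "pods" does not cover it.
        res_ok = "*" in self.resources or resource in self.resources
        verb_ok = "*" in self.verbs or verb in self.verbs
        # An empty resourceNames list means "any object of that resource".
        name_ok = not self.resource_names or name in self.resource_names
        return group_ok and res_ok and verb_ok and name_ok


@dataclass
class Binding:
    namespace: Optional[str]  # None models a ClusterRoleBinding
    role_kind: str            # "Role" or "ClusterRole"
    role_name: str
    subjects: Set[str]


# The corrected Role from the answer, keyed by (namespace, name).
ROLES: Dict[Tuple[str, str], List[Rule]] = {
    ("qa-namespaces", "sa-test-role"): [
        Rule([""], ["pods"], ["create", "delete", "get", "list", "patch", "update", "watch"]),
        Rule([""], ["pods/exec"], ["create", "delete", "get", "list", "patch", "update", "watch"]),
        Rule([""], ["pods/log"], ["get", "list", "watch"]),
        Rule([""], ["secrets"], ["get"]),
    ],
}
# Hypothetical ClusterRole (not on the page) used to show the effect of a ClusterRoleBinding.
CLUSTER_ROLES: Dict[str, List[Rule]] = {
    "pod-reader": [Rule([""], ["pods"], ["get", "list", "watch"])],
}


def rules_for(binding: Binding) -> List[Rule]:
    if binding.role_kind == "ClusterRole":
        return CLUSTER_ROLES.get(binding.role_name, [])
    # A RoleBinding can only reference a Role in its own namespace.
    return ROLES.get((binding.namespace, binding.role_name), [])


def can_i(bindings: List[Binding], subject: str, verb: str, resource: str,
          namespace: str, group: str = "", name: Optional[str] = None) -> bool:
    for b in bindings:
        if subject not in b.subjects:
            continue
        # A RoleBinding grants only in its namespace; a ClusterRoleBinding everywhere.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(r.matches(group, resource, verb, name) for r in rules_for(b)):
            return True
    return False  # deny by default: no matching rule, no access


SA = sa_subject("qa-namespaces", "sa-test-serviceaccount")
CORRECTED = [Binding("qa-namespaces", "Role", "sa-test-role", {SA})]


def demo() -> Dict[str, bool]:
    """Evaluate the requests a practitioner would check with `kubectl auth can-i`."""
    results = {
        "create pods/exec in qa-namespaces": can_i(CORRECTED, SA, "create", "pods/exec", "qa-namespaces"),
        "list pods in default": can_i(CORRECTED, SA, "list", "pods", "default"),
        "list secrets in qa-namespaces": can_i(CORRECTED, SA, "list", "secrets", "qa-namespaces"),
        "get secret db-creds in qa-namespaces": can_i(CORRECTED, SA, "get", "secrets", "qa-namespaces", name="db-creds"),
    }
    # Same subject, additionally bound cluster-wide: the namespace fence disappears.
    with_crb = CORRECTED + [Binding(None, "ClusterRole", "pod-reader", {SA})]
    results["list pods in default with ClusterRoleBinding"] = can_i(with_crb, SA, "list", "pods", "default")
    return results


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{'yes' if allowed else 'no ':<3}  {request}")
```

On a real cluster the equivalent checks are `kubectl auth can-i list pods -n default --as=system:serviceaccount:qa-namespaces:sa-test-serviceaccount` (expected: no) and `kubectl auth can-i --list -n default --as=...` to see every grant the subject actually has, which is the quickest way to find a stray ClusterRoleBinding. Two further points the model makes visible: the pod must set `serviceAccountName: sa-test-serviceaccount` in its spec, otherwise it runs as the namespace's `default` service account and the RoleBinding above never applies to it; and `get` on `secrets` without `resourceNames` lets the subject read every secret in `qa-namespaces`, including other service accounts' token secrets, so pin it to the specific names the pod needs where possible.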
Source: StackOverflow