I'm setting up Kubernetes pods to manage some pods in an individual namespace. So I've created pods with service accounts. The service account YAML is shown below:
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-test-1
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: sa-test-1
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]a
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: sa-test-1
  namespace: qa-namespaces
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sa-test-1
subjects:
- kind: ServiceAccount
  name: sa-test-1
To test the service account and role binding, I installed kubectl in my pod, and as far as I can see, my pod can access pods across the whole cluster (even the default namespace).
In summary: my pod should only be able to access specific namespaces. Please help!
From what I can see, your YAML file is broken in a few places.
As mentioned by @rfum, you need to specify the namespace inside the Role, and there seems to be an extra character at the end of resources: ["pods/exec"], so your Role should look like this:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: qa-namespaces
  name: sa-test-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
You can create the ServiceAccount using the following command:
kubectl create serviceaccount sa-test-serviceaccount --namespace qa-namespaces
Your RoleBinding is also a bit off and should look like this:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sa-test-rolebinding
  namespace: qa-namespaces
subjects:
- kind: ServiceAccount
  name: sa-test-serviceaccount
  namespace: qa-namespaces
roleRef:
  kind: Role
  name: sa-test-role
  apiGroup: rbac.authorization.k8s.io
I also recommend reading Configuring permissions in Kubernetes with RBAC, and Using RBAC Authorization.
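As an added illustration of the namespace-scoping problems the answer points out (not code from the question or the answer), the script below lints RBAC manifests for a Role, ServiceAccount or RoleBinding without metadata.namespace, a RoleBinding whose roleRef does not resolve to a Role in its own namespace, and a ServiceAccount subject with no namespace. The manifests are constructed Python dicts mirroring the page's YAML so no PyYAML dependency is needed; lint_rbac and the *_MANIFESTS names are this example's own.

```python
# Added example, not from the question or answer: lint_rbac and the
# *_MANIFESTS names are this example's own; manifests are constructed dicts.

# Constructed from the question: Role and ServiceAccount without a namespace,
# and a RoleBinding whose ServiceAccount subject has none either.
BROKEN_MANIFESTS = [
    {"kind": "ServiceAccount", "metadata": {"name": "sa-test-1"}},
    {"kind": "Role", "metadata": {"name": "sa-test-1"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "sa-test-1", "namespace": "qa-namespaces"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "sa-test-1"},
     "subjects": [{"kind": "ServiceAccount", "name": "sa-test-1"}]},
]

# Constructed from the answer: every object pinned to qa-namespaces.
FIXED_MANIFESTS = [
    {"kind": "ServiceAccount",
     "metadata": {"name": "sa-test-serviceaccount", "namespace": "qa-namespaces"}},
    {"kind": "Role", "metadata": {"name": "sa-test-role", "namespace": "qa-namespaces"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "sa-test-rolebinding", "namespace": "qa-namespaces"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "sa-test-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "sa-test-serviceaccount",
                   "namespace": "qa-namespaces"}]},
]


def lint_rbac(docs):
    """Return findings as strings; an empty list means the grant stays in one namespace."""
    findings, roles = [], set()
    for d in docs:
        kind, meta = d.get("kind"), d.get("metadata", {})
        # Without metadata.namespace a namespaced object lands in whatever
        # namespace kubectl's current context uses, not necessarily the intended one.
        if kind in ("ServiceAccount", "Role", "RoleBinding") and not meta.get("namespace"):
            findings.append(f"{kind} {meta.get('name')}: metadata.namespace is not set")
        if kind == "Role":
            roles.add((meta.get("namespace"), meta.get("name")))
    for d in (x for x in docs if x.get("kind") == "RoleBinding"):
        ns, name, ref = d["metadata"].get("namespace"), d["metadata"].get("name"), d.get("roleRef", {})
        # A RoleBinding can only reference a Role that lives in its own namespace.
        if ref.get("kind") == "Role" and (ns, ref.get("name")) not in roles:
            findings.append(f"RoleBinding {name}: Role {ref.get('name')} not found in namespace {ns}")
        for s in d.get("subjects", []):
            if s.get("kind") == "ServiceAccount" and not s.get("namespace"):
                findings.append(f"RoleBinding {name}: subject {s.get('name')} has no namespace")
    return findings
```

Running lint_rbac over the question's manifests reports four findings, while the answer's manifests report none.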