I have created one Azure Kubernetes cluster with RBAC enabled.
So my thinking is that if any pod wants to access any resource in the cluster, it should be associated with a service account, and the service account should have a specific role assigned to access the resource.
But in my case I am able to access resources (list pods, list namespaces) from a pod which is associated with a service account that does not have any role assigned.
Please help me know if my understanding of RBAC is wrong or I am doing something wrong here!
Your understanding is right. I'm not exactly sure about the permissions granted to the default service account, but if you create your own role and assign it to the service account you can control permissions. Sample:
```yaml
# RoleBinding: ties the service account to the Role inside one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myserviceaccount
  namespace: mynamespace   # the binding itself is namespaced; roleRef takes no namespace field
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: orleans-cluster
subjects:
- kind: ServiceAccount
  name: myserviceaccount
  namespace: mynamespace
---
# Role: the only permissions the bound service account will have.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: orleans-cluster
  namespace: mynamespace   # must live in the same namespace as the RoleBinding
rules:
- apiGroups:
  - orleans.dot.net
  resources:
  - clusterversions
  - silos
  verbs:
  - '*'
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myserviceaccount   # must match the subject name in the RoleBinding exactly
  namespace: mynamespace
```
If you assign myserviceaccount to the pod, it will only allow the pod to do whatever is defined in the role. So you need to create a role and a service account and use a RoleBinding (or ClusterRoleBinding for cluster-wide permissions) to bind the role to the service account.
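To make the answer's point concrete, here is an added example (not from the original post and not Kubernetes code) that mirrors the manifests above as Python dicts and evaluates requests the way the API server's RBAC authorizer does: subject match, binding namespace, then apiGroup/resource/verb rule match with `*` as wildcard. The manifests and the `system:serviceaccount:<ns>:<name>` usernames are constructed to match the answer's YAML.

```python
"""Minimal RBAC evaluator (added example, not Kubernetes code). Mirrors how a
request from a service account is checked against Role/RoleBinding rules."""

# Constructed manifests, equivalent to the answer's YAML (no PyYAML needed).
ROLE = {
    "kind": "Role", "metadata": {"name": "orleans-cluster", "namespace": "mynamespace"},
    "rules": [{"apiGroups": ["orleans.dot.net"],
               "resources": ["clusterversions", "silos"], "verbs": ["*"]}],
}
ROLE_BINDING = {
    "kind": "RoleBinding", "metadata": {"name": "myserviceaccount", "namespace": "mynamespace"},
    "roleRef": {"kind": "Role", "name": "orleans-cluster"},
    "subjects": [{"kind": "ServiceAccount", "name": "myserviceaccount", "namespace": "mynamespace"}],
}


def _matches(allowed, value):
    # A rule entry of '*' matches anything; otherwise the value must be listed.
    return "*" in allowed or value in allowed


def can_i(user, verb, resource, api_group="", namespace=None,
          roles=(ROLE,), bindings=(ROLE_BINDING,)):
    """user is 'system:serviceaccount:<ns>:<name>'. api_group '' is the core group
    (pods, namespaces). namespace=None means a cluster-scoped request.
    Returns True only if some binding for this subject reaches a matching rule."""
    _, _, sa_ns, sa_name = user.split(":", 3)
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    for b in bindings:
        # A RoleBinding only grants inside its own namespace, so a cluster-scoped
        # request (namespace=None) or another namespace can never match it.
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s.get("namespace") == sa_ns for s in b["subjects"]):
            continue  # this binding is for a different subject
        role = roles_by_name.get(b["roleRef"]["name"])
        if role is None:
            continue  # dangling roleRef (e.g. a name typo) grants nothing
        for rule in role["rules"]:
            if (_matches(rule["apiGroups"], api_group)
                    and _matches(rule["resources"], resource)
                    and _matches(rule["verbs"], verb)):
                return True
    return False  # RBAC is deny-by-default: no matching rule means denied
```

On a real cluster the equivalent check is `kubectl auth can-i list pods -n mynamespace --as=system:serviceaccount:mynamespace:myserviceaccount`, which is a quick way to confirm what a pod's service account can actually do.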