I'm using G I want to create a custom user that have only access to specific namespace, I used this yaml:
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: develop-user
namespace: develop
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: develop-user-full-access
namespace: develop
rules:
- apiGroups: rbac.authorization.k8s.io
resources:
- services
verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: develop-user-view
namespace: develop
subjects:
- kind: ServiceAccount
name: develop-user
namespace: develop
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: develop-user-full-accessso I get a certificate and added to my kube config, after I switched context to this new service account and figured out that I still have access to everything :(
Why did it happen and how to fix?
my kubeconfig (pastebin copy: https://pastebin.com/s5Nd6Dnn):
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: %certificate-data%
server: https://animeheaven.nyah
name: anime-cluster-develop
contexts:
- context:
cluster: anime-cluster-develop
namespace: develop
user: develop-user
name: anime-develop
current-context: anime-develop
kind: Config
preferences: {}
users:
- name: develop-user
user:
client-key-data: %certdata%
token: %tokenkey%https://medium.com/uptime-99/making-sense-of-kubernetes-rbac-and-iam-roles-on-gke-914131b01922
https://medium.com/@ManagedKube/kubernetes-rbac-port-forward-4c7eb3951e28
these two articles helped me finally! I almost felt into depression because of this stupid stuff, thanks to uptime-99 and ManagedKube I did it! yay!
the key is to create kubernetes-viewer user in gcloud and then create a role for him here is a hint!
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: develop
name: allow-developer-port-forward
rules:
- apiGroups: [""]
resources: ["pods", "pods/portforward"]
verbs: ["get", "list", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: anime-developer-port-access
namespace: develop
subjects:
- kind: User
name: ANIMEDEVERLOP@gmail.com
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: allow-developer-port-forward
apiGroup: ""then
kubectly apply -f accessconfig.yaml
thats it!
have a nice day!
Here's a good article on how to set it up: https://jeremievallee.com/2018/05/28/kubernetes-rbac-namespace-user.html.
In general, your configuration is fine, what I changed is the line - apiGroups: rbac.authorization.k8s.io changed to:
- apiGroups: ["", "extensions", "apps"]Then, applied the following steps:
develop namespace$ kubectl create namespace develop$ kubectl apply -f rbac.yaml$ kubectl cluster-info
$ kubectl get secret develop-user-token-2wsnb -o jsonpath={.data.token} -n develop | base64 --decode
$ kubectl get secret develop-user-token-2wsnb -o "jsonpath={.data['ca\.crt']}" -n develop~/.kube/config file (as described in the linked guide)developdevelop namespace.$ kubectl get service my-service -n mynamespace
Error from server (Forbidden): services "my-service" is forbidden: User "system:serviceaccount:develop:develop-user" cannot get services in the namespace "mynamespace"
$ kubectl get service my-service -n develop
hError from server (NotFound): services "my-service" not found