How to provide access to a service account to read pods in multiple namespaces?

3/19/2019

I'm going over RBAC in Kubernetes. It appears to me that

  • a ServiceAccount can be bound to a Role within a namespace (or)
  • a ServiceAccount can be bound to a ClusterRole and have cluster-wide access (all namespaces?)

Is it possible for a single Service Account (or User) to not have cluster-wide access but only have read-only access in only a subset of namespaces? If so, can someone elaborate on how this can be achieved? Thanks!

-- not_again_stackoverflow
kubectl
kubernetes
rbac

1 Answer

3/19/2019

You need to create a RoleBinding in each namespace the ServiceAccount should have access to.

Here is an example that gives the default ServiceAccount permissions to read pods in the development namespace.

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-secrets
  namespace: development # This only grants permissions within the "development" namespace.
subjects:
- kind: ServiceAccount
  name: default
  namespace: kube-system # The namespace the ServiceAccount lives in, not the namespace being granted.
roleRef:
  kind: Role
  name: pod-reader # A Role named "pod-reader" must already exist in the "development" namespace.
  apiGroup: rbac.authorization.k8s.io
-- Lukas Eichler
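The answer above binds a per-namespace Role. The following script is an added example (not part of the original answer) that generalizes it to a subset of namespaces: it defines the read-only rules once as a ClusterRole and then creates one namespaced RoleBinding per target namespace, which keeps the grant scoped to exactly those namespaces (a ClusterRoleBinding would be the cluster-wide variant). The ServiceAccount name "pod-watcher", its home namespace "monitoring", and the target namespaces "development" and "staging" are constructed for this example. The manifest generation runs offline; applying and verifying with kubectl only happens when the script is invoked with the argument "apply".

```shell
#!/bin/sh
# Added example: grant a ServiceAccount read-only pod access in a subset of
# namespaces. Names below are constructed assumptions, not from the answer.
SA_NAME="pod-watcher"
SA_NAMESPACE="monitoring"
TARGET_NAMESPACES="development staging"

# A ClusterRole only defines verbs and resources; it grants nothing by itself.
# The scope of the grant comes from the kind of binding that references it.
emit_cluster_role() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
EOF
}

# A namespaced RoleBinding that references a ClusterRole applies the
# ClusterRole's rules only inside that one namespace.
emit_role_binding() {
  ns="$1"
  cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${SA_NAME}-pod-reader
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${SA_NAME}
  namespace: ${SA_NAMESPACE}
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Full manifest set: one ClusterRole plus one RoleBinding per target namespace.
build_manifests() {
  emit_cluster_role
  for ns in $TARGET_NAMESPACES; do
    emit_role_binding "$ns"
  done
}

# Number of RoleBindings produced; should equal the number of target namespaces.
count_bindings() {
  build_manifests | grep -c '^kind: RoleBinding$'
}

# Apply the manifests and check the effective permissions by impersonating
# the ServiceAccount. Requires cluster access; not run by default.
apply_and_verify() {
  build_manifests | kubectl apply -f -
  for ns in $TARGET_NAMESPACES; do
    # Expected answer: yes
    kubectl auth can-i list pods --namespace "$ns" \
      --as "system:serviceaccount:${SA_NAMESPACE}:${SA_NAME}"
  done
  # Expected answer: no. The grant must not leak into namespaces without a binding.
  kubectl auth can-i list pods --namespace kube-system \
    --as "system:serviceaccount:${SA_NAMESPACE}:${SA_NAME}"
}

if [ "${1:-}" = "apply" ]; then
  apply_and_verify
fi
```

Running the script without arguments only defines the functions; `sh script.sh apply` applies the manifests and prints the `kubectl auth can-i` results, which should read "yes" for each target namespace and "no" for kube-system. To audit the result later, `kubectl get rolebindings -A -o wide | grep pod-reader` lists every namespace where the ClusterRole is bound.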
Source: StackOverflow