Rolebinding with ClusterRole is not restricted to namespace when using a ServiceAccount

5/29/2019

I want to set a ServiceAccount's authorizations by associating it with a ClusterRole, but restricted to a namespace using a RoleBinding.

I declared one ClusterRole and configured a RoleBinding in a namespace pointing to that ClusterRole. However, when I access the cluster with the token of the ServiceAccount defined in the RoleBinding, I'm not restricted to the namespace.
On the other hand, when I access the cluster with a "User" certificate, this works: I only have access to the namespace.

Kubernetes v1.13.5

The Rolebinding I defined:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: exploitant
  namespace: myNamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: default
  namespace: myNamespace
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: myUser

This is what I get:

kubectl auth can-i --token=XXXXXXXX get po -n myNamespace
yes

--> as expected

kubectl auth can-i --token=XXXXXXXX get po -n kube-system
yes

--> not expected!

-- Julien Le Fur
kubernetes

1 Answer

5/29/2019

The solution is to create a specific ServiceAccount. The "default" ServiceAccount should not be used. By default, all pods run with the default service account (if you don't specify one). So, the default service account exists in all namespaces, so the default service account can read pods in all namespaces.

-- Julien Le Fur
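The following is an added illustration, not code from the question, the answer or Kubernetes itself: a simplified model of how the RBAC authorizer evaluates a request. It shows two facts that matter here: a RoleBinding grants permissions only inside its own namespace even when its roleRef is a ClusterRole, and a ServiceAccount subject is identified by namespace and name (a token for `default` in `myNamespace` authenticates as `system:serviceaccount:myNamespace:default`, a different identity from `default` in `kube-system`). The `view` ClusterRole is reduced to its pod rule, and the extra ClusterRoleBinding `SA_GROUP_VIEW` is hypothetical: it is one configuration that would reproduce the unexpected "yes" in `kube-system`, added to show how a second binding, rather than the RoleBinding shown, widens the scope.

```python
# Added example: a simplified model of Kubernetes RBAC evaluation.  It is
# illustration code, not Kubernetes' own authorizer, and every role and
# binding below is constructed for the example.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    api_groups: List[str]  # "" is the core API group; "*" matches any
    resources: List[str]
    verbs: List[str]


@dataclass
class Role:
    name: str
    rules: List[Rule]
    namespace: Optional[str] = None  # None models a ClusterRole


@dataclass
class Subject:
    kind: str  # "User", "Group" or "ServiceAccount"
    name: str
    namespace: Optional[str] = None  # only meaningful for ServiceAccount


@dataclass
class Binding:
    role_ref: Role
    subjects: List[Subject]
    namespace: Optional[str] = None  # None models a ClusterRoleBinding


def service_account_user(namespace: str, name: str) -> str:
    """Username a ServiceAccount token authenticates as."""
    return f"system:serviceaccount:{namespace}:{name}"


def _subject_matches(subject: Subject, user: str, groups: List[str]) -> bool:
    if subject.kind == "User":
        return subject.name == user
    if subject.kind == "Group":
        return subject.name in groups
    if subject.kind == "ServiceAccount":
        # Identified by namespace *and* name: "default" in myNamespace is a
        # different identity from "default" in kube-system.
        return user == service_account_user(subject.namespace, subject.name)
    return False


def _rule_allows(rule: Rule, verb: str, api_group: str, resource: str) -> bool:
    def hit(wanted, allowed):
        return "*" in allowed or wanted in allowed
    return (hit(verb, rule.verbs) and hit(api_group, rule.api_groups)
            and hit(resource, rule.resources))


def can_i(bindings: List[Binding], user: str, groups: List[str], verb: str,
          resource: str, namespace: str, api_group: str = "") -> bool:
    """True if any binding grants the request; RBAC denies by default."""
    for b in bindings:
        # A RoleBinding only grants inside its own namespace, even when its
        # roleRef is a ClusterRole; a ClusterRoleBinding grants everywhere.
        if b.namespace is not None and b.namespace != namespace:
            continue
        if not any(_subject_matches(s, user, groups) for s in b.subjects):
            continue
        if any(_rule_allows(r, verb, api_group, resource) for r in b.role_ref.rules):
            return True
    return False


# Constructed objects mirroring the question: ClusterRole "view" (pod rule
# only) and the RoleBinding "exploitant" in myNamespace.
VIEW = Role("view", [Rule([""], ["pods"], ["get", "list", "watch"])])
EXPLOITANT = Binding(
    role_ref=VIEW,
    subjects=[Subject("ServiceAccount", "default", "myNamespace"),
              Subject("User", "myUser")],
    namespace="myNamespace",
)

# Hypothetical extra binding (not in the question): a ClusterRoleBinding that
# gives "view" to the group every ServiceAccount token carries.  It is one
# configuration that would reproduce the "yes" in kube-system.
SA_GROUP_VIEW = Binding(
    role_ref=VIEW,
    subjects=[Subject("Group", "system:serviceaccounts")],
    namespace=None,
)


def check(bindings: List[Binding]) -> dict:
    """Evaluate the question's two kubectl checks plus a few related ones."""
    sa = service_account_user("myNamespace", "default")
    sa_groups = ["system:serviceaccounts", "system:serviceaccounts:myNamespace"]
    other_sa = service_account_user("kube-system", "default")
    return {
        "sa_in_myNamespace": can_i(bindings, sa, sa_groups, "get", "pods", "myNamespace"),
        "sa_in_kube_system": can_i(bindings, sa, sa_groups, "get", "pods", "kube-system"),
        "user_in_myNamespace": can_i(bindings, "myUser", [], "get", "pods", "myNamespace"),
        "user_in_kube_system": can_i(bindings, "myUser", [], "get", "pods", "kube-system"),
        "other_sa_in_myNamespace": can_i(bindings, other_sa, ["system:serviceaccounts"],
                                         "get", "pods", "myNamespace"),
    }


if __name__ == "__main__":
    print("RoleBinding only:", check([EXPLOITANT]))
    print("plus cluster-wide SA group binding:", check([EXPLOITANT, SA_GROUP_VIEW]))
```

With only the posted RoleBinding, the model answers "no" for `kube-system`, which is also what a real cluster does; the extra cluster-wide binding is what flips it to "yes" while leaving `myUser` correctly confined. On a real cluster the same checks can be run without a token by impersonating the ServiceAccount, `kubectl auth can-i get pods -n kube-system --as=system:serviceaccount:myNamespace:default`, and any other binding that matches the ServiceAccount or its groups can be found with `kubectl get rolebindings,clusterrolebindings -A -o wide`.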
Source: StackOverflow