I'm trying to create one serviceaccount in Kubernetes with the same token and give it access only to three namespaces. Is this possible in Kubernetes?
What I have done:
I create my serviceaccount:
kubectl create serviceaccount myuser
I create a ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: myrole
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
I create a ClusterRoleBinding (apiVersion added here, since the manifest is rejected without it):
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: myRoleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: myrole
subjects:
- kind: ServiceAccount
  name: myuser
  namespace: wordpress
- kind: ServiceAccount
  name: myuser
  namespace: mysql
- kind: ServiceAccount
  name: myuser
  namespace: redis
I try to get secrets in the namespace wordpress but get this:
Error from server (Forbidden): pods is forbidden: User
"system:serviceaccount:default:myuser" cannot list resource "secrets" in API group
"" in the namespace "wordpress"
Hope someone can help here.
Try putting this inside your ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: myrole
rules:
- apiGroups:
  - "*"
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
You want to bind that clusterrole to the service account in all three namespaces. To do this, create a namespaced rolebinding in each namespace.
i.e.
$ kubectl create rolebinding myrolebinding --serviceaccount=default:myuser --clusterrole=myrole --namespace=wordpress
$ kubectl create rolebinding myrolebinding --serviceaccount=default:myuser --clusterrole=myrole --namespace=namespace2
$ kubectl create rolebinding myrolebinding --serviceaccount=default:myuser --clusterrole=myrole --namespace=namespace3
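To make the subject-matching rule behind this answer concrete, here is a small Python model of how Kubernetes RBAC matches a ServiceAccount subject and scopes a binding. It is an added illustration, not code from either answer or from Kubernetes itself, and it deliberately models only the pieces the thread touches (ServiceAccount and User subjects, ClusterRoleBinding vs. RoleBinding scope, group/resource/verb rules). The manifests it evaluates are constructed inline from the question and from this answer; nothing contacts a cluster. It shows that the `namespace` field of a ServiceAccount subject identifies where the account lives (the user is `system:serviceaccount:<ns>:<name>`), so the question's ClusterRoleBinding never matches `system:serviceaccount:default:myuser`, while the per-namespace RoleBindings above do, and only in the namespaces they are created in.

```python
"""Toy model of Kubernetes RBAC subject matching (added example, not the
project's own authorizer). Constructed from the thread: the question's
ClusterRoleBinding versus the answer's per-namespace RoleBindings."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    kind: str
    name: str
    namespace: str = ""  # only meaningful for ServiceAccount subjects


@dataclass
class Binding:
    kind: str        # "ClusterRoleBinding" or "RoleBinding"
    namespace: str   # "" for a ClusterRoleBinding (cluster-wide scope)
    subjects: list   # list[Subject]
    rules: list      # (apiGroups, resources, verbs) tuples of the referenced role


def service_account_user(namespace: str, name: str) -> str:
    """A ServiceAccount authenticates as the user system:serviceaccount:<ns>:<name>."""
    return f"system:serviceaccount:{namespace}:{name}"


def subject_matches(subject: Subject, user: str) -> bool:
    # A ServiceAccount subject matches only the exact namespace+name pair; the
    # namespace is where the account lives, not where it is being granted access.
    if subject.kind == "ServiceAccount":
        return user == service_account_user(subject.namespace, subject.name)
    return subject.kind == "User" and subject.name == user


def rule_allows(rule, api_group: str, resource: str, verb: str) -> bool:
    groups, resources, verbs = rule
    return (("*" in groups or api_group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))


def can_i(bindings, user, verb, resource, namespace, api_group="") -> bool:
    """Simplified authorizer: allow if some binding whose scope covers the
    namespace names a matching subject and references an allowing rule."""
    for b in bindings:
        if b.kind == "RoleBinding" and b.namespace != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if not any(subject_matches(s, user) for s in b.subjects):
            continue
        if any(rule_allows(r, api_group, resource, verb) for r in b.rules):
            return True
    return False


# Rules of the ClusterRole "myrole" from the question (core API group only).
MYROLE_RULES = [([""], ["pods/attach", "pods/exec", "pods/portforward",
                        "pods/proxy", "secrets", "services/proxy"],
                 ["get", "list", "watch"])]
# Same role with the first answer's apiGroups change; widens groups, not subjects.
MYROLE_RULES_WILDCARD_GROUPS = [(["*"],) + MYROLE_RULES[0][1:]]

NAMESPACES = ("wordpress", "mysql", "redis")

# Constructed from the question: one ClusterRoleBinding naming myuser in each namespace.
QUESTION_BINDINGS = [Binding("ClusterRoleBinding", "",
                             [Subject("ServiceAccount", "myuser", ns) for ns in NAMESPACES],
                             MYROLE_RULES)]

# Constructed from this answer: one RoleBinding per namespace, subject default:myuser.
ANSWER_BINDINGS = [Binding("RoleBinding", ns, [Subject("ServiceAccount", "myuser", "default")],
                           MYROLE_RULES) for ns in NAMESPACES]

# The account actually created by `kubectl create serviceaccount myuser` lives in "default".
USER = service_account_user("default", "myuser")


def question_result() -> bool:
    return can_i(QUESTION_BINDINGS, USER, "list", "secrets", "wordpress")


def wildcard_groups_result() -> bool:
    widened = [Binding(b.kind, b.namespace, b.subjects, MYROLE_RULES_WILDCARD_GROUPS)
               for b in QUESTION_BINDINGS]
    return can_i(widened, USER, "list", "secrets", "wordpress")


def answer_result() -> bool:
    return can_i(ANSWER_BINDINGS, USER, "list", "secrets", "wordpress")


def answer_other_namespace() -> bool:
    return can_i(ANSWER_BINDINGS, USER, "list", "secrets", "kube-system")


def answer_other_verb() -> bool:
    return can_i(ANSWER_BINDINGS, USER, "delete", "secrets", "wordpress")


if __name__ == "__main__":
    print("question ClusterRoleBinding, list secrets in wordpress:", question_result())
    print("same binding with apiGroups '*':", wildcard_groups_result())
    print("answer RoleBindings, list secrets in wordpress:", answer_result())
    print("answer RoleBindings, list secrets in kube-system:", answer_other_namespace())
    print("answer RoleBindings, delete secrets in wordpress:", answer_other_verb())
```

On a real cluster the equivalent check is `kubectl auth can-i list secrets --namespace wordpress --as system:serviceaccount:default:myuser`, which is worth running after creating the three RoleBindings to confirm the grant is limited to exactly those namespaces and verbs.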