Use one user for multiple RoleBindings in Kubernetes

8/26/2019

I have an application that is going to monitor and, if necessary, scale other resources. At the moment I am using the cluster-admin tokens for it to access the k8s API, but I want to limit its access to just monitoring and scaling.

I know that I need to use Role and RoleBinding for this, but I have two questions:

  1. Can I use just one user and bind it to a role in different namespaces? I need to run multiple instances of my application in different namespaces on a cluster.

  2. Is there a way to create a new k8s user via a YAML file and use that to bind the role?

In the end, if I am using the wrong approach, please let me know, because I am somewhat of a newbie in RBAC.

-- AVarf
kubernetes
rbac
service-accounts

1 Answer

8/26/2019

You seem to have the right approach.

Have a look at the documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

From experience, always keep resources that are linked inside the same namespace: one user with one ClusterRole and RoleBinding.

Still, in the case of RoleBindings, they are not namespaced, so you should be able to bind one user per namespace to a single ClusterRole. I have never tested it myself, so you will have to do some testing.

There is still the question of why not just create a single app with a ServiceAccount that has access to all namespaces, so that one app deployed in a namespace will be able to access all the resources it needs to manage in the whole cluster?

-- night-gold
Source: StackOverflow
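The setup the question is asking for, as an added example that is not part of the original question or answer: a ServiceAccount created from YAML (this is the "user" the asker wants, since Kubernetes has no user objects of its own), a single ClusterRole holding the least-privilege monitor-and-scale rules, and one RoleBinding per target namespace that binds that same ServiceAccount to the ClusterRole. The namespaces `scaler-system`, `team-a` and `team-b`, the names `scaler` and `monitor-and-scale`, and the placeholder image are assumptions made for the example.

```yaml
# Added example, not from the original post. All names (namespaces
# scaler-system/team-a/team-b, ServiceAccount "scaler", ClusterRole
# "monitor-and-scale", the container image) are assumptions.

# 1. The "user": a ServiceAccount created from YAML. It lives in exactly one
#    namespace; the token for it is what replaces the cluster-admin token.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: scaler
  namespace: scaler-system
---
# 2. The permissions, defined once as a ClusterRole. A ClusterRole is not
#    namespaced, so the same rule set can be referenced by many RoleBindings.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitor-and-scale
rules:
  # read-only visibility needed for monitoring
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
  # scaling: only the /scale subresource, not update/delete on the whole
  # Deployment object (which would allow changing the image or command)
  - apiGroups: ["apps"]
    resources: ["deployments/scale"]
    verbs: ["get", "update", "patch"]
---
# 3. One RoleBinding per target namespace. A RoleBinding is namespaced: it
#    grants the referenced ClusterRole only inside its own namespace, to the
#    same ServiceAccount subject each time.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: scaler-monitor-and-scale
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: scaler
    namespace: scaler-system   # the subject names the SA's own namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: monitor-and-scale
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: scaler-monitor-and-scale
  namespace: team-b
subjects:
  - kind: ServiceAccount
    name: scaler
    namespace: scaler-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: monitor-and-scale
---
# 4. The application runs under that ServiceAccount instead of a cluster-admin
#    token; the SA token is mounted into the pod by default.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: scaler
  namespace: scaler-system
spec:
  replicas: 1
  selector:
    matchLabels: {app: scaler}
  template:
    metadata:
      labels: {app: scaler}
    spec:
      serviceAccountName: scaler
      containers:
        - name: scaler
          image: registry.example.invalid/scaler:1.0   # placeholder, assumed
```

After `kubectl apply -f` on the file, the grant can be verified by impersonating the ServiceAccount: `kubectl auth can-i patch deployments/scale -n team-a --as=system:serviceaccount:scaler-system:scaler` should answer `yes`, while the same check against a namespace with no RoleBinding (for example `-n team-c`), or `kubectl auth can-i delete deployments -n team-a --as=system:serviceaccount:scaler-system:scaler`, should answer `no`. Two caveats a practitioner would want: `roleRef` is immutable, so changing which role a binding points at means deleting and recreating the RoleBinding; and a pod can only use a ServiceAccount from its own namespace, so if one instance of the application must run in each target namespace, either create the ServiceAccount in every namespace and bind each one, or run all instances in one namespace with that single ServiceAccount bound into every namespace it manages, as above.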