I have a RBAC enabled Kubernetes cluster in GCP
There are one namespace for Tiller and multiple for Services
Right now, I can assign reader role for a specific service account given it's full name
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
name: tiller-reader
namespace: tiller
rules:
- apiGroups: [""]
resources: ["pods"]
verbs:
- "get"
- "watch"
- "list"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tiller-reader-role-binding
namespace: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: tiller-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: system:serviceaccount:my-namespace-1:my-namespace-1-service-accountThe Service namespaces and accounts are created dynamically. How do I automatically give all services accounts access to the Tiller namespace, for example: to get pods?
to grant a role to all service accounts you must use the Group system:serviceaccounts.
you can try the following config :
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
name: tiller-reader
namespace: tiller
rules:
- apiGroups: [""]
resources: ["pods"]
verbs:
- "get"
- "watch"
- "list"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tiller-reader-role-binding
namespace: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tiller-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts