I'm trying to restrict a ServiceAccount's RBAC permissions to manage secrets in all namespaces:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gitlab-secrets-manager
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- gitlab-registry
verbs:
- get
- list
- create
- update
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: gitlab-service-account
namespace: gitlab
secrets:
- name: gitlab-service-account-token-lllll
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gitlab-service-account-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: gitlab-secrets-manager
subjects:
- kind: ServiceAccount
name: gitlab-service-account
namespace: gitlabSo far, I've created the ServiceAccount and the related CRB, however, actions are failing:
secrets "gitlab-registry" is forbidden: User "system:serviceaccount:gitlab:default" cannot get resource "secrets" in API group "" in the namespace "shamil"Anyone know what I'm missing?
You can do the following steps:
gitlab-service-account in gitlab namespace exists in the cluster.ClusterRole as you have given:apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: gitlab-secrets-manager
rules:
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- gitlab-registry
verbs:
- get
- list
- create
- updateClusterRoleBinding to grant permission at the cluster level.apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: gitlab-secrets-manager-clusterrolebinding
subjects:
- kind: ServiceAccount
name: gitlab-service-account
namespace: gitlab
roleRef:
kind: ClusterRole
name: gitlab-secrets-manager
apiGroup: rbac.authorization.k8s.io