Grant privileges to specific namespaces for every user

4/21/2020

I have a bunch of users. Every user should be able to create/change/delete substances in namespaces like *-stage. Namespaces can be added or removed dynamically. I can create a ServiceAccount in every namespace and grant privileges.

I created a pod in k8s and installed kubectl and ssh into it. So every user has access to this pod and can use kubectl. I know that I can mount ServiceAccount secrets into a pod. Since I have different ServiceAccounts for every namespace, I don't know how to grant privileges to all *-stage namespaces for every user. I don't want to create a cluster-admin ClusterRoleBinding for the ServiceAccount, because users should be able to modify only *-stage namespaces. Can you help me please?

-- Kirill Bugaev
kubernetes

1 Answer

4/30/2020

I am posting a community wiki answer based on OP's solution for better visibility:

Actually, I have already solved the problem. I create a ["*"] role in every *-stage namespace and bind it to a ServiceAccount. Then I mount the ServiceAccount into the kubectl pod, which is available over ssh. So every user has unlimited access to the *-stage namespaces.

Also, I am adding links to the official docs on ServiceAccounts and role-based access control as a supplement.

-- OhHiMark
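The per-namespace Role approach from the answer, written out as an added example that is not part of the original post: a POSIX shell snippet that filters a namespace list down to the *-stage ones and renders the namespaced Role plus RoleBinding for each. The ServiceAccount name `stage-editor` and its home namespace `tools` (where the kubectl pod runs) are assumptions; the Role is deliberately namespaced rather than a ClusterRole, so nothing outside the *-stage namespaces is granted.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumed: one ServiceAccount "stage-editor" in namespace "tools" is mounted
# into the shared kubectl pod; each *-stage namespace gets its own Role and
# RoleBinding, so the grant never becomes cluster-wide.

# Keep only namespace names ending in "-stage" (one name per line on stdin).
stage_namespaces() {
  grep -E -e '-stage$'
}

# Print a Role + RoleBinding for namespace $1 that bind ServiceAccount $2
# (living in namespace $3) to full access inside $1 only.
render_stage_rbac() {
  ns="$1"; sa="$2"; sa_ns="$3"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: stage-full-access
  namespace: ${ns}
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: stage-full-access
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${sa_ns}
roleRef:
  kind: Role
  name: stage-full-access
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Against a live cluster (needs kubectl), re-run whenever namespaces change:
#   kubectl get ns -o name | sed 's#^namespace/##' | stage_namespaces \
#     | while read -r ns; do
#         render_stage_rbac "$ns" stage-editor tools | kubectl apply -f -
#       done
```

Because the binding lives in each *-stage namespace, `kubectl auth can-i --as=system:serviceaccount:tools:stage-editor delete pods -n prod` should still answer `no`, which is the check worth running after applying.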
Source: StackOverflow