I'm new to k8s.
I have a deployment with a single pod inside the k8test (custom) namespace. For learning purposes, I want to give that pod admin access.
I failed to achieve this by creating a namespace Role:
kind: 'Role',
apiVersion: 'rbac.authorization.k8s.io/v1',
metadata: {
  name: 'super-duper-admin',
  namespace: 'k8test',
},
rules: [
  {
    apiGroups: [''],
    resources: ['ResourceAll'],
    verbs: ['VerbAll'],
  },
],
From the pod's log:
services is forbidden: User "system:serviceaccount:k8test:default" cannot list resource "services" in API group "" in the namespace "k8test"
apiGroups. What is it?

You can find all API groups here.
As documented here:
API groups make it easier to extend the Kubernetes API. The API group is specified in a REST path and in the apiVersion field of a serialized object.
Pod comes under the core API group and version v1.
In your RBAC, '' indicates the core API group.
Create the Role as below, which gives permission to all API groups, all resources and all verbs:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: k8test
  name: super-duper-admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'

Bind the role to the service account as below:
apiVersion: rbac.authorization.k8s.io/v1
# This RoleBinding grants the "default" service account in the "k8test"
# namespace the permissions of the "super-duper-admin" Role.
# The Role must already exist in that namespace.
kind: RoleBinding
metadata:
  name: admin-rolebinding
  namespace: k8test
subjects:
# You can specify more than one "subject"
- kind: ServiceAccount
  name: default # "name" is case sensitive
  namespace: k8test
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role # this must be Role or ClusterRole
  name: super-duper-admin # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io

Execute the command below to verify the RBAC is properly applied:
kubectl auth can-i list services --as=system:serviceaccount:k8test:default -n k8test

More information and examples about RBAC here.
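The following is an added example, not code from the question, the answer or Kubernetes itself: a small offline model of how RBAC rule matching treats the literal string '*' as a wildcard and everything else (including 'ResourceAll' and 'VerbAll') as an exact name, plus an audit helper that flags wildcard grants. The rule sets are constructed from the manifests above; the scoped rule set is an assumed least-privilege alternative for a pod that only needs to list services.

```python
# Constructed rule sets, mirroring the manifests discussed above.
BROKEN_RULES = [  # the question's Role: 'ResourceAll'/'VerbAll' are not wildcards
    {"apiGroups": [""], "resources": ["ResourceAll"], "verbs": ["VerbAll"]},
]
WILDCARD_RULES = [  # the answer's fix: '*' matches every group, resource and verb
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]
SCOPED_RULES = [  # assumed least-privilege alternative for "list services" only
    {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]},
]


def _matches(allowed, value):
    """RBAC semantics: '*' matches anything; any other entry must match exactly."""
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb):
    """A single rule grants the request only if all three fields match.
    (resourceNames, subresources and nonResourceURLs are out of scope here.)"""
    return (
        _matches(rule.get("apiGroups", []), api_group)
        and _matches(rule.get("resources", []), resource)
        and _matches(rule.get("verbs", []), verb)
    )


def can_i(rules, verb, resource, api_group=""):
    """Like `kubectl auth can-i`: True if any rule in the Role grants the request.
    api_group defaults to "" (the core group, where services and pods live)."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def wildcard_findings(rules):
    """Audit helper: list every field that uses '*', i.e. grants far more than needed."""
    findings = []
    for i, rule in enumerate(rules):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule.get(field, []):
                findings.append(f"rule[{i}].{field} uses wildcard '*'")
    return findings


if __name__ == "__main__":
    for name, rules in [("broken", BROKEN_RULES), ("wildcard", WILDCARD_RULES), ("scoped", SCOPED_RULES)]:
        print(name, "list services:", can_i(rules, "list", "services"), wildcard_findings(rules))
```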