Is there a way to create a ClusterRole using ClusterRoleBinding that can provide permissions to create ClusterRoles/ClusterRoleBindings, and also add a condition so that it is somehow limited to one namespace and cannot create resources in other namespaces?
Since ClusterRole and ClusterRoleBinding are not namespaced, I'm looking specifically for a way to provide permissions to create ClusterRole and ClusterRoleBinding and then limit other resource creation to a specific namespace.
This cannot be achieved with RoleBinding, since it can only limit to a namespace and cannot provide the permissions to create the non-namespaced resources.
From what I understand this is what you want to achieve:
If yes, then here is something you can try.
By default, your Kubernetes cluster comes with a set of default ClusterRole objects. In particular there are two default cluster roles that you will focus on:
Binding the edit cluster role to a subject, either by using RoleBinding or ClusterRoleBinding, gives the subject access to edit most common resources like pods, deployments, secrets etc.
The admin cluster role, however, contains the accesses contained by the edit cluster role as well as accesses to additional namespaced resources, in particular to two resources that would be useful to administer a namespace:
If you bind this admin cluster role using RoleBinding to a subject within a specific namespace, you effectively give that subject the capabilities to administer the namespace, including creating another RoleBinding within that namespace to give some other subjects accesses to that namespace.
To illustrate:
You --(RoleBinding to admin ClusterRole)--> NamespaceAdmin
NamespaceAdmin --(RoleBinding to some Role or ClusterRole)--> OtherSubjects
Since RoleBinding is restricted to a specific namespace, the namespace admin will have the admin accesses within that namespace only and cannot wreak havoc in other namespaces or at cluster level.
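The two-step chain sketched in the answer above, written out as manifests. This is an added example, not part of the original answer; the namespace `team-a` and the users `alice` and `bob` are assumed names, and the built-in `view` ClusterRole is used for the delegated grant.

```yaml
# Constructed example: namespace "team-a" and users "alice"/"bob" are assumptions.
# Step 1 (applied by a cluster admin): make alice the admin of team-a only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding            # namespaced binding, so the grant stops at team-a
metadata:
  name: team-a-admin
  namespace: team-a
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole          # reuses the built-in "admin" ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
---
# Step 2 (applied by alice): delegate read-only access inside team-a to bob.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-viewer
  namespace: team-a
subjects:
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole          # built-in read-only role, scoped here to team-a
  name: view
  apiGroup: rbac.authorization.k8s.io
# Checks a cluster admin can run afterwards, impersonating alice with --as:
#   kubectl auth can-i create rolebindings -n team-a --as=alice
#   kubectl auth can-i create rolebindings -n kube-system --as=alice
#   kubectl auth can-i create clusterrolebindings --as=alice
```

Assuming alice has no other bindings, only the first check is allowed: the grant covers RoleBindings inside team-a and nothing in other namespaces or at cluster scope.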