Service Account created in Kubernetes is able to access all resources in other namespaces?

8/2/2021

I am new to Kubernetes, so please forgive me if I raise some stupid dumb questions.

So I've created one new namespace (say test1) using the command below.

kubectl create ns test1

Then I created one service account in that namespace, using the command below.

kubectl create serviceaccount test1-sa

I have one image named person-app of a Spring Boot service which uses the Fabric Client API to get the list of pods deployed in the test namespace.

The image builds properly, and now I have applied the following Deployment file in two different namespaces, one in the default namespace and the other in the test1 namespace.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: k8-sample-dep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: person-app
  template:
    metadata:
      labels:
        app: person-app
    spec:
      containers:
        - name: person-app
          image: person-app:latest
          imagePullPolicy: Never
          ports:
            - containerPort: 8200

using the following command:

kubectl apply -f k8-deployment.yaml -n test
kubectl apply -f k8-deployment.yaml

Now the problem arises. As per my understanding, the default namespace has a default ServiceAccount which is injected into the pods created in the default namespace (if no ServiceAccount is specified in the YAML file). That pod should only be able to access resources in that namespace, and cannot query pod information in another namespace.

But when I hit the endpoint of the pod in the default namespace, the code is able to list the pods deployed in the "test1" namespace. This is the part I am not able to understand: how is this happening?

Things I tried while looking into the problem:

  • Created a Role and RoleBinding for the default service account which grants no permission to that service account, i.e. verbs: ""
  • Tried looking over the net for how to create a ServiceAccount with no permissions initially (still looking).

Please help.

-- Jstorm
kubernetes
kubernetes-pod
rbac
spring-boot

0 Answers
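The checks below are an added example and are not part of the question or of the person-app project. Kubernetes RBAC is purely additive: a Role with empty verbs grants nothing, but it cannot take away what another binding (typically a ClusterRoleBinding that includes the default ServiceAccount or the system:serviceaccounts group) already grants. So the useful steps are to ask the API server directly what a given service account may do, to look for broad cluster-wide bindings, and to give the app its own namespace-scoped ServiceAccount bound only to a Role. The script assumes kubectl and jq are on PATH and point at the cluster; the namespace test1 and the app name person-app come from the question, while person-app-sa, pod-reader and pod-reader-binding are constructed names.

```shell
#!/bin/sh
# Added example (not from the original question). Assumes kubectl and jq on PATH.
set -eu

NS="test1"
SA="person-app-sa"   # constructed name for a dedicated, least-privilege ServiceAccount

# Emit a ServiceAccount, a namespace-scoped Role that may only get/list pods,
# and a RoleBinding tying the two together. A Role (unlike a ClusterRole)
# cannot grant anything outside its own namespace.
rbac_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA}
  namespace: ${NS}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: ${NS}
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: ${NS}
subjects:
  - kind: ServiceAccount
    name: ${SA}
    namespace: ${NS}
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Ask the API server whether a service account may perform a verb on a resource
# in a target namespace, without deploying anything. Prints "yes" or "no";
# kubectl exits non-zero for "no".
can_sa() {
  # $1 = SA namespace, $2 = SA name, $3 = verb, $4 = resource, $5 = target namespace
  kubectl auth can-i "$3" "$4" -n "$5" --as="system:serviceaccount:$1:$2"
}

# List ClusterRoleBindings whose subjects include a ServiceAccount named "default"
# or any group under system:serviceaccounts. These are the bindings that make a
# pod in one namespace see resources in every namespace.
find_broad_bindings() {
  kubectl get clusterrolebindings -o json \
    | jq -r '.items[]
             | select(any(.subjects[]?;
                 (.kind == "ServiceAccount" and .name == "default")
                 or (.kind == "Group" and (.name | startswith("system:serviceaccounts")))))
             | .metadata.name'
}

main() {
  rbac_manifest | kubectl apply -f -
  # Expected: the dedicated SA may list pods in test1 but not in default.
  can_sa "$NS" "$SA" list pods "$NS"
  can_sa "$NS" "$SA" list pods default || true
  # The symptom from the question: can the default SA in "default" read pods in test1?
  can_sa default default list pods "$NS" || true
  find_broad_bindings
}

# Only touch the cluster when explicitly asked: ./rbac-check.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Once the manifest is applied, set serviceAccountName: person-app-sa in the Deployment's pod spec so the Spring Boot pod stops using the namespace's default ServiceAccount; whether the default account itself is over-privileged is answered by the can-i and find_broad_bindings output rather than by adding an empty Role.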