K
Q

How to configure a ClusterRole for namespaced resources

2/16/2022

I want to allow a ServiceAccount in namespace A to access a resource in namespace B. To achieve this I connect the ServiceAccount to a ClusterRole via a ClusterRoleBinding. The documentation says I can "use a ClusterRole to 1. define permissions on namespaced resources and be granted within individual namespace(s)"

But looking through the K8s documentation I can't find a way how to create a ClusterRole with namespaced resources. How can I achieve this?

-- Natjo
k8s-cluster-role
k8s-serviceaccount
kubernetes
roles

Similar Questions

kubernetes pod name to be used as argument
How to find url of exposed service in kubernetes dashboard?
Cannot connect to Postgres deployed to Kubernetes
the trustAnchors parameter must be non-empty when submitting spark job to k8s
Kubernetes Storage type Hostpath- files mapping issue

3 Answers

2/16/2022

I believe you need to create clusterrole not role. example:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: role-grantor
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["rolebindings"]
  verbs: ["create"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["bind"]
  # omit resourceNames to allow binding any ClusterRole
  resourceNames: ["admin","edit","view"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-grantor-binding
  namespace: user-1-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: role-grantor
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user-1

above example is from this link.

-- T.R
Source: StackOverflow
4/26/2022

I find both other answers a little confusing, hopefully this is clearer.

You did the right thing in creating a ClusterRole, but you want to bind it using a namespaced RoleBinding, not a ClusterRoleBinding.

Example using your examples. Notice how the RoleBinding is in the B namespace, giving A's ServiceAccount the permissions defined in the ClusterRole, but limited to the B namespace.

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: what-a-is-allowed-to-do-in-b
rules:
- apiGroups: [""]
  resources: ["pods", "deployments"] # etc
  verbs: ["get", "list", "create"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app
  namespace: namespace-a
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: what-a-is-allowed-to-do-in-b
  namespace: namespace-b
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: what-a-is-allowed-to-do-in-b
subjects:
- kind: ServiceAccount
  name: my-app
  namespace: namespace-a

Notes: You have to use the ClusterRole because you can't get outside your own namespace without one. By using a RoleBinding, which is namespaced, you can then limit the access to the scope of the namespace of that RoleBinding.

-- damick
Source: StackOverflow
2/16/2022

...how to create a ClusterRole with namespaced resources...

Read further down a bit:

A ClusterRole can be used to grant the same permissions as a Role. Because ClusterRoles are cluster-scoped. You can also use them to grant access to:

...

  • namespaced resources (like Pods), across all namespaces

ClusterRole won't help you to restraint access to a single namespaced object. You can however use RoleBinding to reference a ClusterRole and restraint access to the object in the namespace of the RoleBinding.

-- gohm'c
Source: StackOverflow