kubernetes cluster-admin cannot create CRD?

3/1/2022

I am attempting to create a service account that can create a CRD, but when I bind the service account to cluster-admin, Kubernetes is telling me that it doesn't have permission.

This is how I bind it:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: my-user
  namespace: my-namespace

And I've created the service account using:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-user
  namespace: my-namespace

But when I run kubectl auth can-i create CustomResourceDefinition --as=my-user --all-namespaces, it returns no.

I'm failing to see how it does not have permission to create CRDs.

-- Sam Reynolds
kubernetes
kubernetes-helm
rbac

1 Answer

3/2/2022

Turns out you cannot specify just the name of the service account in the --as flag.

Running $ kubectl auth can-i create customresourcedefinition --as=system:serviceaccount:my-namespace:my-user returns yes.

I was also trying to limit the CRD that the service account was allowed to create by using the resourceName field, but apparently you need access to get and create all CRDs in order to create a CRD, even if you have all the permissions for the CRD with a specific resourceName.

-- Sam Reynolds
Source: StackOverflow
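
The two behaviours in the answer above, as an added example that is not part of the original post and is not Kubernetes source code: a simplified Python model of RBAC matching showing why `--as=my-user` matches no subject and why a rule pinned with resourceNames cannot authorize a create. The CRD name `widgets.example.com` and all function names are assumptions made for illustration.

```python
# Simplified model of Kubernetes RBAC matching (added example, not Kubernetes source code).
from dataclasses import dataclass, field

@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)  # empty list = any name

@dataclass
class Request:
    user: str
    verb: str
    api_group: str
    resource: str
    name: str = ""  # empty on create: the POST targets the collection, not an object

def sa_username(namespace, name):
    # The username the API server assigns to a service account.
    return f"system:serviceaccount:{namespace}:{name}"

def subject_matches(subject, user):
    if subject["kind"] == "ServiceAccount":
        return user == sa_username(subject["namespace"], subject["name"])
    return subject["kind"] == "User" and user == subject["name"]

def rule_allows(rule, req):
    def has(values, wanted):
        return "*" in values or wanted in values
    if not (has(rule.verbs, req.verb) and has(rule.api_groups, req.api_group)
            and has(rule.resources, req.resource)):
        return False
    # resourceNames only matches requests that carry an object name.
    return not rule.resource_names or req.name in rule.resource_names

def can_i(subjects, rules, req):
    return (any(subject_matches(s, req.user) for s in subjects)
            and any(rule_allows(r, req) for r in rules))

# Subject from the ClusterRoleBinding in the question.
SUBJECTS = [{"kind": "ServiceAccount", "name": "my-user", "namespace": "my-namespace"}]
CLUSTER_ADMIN = [Rule(["*"], ["*"], ["*"])]
# Constructed rule: every verb, but pinned to one hypothetical CRD name.
PINNED = [Rule(["apiextensions.k8s.io"], ["customresourcedefinitions"], ["*"],
               ["widgets.example.com"])]

def crd_request(user, verb, name=""):
    return Request(user, verb, "apiextensions.k8s.io", "customresourcedefinitions", name)
```

When auditing bindings, the practical consequence is that create on a cluster-scoped resource such as CRDs has to be granted without resourceNames, so the grant covers every CRD name.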