I am attempting to create a service account that can create a CRD, but when I bind the service account to cluster-admin, Kubernetes is telling me that it doesn't have permission.
This is how I bind it:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: my-user
  namespace: my-namespace
```
and I've created the service account using:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-user
  namespace: my-namespace
```
But when I run

```sh
kubectl auth can-i create CustomResourceDefinition --as=my-user --all-namespaces
```

it returns no.
I'm failing to see how it does not have permission to create CRDs.
Turns out you cannot specify just the name of the service account in the --as flag.
Running

```sh
kubectl auth can-i create customresourcedefinition --as=system:serviceaccount:my-namespace:my-user
```

returns yes.
I was also trying to limit the CRD that the service account was allowed to create by using the resourceName
field, but apparently, you need access to get, create
all CRDs in order to create a CRD even if you have all the permissions for the CRD with a specific resourceName.
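The two gotchas in this answer (the `system:serviceaccount:<namespace>:<name>` username that a binding actually matches, and `resourceNames` never applying to `create`) can be illustrated with a small model of the RBAC rule check. This is an added example and not the asker's code, nor the Kubernetes authorizer itself: it is a simplified model (no namespaced RoleBindings, no ClusterRole aggregation, no nonResourceURLs), the CRD name `widgets.example.com` is constructed, and the behaviour that a create request carries no object name at authorization time is the documented reason `resourceNames` cannot restrict `create`.

```python
"""Model of two Kubernetes RBAC behaviours from the answer above (added example,
simplified; not the real authorizer):

1. a ServiceAccount is seen by the authorizer as the username
   system:serviceaccount:<namespace>:<name>, so --as=my-user impersonates an
   ordinary user that no binding mentions;
2. a rule scoped with resourceNames never matches a `create` request, because
   the object's name is not known when the request is authorized.
"""
from dataclasses import dataclass, field


def service_account_username(namespace: str, name: str) -> str:
    """Username the API server assigns to a ServiceAccount (Kubernetes convention)."""
    return f"system:serviceaccount:{namespace}:{name}"


@dataclass
class Rule:
    """One entry of a (Cluster)Role's `rules:` list."""
    api_groups: tuple
    resources: tuple
    verbs: tuple
    resource_names: tuple = ()


@dataclass
class Binding:
    """A ClusterRoleBinding reduced to subject usernames plus the role's rules."""
    subjects: tuple                      # usernames, e.g. system:serviceaccount:ns:sa
    rules: tuple = field(default_factory=tuple)


def _matches(rule_items, value) -> bool:
    return "*" in rule_items or value in rule_items


def rule_allows(rule: Rule, verb: str, api_group: str, resource: str, name) -> bool:
    """Verb, group and resource must match; a resourceNames-scoped rule additionally
    needs a request name that is in the list (so a name-less request never matches)."""
    if not (_matches(rule.verbs, verb) and _matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource)):
        return False
    if rule.resource_names:
        return name is not None and name in rule.resource_names
    return True


def can_i(bindings, username: str, verb: str, api_group: str, resource: str, name=None) -> bool:
    """Answer the `kubectl auth can-i` question for a username against the bindings."""
    if verb == "create":
        name = None  # modelled: the authorizer has no object name on create
    return any(
        rule_allows(rule, verb, api_group, resource, name)
        for b in bindings if username in b.subjects
        for rule in b.rules
    )


# Constructed setup mirroring the post: my-user in my-namespace bound to cluster-admin.
CRD_GROUP, CRD_RESOURCE = "apiextensions.k8s.io", "customresourcedefinitions"
SA_USER = service_account_username("my-namespace", "my-user")
CLUSTER_ADMIN = Binding(subjects=(SA_USER,), rules=(Rule(("*",), ("*",), ("*",)),))

# Constructed narrow role: full verbs on one named CRD only.
NARROW = Binding(
    subjects=(SA_USER,),
    rules=(Rule((CRD_GROUP,), (CRD_RESOURCE,), ("get", "create", "update"),
                resource_names=("widgets.example.com",)),),
)


def demo() -> dict:
    """Results a practitioner would check; returned so they can be asserted on."""
    return {
        # the bare name used in the question matches no binding subject
        "cluster_admin_as_plain_name": can_i([CLUSTER_ADMIN], "my-user", "create", CRD_GROUP, CRD_RESOURCE),
        # the system:serviceaccount:... form is what the binding grants
        "cluster_admin_as_sa": can_i([CLUSTER_ADMIN], SA_USER, "create", CRD_GROUP, CRD_RESOURCE),
        # resourceNames-scoped rule: get on that name works, create never does
        "narrow_get_named": can_i([NARROW], SA_USER, "get", CRD_GROUP, CRD_RESOURCE, "widgets.example.com"),
        "narrow_get_other": can_i([NARROW], SA_USER, "get", CRD_GROUP, CRD_RESOURCE, "other.example.com"),
        "narrow_create": can_i([NARROW], SA_USER, "create", CRD_GROUP, CRD_RESOURCE),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'yes' if allowed else 'no'}")
```

The `narrow_create` result is the answer's second point: to let a service account create a CRD you must grant `create` on `customresourcedefinitions` without `resourceNames`, and then constrain what it may create by other means (for example an admission policy), not by RBAC.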