kris

Reputation: 11

Service account - access through API

I created a namespace xxx; the role for this namespace is to get pods, services, etc. I created a service account yyy and a role binding yyy to the role in namespace xxx.

When I try to check something through the API with a secret token, for example

curl -kD - -H "Authorization: Bearer $TOKEN" https://localhost:6443/api/v1/namespaces/xxx/pods

I get a "403 forbidden" error.

So I created a cluster role binding of my service account yyy to the cluster role view, and after that, of course, the user can see the pods in my namespace, but can see pods from other namespaces too.

How can I restrict service account yyy to see pods, services, etc. only from a specific namespace?

Upvotes: 0

Views: 98

Answers (1)

Jordan Liggitt

Reputation: 18161

To allow access only in a specific namespace, create a rolebinding, not a clusterrolebinding:

kubectl create rolebinding my-viewer --clusterrole=view --serviceaccount=xxx:yyy -n xxx

Upvotes: 1
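The same binding as a manifest, added here as an illustration rather than as part of the answer above. It uses the names from the question (namespace xxx, service account yyy) and the binding name my-viewer from the answer's kubectl command; the point it shows is that a namespaced RoleBinding may reference a ClusterRole, and the grant is then limited to the namespace the RoleBinding lives in.

```yaml
# Added example, not code from the original question or answer.
# Names (xxx, yyy, my-viewer) follow the thread above.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: yyy
  namespace: xxx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-viewer
  namespace: xxx          # the RoleBinding's namespace is what scopes the grant
subjects:
- kind: ServiceAccount
  name: yyy
  namespace: xxx
roleRef:
  kind: ClusterRole       # a ClusterRole can be bound by a namespaced RoleBinding;
  name: view              # the built-in view role (read-only, excludes Secrets)
  apiGroup: rbac.authorization.k8s.io
```

Apply it with `kubectl apply -f` and verify the scope without needing the token: `kubectl auth can-i get pods --as=system:serviceaccount:xxx:yyy -n xxx` should answer yes, and the same command with another namespace (for example `-n kube-system`) should answer no. RBAC grants are additive, so the ClusterRoleBinding to view that the question describes creating earlier must also be deleted, or the service account keeps cluster-wide read access regardless of this RoleBinding. Note that the built-in view ClusterRole deliberately does not include Secrets; if the account needs to read them, bind a narrower custom Role in the same namespace instead of widening the grant.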
