Tim

Reputation: 2066

Limit the Kubernetes service account access to a specific namespace

I created a service account that is bound to the default cluster role "view", which lets it access all of our resources with view permission.

But I would like to add a limitation so that this service account can't access one of our namespaces.

Any idea how I can achieve this?

Br,

Tim

Upvotes: 1

Views: 2655

Answers (2)

Rico

Reputation: 61521

In addition to the other answer, when you use a Role, you need to specify the namespace on your RoleBinding. For example:

$ kubectl create rolebinding my-binding --role=myrole --user=myuser --namespace=mynamespace

Upvotes: 1

Lukas Eichler

Reputation: 5903

Kubernetes has only two permission scopes: Cluster (ClusterRole) or Namespace (Role), and there is no way to limit or exclude a ClusterRole to specific namespaces. If you want to restrict your ServiceAccount to specific namespaces, you cannot use a ClusterRole but must use a Role in every namespace the ServiceAccount should have access to.

Upvotes: 3
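
One way to apply the per-namespace approach from the answers above, as an added example that is not part of the original posts: the function emits one namespaced RoleBinding per allowed namespace and skips the excluded one. It references the built-in `view` ClusterRole from each RoleBinding (kubectl's `--clusterrole` flag), which grants those rules only inside the binding's namespace; the ServiceAccount `monitoring:viewer`, the excluded namespace `secret-ns`, the binding name `view-only` and the namespace list are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: print the kubectl commands that give one ServiceAccount
# read-only access in every namespace except an excluded one.
# All names used here (monitoring, viewer, secret-ns, view-only) are hypothetical.

# plan_view_bindings SA_NAMESPACE SA_NAME EXCLUDED_NAMESPACE
# Reads namespace names on stdin, one per line, in the "namespace/<name>"
# form printed by `kubectl get namespaces -o name` (bare names also work).
plan_view_bindings() {
    sa_ns=$1
    sa_name=$2
    excluded=$3
    while IFS= read -r line; do
        ns=${line#namespace/}
        if [ -z "$ns" ]; then continue; fi
        # RBAC has no deny rules: excluding a namespace means creating no binding in it.
        if [ "$ns" = "$excluded" ]; then continue; fi
        printf 'kubectl create rolebinding view-only --clusterrole=view --serviceaccount=%s:%s --namespace=%s\n' \
            "$sa_ns" "$sa_name" "$ns"
    done
    # Final line is a check to run afterwards; the expected answer is "no".
    printf 'kubectl auth can-i list pods --as=system:serviceaccount:%s:%s --namespace=%s\n' \
        "$sa_ns" "$sa_name" "$excluded"
}

# Constructed sample input standing in for `kubectl get namespaces -o name`.
SAMPLE_NAMESPACES='namespace/default
namespace/kube-system
namespace/secret-ns
namespace/team-a'

# Build the plan for the constructed sample; review the output before running it.
demo_plan() {
    printf '%s\n' "$SAMPLE_NAMESPACES" |
        plan_view_bindings monitoring viewer secret-ns
}

demo_plan
```

Because RBAC permissions are additive, the excluded namespace stays readable until the ClusterRoleBinding that grants `view` cluster-wide is deleted. Namespaces created later get no access until a binding is added for them.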
