Akshay chittal
Reputation: 189
Kubernetes service account with cluster role
I have created a service account with cluster role, is it possible to deploy pods across different namespaces with this service account through APIs?
Below is the template from which the role creation and binding is done:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: api-access
rules:
-
apiGroups:
- ""
- apps
- autoscaling
- batch
- extensions
- policy
- rbac.authorization.k8s.io
resources:
- componentstatuses
- configmaps
- daemonsets
- deployments
- events
- endpoints
- horizontalpodautoscalers
- ingress
- jobs
- limitranges
- namespaces
- nodes
- pods
- persistentvolumes
- persistentvolumeclaims
- resourcequotas
- replicasets
- replicationcontrollers
- serviceaccounts
- services
verbs: ["*"]
- nonResourceURLs: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: api-access
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: api-access
subjects:
- kind: ServiceAccount
name: api-service-account
namespace: default
Upvotes: 2
Views: 2545
Answers (1)
switchboard.op
Reputation: 2288
Yes, your service account will be able to create and act on resources in any namespace because a you've granted it these permissions at the cluster scope using a ClusterRoleBinding.
Upvotes: 1
Related Questions
- How to configure kubectl to act as a service account?
- How to create a Pod that uses non default service account using kubectl run command?
- Kubernetes configuration: Specify different service account
- How to give all service accounts in namespace the same cluster role?
- kubernetes service account permissions
- How to create a service account with no permissions in Kubernetes?
- "kubernetes" service in minikube
- How to login to Kubernetes using service account?
- Kubernetes kubeconfig with service account token
- Service account not respecting its cluster role