grahamoptibrium
Reputation: 13
How do I restrict ClusterRole PolicyRule to a Namespace?
I have a service account with a Policy Rule that works perfectly in mynamespace. But it also works perfectly in other namespaces, which I want to prevent.
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: myapp
namespace: mynamespace
rules:
- apiGroups: ["extensions"]
resources: ["deployments"]
verbs: ["get", "patch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: myapp
namespace: mynamespace
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: myapp
namespace: mynamespace
subjects:
- kind: ServiceAccount
name: myapp
namespace: mynamespace
roleRef:
kind: ClusterRole
name: myapp
apiGroup: rbac.authorization.k8s.io
Upvotes: 1
Views: 129
Answers (1)
Related Questions
- How to include or exclude specific namespaces in cluster role kubernetes
- How to configure a ClusterRole for namespaced resources
- RBAC ClusterRole with permissons limited to namespace and also to create clusterrole
- Isolate pods in a namepace from other namespaces using network policy
- How to restrict access for namespaces like "kube-system" in Kubernetes
- Network Policy - Restricting Egress From Some Namespaces But Allowing Other Namespace
- Kubernetes - ClusterRole with namespace is allowed?
- Can a Pod Security Policy be applied to a namespace?
- Restrictions on selective kubernetes namespaces for non admins
- Rolebinding with ClusterRole is not restricted to namespace when using a ServiceAccount