Gaurav Agnihotri

Reputation: 173

How to create one user that has access to all the namespaces except one in Kubernetes

How do I create one user called kubernetes-dashboard that can access all my namespaces (ns1, ns2, ns3, ns5) except ns4?

Upvotes: 3

Views: 429

Answers (1)

confused genius

Reputation: 3244

  • I have created sample namespaces ns1, ns2, ns3 & ns4. I want my new user to have access to ns1, ns2, ns3 but not to ns4.

```
kubectl get ns
NAME              STATUS   AGE
calico-system     Active   21h
default           Active   21h
kube-node-lease   Active   21h
kube-public       Active   21h
kube-system       Active   21h
ns1               Active   36m
ns2               Active   36m
ns3               Active   36m
ns4               Active   36m
tigera-operator   Active   21h
```

  1. Create a sample service account named "kubernetes-dashboard" in the default namespace:

```
[root@project1kubemaster ~]# kubectl create serviceaccount kubernetes-dashboard
serviceaccount/kubernetes-dashboard created
```

  2. Create a ClusterRole named "kubernetes-dashboard-role":

```
[root@project1kubemaster ~]# kubectl create clusterrole kubernetes-dashboard-role --verb='*' --resource='*'
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard-role created
```

  3. Create a separate RoleBinding in each namespace of interest (ns1, ns2, ns3) but not in ns4:

```
[root@project1kubemaster ~]# kubectl create rolebinding kubernetes-dashboard-rolebinding-ns1 --clusterrole=kubernetes-dashboard-role --namespace=ns1 --serviceaccount=default:kubernetes-dashboard
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-rolebinding-ns1 created

[root@project1kubemaster ~]# kubectl create rolebinding kubernetes-dashboard-rolebinding-ns2 --clusterrole=kubernetes-dashboard-role --namespace=ns2 --serviceaccount=default:kubernetes-dashboard
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-rolebinding-ns2 created

[root@project1kubemaster ~]# kubectl create rolebinding kubernetes-dashboard-rolebinding-ns3 --clusterrole=kubernetes-dashboard-role --namespace=ns3 --serviceaccount=default:kubernetes-dashboard
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-rolebinding-ns3 created
```

  4. Testing:

```
[root@project1kubemaster ~]# kubectl auth can-i get pods -n ns1 --as system:serviceaccount:default:kubernetes-dashboard
yes
[root@project1kubemaster ~]# kubectl auth can-i get pods -n ns2 --as system:serviceaccount:default:kubernetes-dashboard
yes
[root@project1kubemaster ~]# kubectl auth can-i get pods -n ns3 --as system:serviceaccount:default:kubernetes-dashboard
yes
[root@project1kubemaster ~]# kubectl auth can-i get pods -n ns4 --as system:serviceaccount:default:kubernetes-dashboard
no
```

Upvotes: 3
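
Kubernetes RBAC is additive and has no deny rules, so "every namespace except ns4" has to be expressed as an allow-list: one RoleBinding per permitted namespace, including ns5 from the question and any namespace created later. The following is an added example, not part of the original answer, that generates those manifests from a namespace list; the helper name `gen_rolebindings` and the sample namespace list are assumptions, while the service account and ClusterRole names are the ones used in the answer.

```shell
#!/bin/sh
# Added example (not from the original answer): emit one RoleBinding manifest
# per namespace, skipping the excluded ones. A namespace without a binding is
# simply not reachable by the service account.

# Names taken from the answer above.
SA_NAME="kubernetes-dashboard"
SA_NAMESPACE="default"
CLUSTER_ROLE="kubernetes-dashboard-role"

# gen_rolebindings EXCLUDE_CSV NS...
# Hypothetical helper: prints YAML for every NS not listed in EXCLUDE_CSV.
gen_rolebindings() {
  _exclude=",$1,"
  shift
  for _ns in "$@"; do
    case "$_exclude" in
      *",$_ns,"*) continue ;;   # excluded namespace: emit no binding
    esac
    cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${SA_NAME}-rolebinding-${_ns}
  namespace: ${_ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${CLUSTER_ROLE}
subjects:
- kind: ServiceAccount
  name: ${SA_NAME}
  namespace: ${SA_NAMESPACE}
EOF
  done
}

# Constructed sample input. On a live cluster, build the list with
#   kubectl get ns -o jsonpath='{.items[*].metadata.name}'
# and pipe the output to `kubectl apply -f -`. That list also contains
# kube-system and other system namespaces; add them to EXCLUDE_CSV unless
# the account is meant to reach them.
gen_rolebindings "ns4" ns1 ns2 ns3 ns4 ns5
```

Re-run the generator whenever a namespace is added, then confirm the result with the same `kubectl auth can-i` checks shown in the answer.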
