cogitoergosum

Reputation: 2471

Kubernetes - ClusterRole with namespace is allowed?

The documentation says,

If you want to define a role within a namespace, use a Role; if you want to define a role cluster-wide, use a ClusterRole.

So, why am I able to create a ClusterRole in a namespace for a non-namespaced resource StorageClass (or, sc in short)?

kubectl -n apps create clusterrole scrole --verb=create,update,patch,delete --resource=sc

Also, is it correct to say that a Role is applicable for namespaced resources only and a ClusterRole for non-namespaced resources only?

Upvotes: 2

Views: 2374

Answers (1)

Arghya Sadhu

Reputation: 44559

The namespace parameter is redundant and not used even if you provide it while creating a ClusterRole.

A ClusterRole can define permission to namespace-scoped resources as well, and you can use a RoleBinding to assign the permission to a user or group or service account. When you do that, it's basically providing permission to the resources within the namespace where the RoleBinding is created. This is to avoid creating duplicate Roles in every namespace to provide the same permission.

Also, when you have cluster-scoped resources in a ClusterRole, you need to use a ClusterRoleBinding to assign the permission to a user or group or service account.

Upvotes: 5
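The two binding patterns described in the answer, written out as manifests. This is an added example, not part of the original question or answer; the `pod-reader` ClusterRole, the `deployer` service account and the binding names are assumptions, while `scrole` and the `apps` namespace come from the question.

```yaml
# A ClusterRole is cluster-scoped: its metadata carries no namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader              # hypothetical name
rules:
- apiGroups: [""]
  resources: ["pods"]           # a namespaced resource
  verbs: ["get", "list", "watch"]
---
# RoleBinding that references the ClusterRole: the rules above are
# granted only inside the namespace where this binding lives ("apps").
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-apps         # hypothetical name
  namespace: apps
subjects:
- kind: ServiceAccount
  name: deployer                # hypothetical service account
  namespace: apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pod-reader
---
# StorageClass is cluster-scoped, so the "scrole" ClusterRole from the
# question has to be granted through a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scrole-binding          # hypothetical name
subjects:
- kind: ServiceAccount
  name: deployer
  namespace: apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: scrole
# Effective permissions can be compared per namespace with:
#   kubectl auth can-i list pods -n apps    --as=system:serviceaccount:apps:deployer
#   kubectl auth can-i list pods -n default --as=system:serviceaccount:apps:deployer
#   kubectl auth can-i create storageclasses --as=system:serviceaccount:apps:deployer
```

Reusing one ClusterRole through per-namespace RoleBindings keeps the grant scoped to each namespace; replacing the RoleBinding with a ClusterRoleBinding would extend the same pod access to every namespace.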
