codeogeek

Reputation: 682

Is it possible to have more than 1 Role with 1 service account in different namespaces with Kubernetes?

Is it possible to have more than one role bind to a single service account?

Upvotes: 1

Views: 955

Answers (1)

matt_j

Reputation: 4614

It is possible to have multiple RoleBindings / ClusterRoleBindings that link Roles / ClusterRoles to a single ServiceAccount.

You should remember that permissions are additive - you can add another Role / ClusterRole to a ServiceAccount to extend its permissions.

I've created a simple example to illustrate how it works.

First I created the red and blue Namespaces and the test-sa ServiceAccount:

$ kubectl create namespace red
namespace/red created
$ kubectl create namespace blue
namespace/blue created
$ kubectl create serviceaccount test-sa
serviceaccount/test-sa created

By default, the newly created test-sa ServiceAccount doesn't have any permissions:

$ kubectl auth can-i get pod -n red --as=system:serviceaccount:default:test-sa
no
$ kubectl auth can-i get pod -n blue --as=system:serviceaccount:default:test-sa
no
$ kubectl auth can-i get pod -n default --as=system:serviceaccount:default:test-sa
no

Next I created two Roles, pod-reader-red and pod-reader-blue, that have permission to get Pods in the red and blue Namespaces respectively:

$ kubectl create role pod-reader-red --verb=get --resource=pods -n red
role.rbac.authorization.k8s.io/pod-reader-red created
$ kubectl create role pod-reader-blue --verb=get --resource=pods -n blue
role.rbac.authorization.k8s.io/pod-reader-blue created

And then, using RoleBindings, I linked these Roles to the test-sa ServiceAccount:

$ kubectl create rolebinding pod-reader-red --role=pod-reader-red --serviceaccount=default:test-sa -n red
rolebinding.rbac.authorization.k8s.io/pod-reader-red created
$ kubectl create rolebinding pod-reader-blue --role=pod-reader-blue --serviceaccount=default:test-sa -n blue
rolebinding.rbac.authorization.k8s.io/pod-reader-blue created

Finally we can check that the test-sa ServiceAccount has permission to get Pods in the red Namespace using the pod-reader-red Role and in the blue Namespace using the pod-reader-blue Role:

$ kubectl auth can-i get pod -n red --as=system:serviceaccount:default:test-sa
yes
$ kubectl auth can-i get pod -n blue --as=system:serviceaccount:default:test-sa
yes
$ kubectl auth can-i get pod -n default --as=system:serviceaccount:default:test-sa
no

Upvotes: 3
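As an added example (not part of matt_j's answer), here are the declarative manifests equivalent to the kubectl create commands above, extended with one variant the answer does not show: a single ClusterRole granted per Namespace through namespaced RoleBindings. The ClusterRole name pod-reader is assumed; the other names come from the answer.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader-red
  namespace: red
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-red
  namespace: red          # grants apply only inside this namespace
subjects:
- kind: ServiceAccount
  name: test-sa
  namespace: default      # the subject may live in a different namespace
roleRef:
  kind: Role
  name: pod-reader-red
  apiGroup: rbac.authorization.k8s.io
---
# Variant for blue: one ClusterRole (assumed name pod-reader) referenced from a
# namespaced RoleBinding; the grant is still limited to the binding's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-blue
  namespace: blue
subjects:
- kind: ServiceAccount
  name: test-sa
  namespace: default
roleRef:
  kind: ClusterRole       # a RoleBinding may reference a ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying these with kubectl apply -f, the three kubectl auth can-i checks from the answer give the same result: yes in red and blue, no in default, because no binding exists there.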
