NetNeutrality

Reputation: 23

Unable to have multiple ServiceAccount subjects in RoleBinding & ClusterRoleBinding?

I'm encountering a weird problem and not sure if I'm going crazy. I have the following rolebinding and clusterrolebinding yaml:

# Standard CLI role, some executable dashboard permissions.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: company-engineer-binding
  namespace: company-ns
subjects:
- kind: ServiceAccount
  name: testseven
  apiGroup: ""
- kind: ServiceAccount
  name: testsix
  apiGroup: ""
roleRef:
  kind: Role
  name: company-engineer
  apiGroup: ""
---
# Used to handle a few read-only permissions on the dashboard (listing)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: company-engineer-dashboard-clusterbinding
subjects:
- kind: ServiceAccount
  name: testseven
  namespace: company-ns
- kind: ServiceAccount
  name: testsix
  namespace: company-ns
roleRef:
  kind: ClusterRole
  name: company-engineer-dashboard
  apiGroup: rbac.authorization.k8s.io

Each of these has an associated role/clusterrole that is verified to work. The issue is that when applying this yaml with kubectl apply -f , it only applies the role to the first subject in the list. So in the above example, only the testseven ServiceAccount gets these roles, while the testsix account gets nothing.

[root@k8s-m01 yaml]# kubectl get rolebinding,clusterrolebinding,role,clusterrole --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="testseven")]}[{.roleRef.kind},{.roleRef.name}]{end}'

[Role,company-engineer][ClusterRole,company-engineer-dashboard]

[root@k8s-m01 yaml]# kubectl get rolebinding,clusterrolebinding,role,clusterrole --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="testsix")]}[{.roleRef.kind},{.roleRef.name}]{end}'

[No output returns]

Could someone point me in the right direction on this? As an aside, I have verified that this same issue does not occur with using Users generated from certificates - it only occurs with ServiceAccounts.

Thanks!

Upvotes: 2

Views: 4484

Answers (1)

confused genius

Reputation: 3284

  • The rolebindings & clusterrolebindings have been applied successfully.
  • It is more of a jsonpath query problem than a problem with applying rolebindings.
kubectl get -f company-engineer-binding.yaml -o yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2021-07-16T16:46:10Z"
  name: company-engineer-binding
  namespace: company-ns
  resourceVersion: "1120710"
  uid: da5e3a51-55c5-4cf5-896f-d89e87ca1553
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: company-engineer
subjects:
- kind: ServiceAccount            #index 0
  name: testseven
- kind: ServiceAccount            #index 1 
  name: testsix

# The following command works (shows output) because you are looking for a key named 'name' with value 'testseven' at index '0' under the array 'subjects', as you mentioned: ?(@.subjects[0].name=="testseven")
kubectl get rolebinding --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="testseven")]}[{.roleRef.kind},{.roleRef.name}]{end}'
[Role,company-engineer]

# The following command does not show any output because you are looking for a key named 'name' with value 'testseven' at index '0' under the array 'subjects', as you mentioned: ?(@.subjects[0].name=="testsix"), but we have 'testsix' at index '1'
kubectl get rolebinding --all-namespaces -o jsonpath='{range .items[?(@.subjects[0].name=="testsix")]}[{.roleRef.kind},{.roleRef.name}]{end}' 

# So if I change the index to 1, the command works fine and shows output.
# Also note that I had to run this command on a particular namespace, because the following command will throw a JSON error, as other namespaces might have a rolebinding with only one subject/service account, meaning no index 1.
# The error message would contain 'Error executing template: array index out of bounds:'
kubectl get rolebinding -n company-ns  -o jsonpath='{range .items[?(@.subjects[1].name=="testsix")]}[{.roleRef.kind},{.roleRef.name}]{end}'
[Role,company-engineer]

Upvotes: 1
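
Added example (not part of the question or the answer): an index-independent way to audit which bindings grant roles to a ServiceAccount, by scanning every entry in subjects instead of a fixed position. The JSON below is constructed to mirror the two bindings from the question plus a hypothetical binding with no subjects; the function name is an assumption of this example.

```python
import json

# Constructed sample shaped like `kubectl get rolebinding,clusterrolebinding -A -o json`,
# mirroring the question's two bindings plus one binding that has no subjects.
SAMPLE = json.loads("""
{"items": [
 {"kind": "RoleBinding",
  "metadata": {"name": "company-engineer-binding", "namespace": "company-ns"},
  "roleRef": {"kind": "Role", "name": "company-engineer"},
  "subjects": [{"kind": "ServiceAccount", "name": "testseven"},
               {"kind": "ServiceAccount", "name": "testsix"}]},
 {"kind": "ClusterRoleBinding",
  "metadata": {"name": "company-engineer-dashboard-clusterbinding"},
  "roleRef": {"kind": "ClusterRole", "name": "company-engineer-dashboard"},
  "subjects": [{"kind": "ServiceAccount", "name": "testseven", "namespace": "company-ns"},
               {"kind": "ServiceAccount", "name": "testsix", "namespace": "company-ns"}]},
 {"kind": "RoleBinding",
  "metadata": {"name": "empty-binding", "namespace": "other-ns"},
  "roleRef": {"kind": "Role", "name": "unused"}}
]}
""")


def bindings_for_service_account(items, sa_namespace, sa_name):
    """Return (binding kind, binding name, roleRef kind, roleRef name) for every
    binding that lists the ServiceAccount at ANY position in `subjects`."""
    found = []
    for item in items:
        binding_ns = item["metadata"].get("namespace", "")
        # `subjects` may be missing or null; treat that as an empty list
        # (this is the case that breaks a fixed subjects[1] lookup).
        for subject in item.get("subjects") or []:
            if subject.get("kind") != "ServiceAccount":
                continue
            # A RoleBinding subject without a namespace refers to a
            # ServiceAccount in the binding's own namespace.
            subject_ns = subject.get("namespace") or binding_ns
            if subject_ns == sa_namespace and subject.get("name") == sa_name:
                ref = item["roleRef"]
                found.append((item["kind"], item["metadata"]["name"],
                              ref["kind"], ref["name"]))
                break  # one hit per binding is enough
    return found


if __name__ == "__main__":
    for sa in ("testseven", "testsix"):
        print(sa, bindings_for_service_account(SAMPLE["items"], "company-ns", sa))
```

Against a live cluster, the same function can be fed the parsed output of kubectl get rolebinding,clusterrolebinding --all-namespaces -o json.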
