Reputation: 1
We have a Spring Boot application with embedded Hazelcast deployed on a Kubernetes platform. We are using the Kubernetes API strategy for auto discovery of the pods. My understanding is that we need to run RBAC.yaml, which basically grants the roles to the service account for Kubernetes API auto discovery. My problem is that RBAC.yaml creates a ClusterRole and ClusterRoleBinding. As a tenant in the Kubernetes cluster I do not have cluster-level access. Can I manage the same at namespace level by creating a Role and RoleBinding? In other words, can auto discovery work with a Role and RoleBinding instead of a ClusterRole and ClusterRoleBinding? Please confirm. Note that all my application pods are bound to a namespace.
Regards S
We are testing with Role and RoleBinding; will publish the results here.
Upvotes: 0
Views: 1016
Reputation: 121
Yes, you can use Role and RoleBinding instead of ClusterRole and ClusterRoleBinding. It worked for me fine.
UPDATE 2023-04-13: Example ("tpm" is the name of the application):
Dedicated ServiceAccount (recommended):
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tpm
  namespace: default
```
RBAC:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tpm-hazelcast
  namespace: default
rules:
  - apiGroups:
      - ""
    resources:
      - endpoints
      - pods
      # nodes are cluster-scoped, so a namespaced Role cannot actually grant
      # access to them; the entry is harmless, but only a ClusterRole can allow
      # node lookups (Hazelcast needs those only for node/zone-aware partition groups)
      - nodes
      - services
    verbs:
      - get
      - list
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tpm-hazelcast
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tpm-hazelcast
subjects:
  - kind: ServiceAccount
    name: tpm
    namespace: default
```
Upvotes: 0
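A way to confirm the namespaced Role actually covers what Hazelcast Kubernetes API discovery needs, added here as an example and not part of the answer above: it asks the API server with `kubectl auth can-i` while impersonating the ServiceAccount, and separately shows that node access (cluster-scoped) stays denied with a Role only. It assumes kubectl is configured against the cluster and that your own credentials are allowed to impersonate; the namespace `default` and ServiceAccount `tpm` mirror the manifests above.

```shell
#!/bin/sh
# Added example: verify namespaced RBAC for Hazelcast Kubernetes API discovery.
# Assumes kubectl is configured and the caller may impersonate ServiceAccounts.

# verb:resource pairs Hazelcast discovery uses. endpoints, pods and services are
# in the core API group; endpointslices live in discovery.k8s.io.
REQUIRED_ACCESS="get:endpoints list:endpoints get:pods list:pods"
REQUIRED_ACCESS="$REQUIRED_ACCESS get:services list:services"
REQUIRED_ACCESS="$REQUIRED_ACCESS get:endpointslices.discovery.k8s.io list:endpointslices.discovery.k8s.io"

# check_discovery_rbac NAMESPACE SERVICEACCOUNT
# Exit status 0 when every pair is allowed, 1 otherwise; each missing
# permission is written to stderr so the Role can be corrected.
check_discovery_rbac() {
  ns="$1"
  sa="$2"
  rc=0
  for pair in $REQUIRED_ACCESS; do
    verb="${pair%%:*}"
    resource="${pair#*:}"
    # kubectl auth can-i exits 0 when allowed and non-zero when denied
    if ! kubectl auth can-i "$verb" "$resource" -n "$ns" \
         --as="system:serviceaccount:${ns}:${sa}" >/dev/null 2>&1; then
      echo "missing: $verb $resource for system:serviceaccount:${ns}:${sa}" >&2
      rc=1
    fi
  done
  return "$rc"
}

# check_node_access NAMESPACE SERVICEACCOUNT
# nodes are cluster-scoped, so with only a Role this is expected to be denied
# (exit 1); that matters only if node/zone-aware partition grouping is enabled.
check_node_access() {
  ns="$1"
  sa="$2"
  kubectl auth can-i get nodes --as="system:serviceaccount:${ns}:${sa}" >/dev/null 2>&1
}
```

Run `check_discovery_rbac default tpm` after applying the manifests; a non-zero exit lists the verbs the ServiceAccount still lacks.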