When a deployment is associated with a ServiceAccount bound to the cluster-admin ClusterRole, can this deployment access a Pod under a Deployment in a different namespace that contains an active NetworkPolicy preventing incoming network access from outside that namespace?

Currently, I can reach the Pod in question through its PodIP and FQDN from its own namespace; however, I fail to achieve the same with the deployment that has the cluster-admin ClusterRole associated with it.

This deployment is able to, e.g., change any container's image tag in the cluster, but it can access a Pod neither through its PodIP nor through its FQDN.

Do I need to make an exception in the NetworkPolicy for the access to be allowed? (Not preferred)

Or can I modify the cluster-admin associated deployment to bypass the NetworkPolicy? (Preferred)
> When a deployment is associated with a ServiceAccount bound to the cluster-admin ClusterRole, can this deployment access a Pod under a Deployment in a different namespace that contains an active NetworkPolicy preventing incoming network access from outside that namespace?

RBAC governs access to API resources (control plane), but not the pods themselves (data plane).

> Currently, I can reach the Pod in question through its PodIP and FQDN from its own namespace; however, I fail to achieve the same with the deployment that has the cluster-admin ClusterRole associated with it.
>
> This deployment is able to, e.g., change any container's image tag in the cluster, but it can access a Pod neither through its PodIP nor through its FQDN.
>
> Do I need to make an exception in the NetworkPolicy for the access to be allowed? (Not preferred)

Yes, e.g. allow from namespaces labelled as "admin" or similar.

> Or can I modify the cluster-admin associated deployment to bypass the NetworkPolicy? (Preferred)
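The NetworkPolicy exception the answer describes, as an added example that is not part of the original question or answer. The namespace names `app` and `admin-tools` and the label `network-policy/role: admin` are assumptions; the first ingress rule keeps the existing same-namespace behaviour and the second adds the admin exception.

```yaml
# Added example, not from the original post. Namespace "app" (assumed name)
# restricts ingress to its own pods; the second rule admits traffic from any
# namespace carrying the assumed label network-policy/role=admin.
---
apiVersion: v1
kind: Namespace
metadata:
  name: admin-tools              # assumed: namespace of the cluster-admin deployment
  labels:
    network-policy/role: admin   # assumed label; the selector below matches on it
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-and-admin
  namespace: app                 # assumed: namespace of the protected Pod
spec:
  podSelector: {}                # applies to every pod in "app"
  policyTypes:
    - Ingress
  ingress:
    # Existing behaviour: pods in the same namespace may connect.
    - from:
        - podSelector: {}
    # Exception: pods in namespaces labelled as admin may connect.
    # (Two separate "from" entries are ORed; a single entry combining
    # namespaceSelector and podSelector would be ANDed.)
    - from:
        - namespaceSelector:
            matchLabels:
              network-policy/role: admin
```

Since Kubernetes 1.21 every namespace also carries the automatic `kubernetes.io/metadata.name` label, so a single namespace can be selected by name in `namespaceSelector` without adding a custom label.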