Asking for help? Comment out what you need so we can get more information to help you!
Cluster information:
Kubernetes version:
v1.21.12
Installation method:
Host OS: CentOS 7.9.2009
CNI and version: weave-kube:2.8.1
CRI and version: v1.21.0
Hi,
I use a ClusterRole and ClusterRoleBinding to limit someone's access to Kubernetes, with YAML like this:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role-bin-developer
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "watch", "list", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["namespaces"]
    # nonResourceURLs: ["bin-app-*"]
    verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-role-bind-bin-developer
subjects:
  - kind: User
    name: bin-developer
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-role-bin-developer
  apiGroup: rbac.authorization.k8s.io
The user can access resources in all namespaces, but I want to limit access to some of the namespaces. I have tried
  - apiGroups: [""]
    resources: ["namespaces"]
    resourceNames: ["app"]
    verbs: ["list"]
but it does not work. How can I do this limit?
Hi,
Thanks for the reply.
With -n some-namespace, I can control permissions at the level of multiple namespaces, like:
[Role in namespace1]
[Role in namespace2] + [user/serviceaccount] = limit kubectl to namespace1 and namespace2, not namespace3
But when I use this in Lens, it does not work, because Lens requires the list namespaces permission, and with the list namespaces permission the user can see all namespaces.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo-name
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: name01
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
  - kind: ServiceAccount
    name: demo-name
    namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: name02
  namespace: rook-ceph
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - kind: ServiceAccount
    name: demo-name
    namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: name03-admin
  namespace: hc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: demo-name
    namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: demo-cr
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: demo-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: demo-cr
subjects:
  - kind: ServiceAccount
    name: demo-name
    namespace: default
- you can list all namespaces' names
- in namespace default, you have admin privileges; you can edit, delete, create, …
- in namespace rook-ceph, you have read-only access
- in namespace hc, you have more authority than admin
- in other namespaces, you can't get any information
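The two behaviours this thread runs into (a `resourceNames` entry on a `list` rule that "does not work", and per-namespace RoleBindings plus one cluster-wide "list namespaces" rule giving the split described above) both follow from how the RBAC authorizer matches a request against bound rules. The following is an added example, not code from the thread or from Kubernetes: a small Python model of that matching logic, loaded with the rules and bindings from the posts above. It assumes simplified stand-ins for the built-in `admin` and `view` ClusterRoles (a few resources each), a `ns-app-only` role that holds the questioner's attempted `resourceNames: ["app"]` rule, a `"Kind:namespace:name"` string for subjects, and no role aggregation, nonResourceURLs or group subjects.

```python
"""Minimal model of Kubernetes RBAC rule matching (added example, not cluster code).

Mirrors the core rules: a ClusterRoleBinding applies everywhere, a RoleBinding
only to requests inside its own namespace, and a rule with resourceNames only
matches a request that carries a single object name. A plain `list` of a whole
collection has no name, so `resourceNames` can never admit it; only a list with
`--field-selector metadata.name=<name>` does.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)


@dataclass
class Binding:
    subject: str                # e.g. "User:bin-developer" (constructed naming)
    role: str                   # key into ROLES
    namespace: Optional[str]    # None = ClusterRoleBinding, else RoleBinding namespace


@dataclass
class Request:
    subject: str
    verb: str
    resource: str
    api_group: str = ""
    namespace: Optional[str] = None   # None for cluster-scoped resources
    name: str = ""                    # object name; empty for a whole-collection list


def _match(wanted: str, allowed: List[str]) -> bool:
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Rule, req: Request) -> bool:
    if not (_match(req.verb, rule.verbs) and _match(req.api_group, rule.api_groups)
            and _match(req.resource, rule.resources)):
        return False
    # resourceNames narrows the rule to named objects; an unnamed request never matches.
    if rule.resource_names:
        return req.name != "" and req.name in rule.resource_names
    return True


def authorize(req: Request, roles: Dict[str, List[Rule]], bindings: List[Binding]) -> bool:
    for b in bindings:
        if b.subject != req.subject:
            continue
        # A RoleBinding grants nothing outside its namespace and nothing cluster-scoped.
        if b.namespace is not None and b.namespace != req.namespace:
            continue
        if any(rule_allows(r, req) for r in roles[b.role]):
            return True
    return False


ROLES: Dict[str, List[Rule]] = {
    # ClusterRole from the original question
    "cluster-role-bin-developer": [
        Rule([""], ["pods", "pods/log"], ["get", "watch", "list", "delete"]),
        Rule(["apps"], ["deployments"], ["get", "list"]),
        Rule([""], ["namespaces"], ["list"]),
    ],
    # The questioner's attempted restriction, as its own role for the test
    "ns-app-only": [Rule([""], ["namespaces"], ["list"], ["app"])],
    # ClusterRole from the reply
    "demo-cr": [Rule([""], ["namespaces"], ["list"])],
    # Assumed stand-ins for the built-in roles (reduced resource lists)
    "view": [Rule(["", "apps"], ["pods", "pods/log", "deployments"], ["get", "list", "watch"])],
    "admin": [Rule(["", "apps"], ["pods", "pods/log", "deployments"], ["*"])],
    "cluster-admin": [Rule(["*"], ["*"], ["*"])],
}

SA = "ServiceAccount:default:demo-name"
BINDINGS: List[Binding] = [
    Binding("User:bin-developer", "ns-app-only", None),   # ClusterRoleBinding
    Binding(SA, "admin", "default"),                      # RoleBinding name01
    Binding(SA, "view", "rook-ceph"),                     # RoleBinding name02
    Binding(SA, "cluster-admin", "hc"),                   # RoleBinding name03-admin
    Binding(SA, "demo-cr", None),                         # ClusterRoleBinding demo-crb
]


def check(subject: str, verb: str, resource: str, api_group: str = "",
          namespace: Optional[str] = None, name: str = "") -> bool:
    """Evaluate one request against the rules and bindings above."""
    return authorize(Request(subject, verb, resource, api_group, namespace, name), ROLES, BINDINGS)


if __name__ == "__main__":
    print("plain `kubectl get ns` as bin-developer:", check("User:bin-developer", "list", "namespaces"))
    print("same with metadata.name=app selector:  ", check("User:bin-developer", "list", "namespaces", name="app"))
    print("demo-name delete pods in rook-ceph:     ", check(SA, "delete", "pods", namespace="rook-ceph"))
    print("demo-name get pods in kube-system:      ", check(SA, "get", "pods", namespace="kube-system"))
```

On a real cluster the equivalent checks are `kubectl auth can-i list namespaces --as=bin-developer` and `kubectl auth can-i get pods -n kube-system --as=system:serviceaccount:default:demo-name`. The model makes the practical point explicit: a `resourceNames` entry on `list namespaces` is honoured only for a request of the shape `kubectl get ns --field-selector metadata.name=app`, so any client that lists the whole namespace collection is denied rather than shown a filtered subset, and "list some namespaces" is not expressible in RBAC alone.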