Managing access control to deploy k8s resources within a namespace in a cluster

amol · November 30, 2018, 8:05pm

We’re setting up a GKE cluster with namespace-per-service (could evolve to namespace-per-team depending on the need).

This is roughly how we are enabling namespace-level access via k8s service account to bootstrap a service in the cluster:

Create namespace, K8s service account, role, rolebinding. The role allows full access to the namespace, but nothing outside the namespace.
Generate kube config file that encapsulates the configuration for namespace access.
Securely distribute the kube config file to tenant operators.

However, the distribution of the service account credential (via generated kube config file) has raised some concerns:

Sharing single svc account per namespace across multiple developers that have access to the namespace vs creating svc account per tenant operator.
Managing the distribution of the kube config file that encapsulates the cluster cert and svc account token for access appears non-ideal.

I’m curious to know how others who have approached the isolation concern using namespaces are dealing with these.

Topic		Replies	Views
K8s RBAC serviceaccount with extended permissions General Discussions	3	852	December 26, 2019
Protection to namespace in cluster General Discussions	7	1671	August 13, 2021
Restrict specific service account in a namespace General Discussions	1	1713	February 24, 2021
Service account has access to everything despite rolebinding General Discussions	0	1260	August 11, 2020
Pod creation - permission General Discussions	0	509	February 7, 2020