Managing access control to deploy k8s resources within a namespace in a cluster


#1

We’re setting up a GKE cluster with namespace-per-service (could evolve to namespace-per-team depending on the need).

This is roughly how we are enabling namespace-level access via k8s service account to bootstrap a service in the cluster:

  1. Create namespace, K8s service account, role, rolebinding. The role allows full access to the namespace, but nothing outside the namespace.
  2. Generate kube config file that encapsulates the configuration for namespace access.
  3. Securely distribute the kube config file to tenant operators.

However, the distribution of the service account credential (via generated kube config file) has raised some concerns:

  1. Sharing single svc account per namespace across multiple developers that have access to the namespace vs creating svc account per tenant operator.
  2. Managing the distribution of the kube config file that encapsulates the cluster cert and svc account token for access appears non-ideal.

I’m curious to know how others who have approached the isolation concern using namespaces are dealing with these.