We’re setting up a GKE cluster with namespace-per-service (could evolve to namespace-per-team depending on the need).
This is roughly how we are enabling namespace-level access via k8s service account to bootstrap a service in the cluster:
- Create namespace, K8s service account, role, rolebinding. The role allows full access to the namespace, but nothing outside the namespace.
- Generate kube config file that encapsulates the configuration for namespace access.
- Securely distribute the kube config file to tenant operators.
However, the distribution of the service account credential (via generated kube config file) has raised some concerns:
- Sharing a single svc account per namespace across multiple developers that have access to the namespace vs. creating a svc account per tenant operator.
- Managing the distribution of the kube config file that encapsulates the cluster cert and svc account token for access appears non-ideal.
I’m curious to know how others who have approached the isolation concern using namespaces are dealing with these.
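The bootstrap procedure described in the post (namespace, service account, namespace-scoped Role and RoleBinding, then a kubeconfig that carries the cluster CA and the service account token), written out as an added example. This is not the poster's own tooling: it only renders the YAML so the objects can be reviewed before being piped into `kubectl apply -f -`, and the tenant name, service account name, server URL, CA and token values are constructed placeholders. In a real GKE setup the server and CA come from the cluster's credentials and the token from `kubectl create token <sa> -n <ns> --duration=1h`, which yields a bounded, expiring token instead of a long-lived secret.

```shell
#!/bin/sh
# Added example, not from the original post. Renders namespace-scoped RBAC and a
# matching kubeconfig as YAML; nothing here contacts a cluster. Names and the
# sample server/CA/token values are constructed placeholders.

# Namespace, ServiceAccount, a Role granting every verb on every resource
# inside the namespace only, and a RoleBinding tying the SA to that Role.
# A RoleBinding (not a ClusterRoleBinding) is what keeps the grant inside
# the namespace.
render_tenant_rbac() {
  ns="$1"; sa="$2"
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${ns}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${ns}-full-access
  namespace: ${ns}
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-full-access
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  kind: Role
  name: ${ns}-full-access
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Kubeconfig with a single context pinned to the tenant namespace and
# authenticating with the service account token. The token should be a
# short-lived one from `kubectl create token`, so the file expires on its own.
render_kubeconfig() {
  ns="$1"; sa="$2"; server="$3"; ca_b64="$4"; token="$5"
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: gke-cluster
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: ${sa}
  user:
    token: ${token}
contexts:
- name: ${sa}@${ns}
  context:
    cluster: gke-cluster
    user: ${sa}
    namespace: ${ns}
current-context: ${sa}@${ns}
EOF
}

# Constructed sample inputs (placeholders, not real cluster values).
SAMPLE_SERVER="https://203.0.113.10"
SAMPLE_CA_B64="CONSTRUCTED-CA-BASE64-PLACEHOLDER"
SAMPLE_TOKEN="CONSTRUCTED-TOKEN-PLACEHOLDER"

# Render both artifacts to stdout; redirect each to a file or pipe the first
# into `kubectl apply -f -` once reviewed.
render_tenant_rbac tenant-a tenant-a-operator
render_kubeconfig tenant-a tenant-a-operator "$SAMPLE_SERVER" "$SAMPLE_CA_B64" "$SAMPLE_TOKEN"
```

Two design points worth noting for the concerns raised. First, because the RoleBinding targets a Role in the namespace rather than a ClusterRole via a ClusterRoleBinding, the grant cannot reach other namespaces, and Kubernetes' RBAC escalation check means a tenant holding this Role still cannot bind themselves more than it already grants. Second, rendering one kubeconfig per operator (one service account each, all bound to the same Role) rather than one per namespace costs nothing extra in this script and gives audit logs a per-person identity, which a shared account cannot provide; combined with a bounded token from `kubectl create token`, the distributed file stops being a long-lived credential.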