I am trying to understand the permission model in K8s - can you help me with the following example?
Step 1: user "alpha" creates cluster C1
Step 2: alpha creates a rolebinding for user U1 with the role for resource type "Namespace" with the following permissions: "[create delete get list patch update watch]".
Q1: I want to check that the step above is required for U1 to create a namespace, i.e. U1 cannot create a namespace without an explicit rolebinding, correct?
Q2: I assume those were all the verbs for the Namespace resource; are there more?
Step 3: U1 creates Namespace N1
Q3: At this point, I assume that U1 can "use" N1, for example to create a pod/deployment in N1, and that we don't need additional rolebindings?
Q4: If the answer to Q3 is yes (i.e. no other rolebindings), is there any user Ux that can also use N1? If so, what minimum permission does Ux need in a) cluster C1 b) Namespace N1?
Step 4: create a role/role-binding for U2 to "create" pods in N1
Q5: Confirming that without this rolebinding, U2 cannot deploy a pod/ns, correct? What role/rolebinding does U2 need in a) cluster C1 b) Namespace N1 to be able to deploy a pod?