Pod creation - permission

Hey all, I am trying to understand the permission model in K8s - can you please follow my steps and help me understand?


Step 1: User “alpha” created cluster C1

Step 2: alpha creates a rolebinding for user U1 with the role for resource type “Namespace” with the following permissions: “[create delete get list patch update watch]”.

Q1: This is required for U1 to create a namespace, without this, U1 cannot create a namespace - correct?

Q2: I assume those were all the verbs for the Namespace resource – are there more?

Step 3: U1 creates Namespace N1

Q3: At this point, my assumption is U1 can “use” N1 – for example, can U1 create a deployment in N1? Or do we need additional rolebindings? My assumption is - no need for additional rolebindings in order for U1 to “use” N1 - correct?

Q4: If the answer to Q3 is yes (i.e. no other rolebindings), is there any user Ux that can also use N1 without additional rolebindings? If so, what is the minimum permission user Ux needs in a) cluster C1 b) Namespace N1?

Step 4: create a role/role-binding for U2 to “create” pods in N1

Q5: What role/rolebinding does U2 need in a) cluster C1 b) Namespace N1 to be able to deploy a pod in N1?

Thanks all!

Sorry, I don't have access to a cluster to play with… hence asking
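
The RBAC objects that steps 2 and 4 describe, written out as manifests. This is an added example, not part of the original post; the object names are hypothetical, and the namespace is written `n1` because Kubernetes namespace names must be lowercase.

```yaml
# Step 2: Namespace is a cluster-scoped resource, so the grant is a
# ClusterRole bound with a ClusterRoleBinding, not a namespaced Role/RoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-manager          # hypothetical name
rules:
- apiGroups: [""]                  # "" is the core API group
  resources: ["namespaces"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: u1-namespace-manager       # hypothetical name
subjects:
- kind: User
  name: U1                         # user names are case-sensitive strings
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: namespace-manager
  apiGroup: rbac.authorization.k8s.io
---
# Step 4: Pods are namespaced, so a Role and RoleBinding inside n1 are enough.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: n1
  name: pod-creator                # hypothetical name
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create"]                # create only: no get, list or delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: n1
  name: u2-pod-creator             # hypothetical name
subjects:
- kind: User
  name: U2
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-creator
  apiGroup: rbac.authorization.k8s.io
```

RBAC rules are purely additive, so these objects grant only the verbs and resources they list. A cluster admin can check the effective result for each user with `kubectl auth can-i create deployments --namespace n1 --as U1` and `kubectl auth can-i create pods --namespace n1 --as U2`.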