Kubernetes version: 1.18
Cloud being used: bare-metal
Installation method:
Host OS: OS centos
We have a use case where we want to assign a specific pod within a namespace to one PSP and all the other pods within the same namespace to a different PSP. May I know the way we can create role bindings for the restricted service account?
For example, in namespace abc we have 10 pods deployed, and one of them has root access. So we have created 2 PSPs: one restricts the deployment of pods which have root access, and the other deploys pods which don't have root access. We are deploying all 10 pods within the same namespace, but 1 pod has root access and the other 9 don't.
In the above scenario, instead of defining 2 role binding files, is there a way I can restrict a service account within this namespace inside the subjects section?
You can format your yaml by highlighting it and pressing Ctrl-Shift-C, it will make your output easier to read.
I’m giving an example here. Scenario: restrict specific resources in a specific namespace; let’s say I want to allow only daemonsets in the qa namespace.

```bash
kubectl create ns qa
kubectl create sa test-user -n qa
```
create clusterrole and rolebinding,
```yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-namespace-role   # ClusterRole is cluster-scoped, so it takes no namespace
rules:
- apiGroups: ["*"]
  resources: ["daemonsets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-namespace-only
  namespace: qa
subjects:
- kind: ServiceAccount
  name: test-user
  namespace: qa
roleRef:
  kind: ClusterRole
  name: test-namespace-role
  apiGroup: rbac.authorization.k8s.io
```
Deploy it:

```bash
kubectl apply -f <config> -n qa
```

Generate a token:

```bash
TOKEN=$(kubectl describe secrets "$(kubectl describe sa test-user -n qa | grep -i Tokens | awk '{print $2}')" -n qa | grep token: | awk '{print $2}')
echo $TOKEN
```

That’s it! Now let’s verify using kubeconfig:

```bash
kubectl config set-context test-user --cluster=docker-desktop --user=test-user
kubectl config set-credentials test-user --token=$TOKEN
kubectl config use-context test-user
```

Test using kubectl:

```bash
kubectl get pods
kubectl get pods -n test
kubectl get cm -n test
```
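The scenario in the question (one root pod and nine non-root pods in namespace abc, two PSPs already created) can be handled with the same ClusterRole plus RoleBinding pattern as the answer above, granting the `use` verb on each PSP. This is an added example, not from the thread; it assumes the two existing PSPs are named restricted-psp and root-allowed-psp, and that the root pod runs under a dedicated service account root-app-sa.

```yaml
---
# One ClusterRole per PSP, each granting "use" on exactly one policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: psp-restricted-user}
rules:
- apiGroups: [policy]
  resources: [podsecuritypolicies]
  resourceNames: [restricted-psp]        # assumed name of the non-root PSP
  verbs: [use]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: psp-root-allowed-user}
rules:
- apiGroups: [policy]
  resources: [podsecuritypolicies]
  resourceNames: [root-allowed-psp]      # assumed name of the PSP permitting root
  verbs: [use]
---
# Default for the whole namespace: bind the restricted policy to the group that
# contains every service account in "abc", so the 9 non-root pods need no
# per-account binding and any new service account is restricted automatically.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: psp-restricted-all-sa, namespace: abc}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: psp-restricted-user}
subjects:
- {kind: Group, apiGroup: rbac.authorization.k8s.io, name: "system:serviceaccounts:abc"}
---
# Exception: only the root pod's service account (assumed name root-app-sa) may
# also use the root-allowed policy. The admission controller tries the policies
# a pod's service account is authorized for, so a root pod under this account is
# rejected by restricted-psp and admitted by root-allowed-psp; every other
# account in "abc" is authorized for restricted-psp only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: psp-root-allowed-one-sa, namespace: abc}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: psp-root-allowed-user}
subjects:
- {kind: ServiceAccount, name: root-app-sa, namespace: abc}
```

Check the result with `kubectl auth can-i use podsecuritypolicy/root-allowed-psp --as=system:serviceaccount:abc:default -n abc`, which should answer "no" for every account except root-app-sa. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so on newer clusters the same split is done with Pod Security Admission or an external admission controller.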