Restrict specific service account in a namespace

Kubernetes version: 1.18
Cloud being used: bare-metal
Installation method:
Host OS: CentOS

We have a use case where we want to assign a specific pod within a namespace to one PSP and all the other pods within the same namespace to a different PSP. May I know how we can create role bindings for the restricted service account?

For example, in namespace abc we have 10 pods deployed, and one of them has root access. So we have created 2 PSPs: one restricts the deployment of pods which have root access, and the other deploys pods which don't have root access. We are deploying all 10 pods within the same namespace, but 1 pod has root access and the other 9 don't.

In the above scenario, instead of defining 2 role binding files, is there a way to restrict a specific service account within this namespace inside the subjects section?
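The two-binding pattern the question describes, as an added example that is not from this thread: every service account in the namespace is granted `use` on the restricted PSP through the namespace's service-account group, and only the one service account that needs root is additionally granted `use` on the privileged PSP. The namespace `abc`, the PSP names `restricted` and `privileged`, and the service account `root-app` are assumptions.

```yaml
# Assumed names (not from the thread): namespace abc, PSPs restricted and privileged, SA root-app
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: psp-restricted
  namespace: abc
rules:
- {apiGroups: ["policy"], resources: ["podsecuritypolicies"], resourceNames: ["restricted"], verbs: ["use"]}
---
# Every service account in abc is a member of the system:serviceaccounts:abc group,
# so this single binding covers the 9 non-root pods (and any pod added later)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-all-sa
  namespace: abc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: psp-restricted
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts:abc
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: psp-privileged
  namespace: abc
rules:
- {apiGroups: ["policy"], resources: ["podsecuritypolicies"], resourceNames: ["privileged"], verbs: ["use"]}
---
# Only the one service account whose pod needs root may use the privileged PSP;
# the subject is the ServiceAccount itself, not a group
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-privileged-root-app
  namespace: abc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: psp-privileged
subjects:
- kind: ServiceAccount
  name: root-app
  namespace: abc
```

Pods created under `root-app` may use either PSP; the PSP admission controller picks the first policy (ordered by name) that admits the pod without mutating it, so a root pod is admitted through `privileged` while every other service account in `abc` can only satisfy `restricted`. PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so this applies to the 1.18 cluster in the question but not to current releases.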

You can format your yaml by highlighting it and pressing Ctrl-Shift-C, it will make your output easier to read.


I'm giving an example here. Scenario: restrict a service account to specific resources in a specific namespace; let's say I want to allow only daemonsets in the qa namespace.

```shell
kubectl create ns qa
kubectl create sa test-user -n qa
```

Create a ClusterRole and a RoleBinding:

```yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # ClusterRole is cluster-scoped, so it takes no namespace;
  # the RoleBinding below is what confines it to qa
  name: test-namespace-role
rules:
 - apiGroups: ["*"]
   resources: ["daemonsets"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Binding a ClusterRole with a namespaced RoleBinding grants its rules only in qa
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-namespace-only
  namespace: qa
subjects:
 - kind: ServiceAccount
   name: test-user
   namespace: qa
roleRef:
  kind: ClusterRole
  name: test-namespace-role
  apiGroup: rbac.authorization.k8s.io
```

Deploy it:

```shell
kubectl apply -f <config> -n qa
```

Generate a token (on 1.18 the service account's token secret is created automatically):

```shell
TOKEN=$(kubectl describe secrets "$(kubectl describe sa test-user -n qa | grep -i Tokens | awk '{print $2}')" -n qa | grep token: | awk '{print $2}')
echo "$TOKEN"
```

That's it! Now let's verify using kubeconfig:

```shell
kubectl config set-context test-user --cluster=docker-desktop --user=test-user
kubectl config set-credentials test-user --token="$TOKEN"
kubectl config use-context test-user
```

Test using kubectl (each of these should be refused with "Forbidden", since the service account may only act on daemonsets in qa):

```shell
kubectl get pods
kubectl get pods -n test
kubectl get cm -n test
```