How to configure a ClusterRole for namespaced resources

Question

How to configure a ClusterRole for namespaced resources

4.3k Views Asked by Natjo At 16 February 2022 at 09:00

I want to allow a ServiceAccount in namespace A to access a resource in namespace B. To achieve this I connect the ServiceAccount to a ClusterRole via a ClusterRoleBinding. The documentation says I can "use a ClusterRole to [1.] define permissions on namespaced resources and be granted within individual namespace(s)"

But looking through the K8s documentation I can't find a way how to create a ClusterRole with namespaced resources. How can I achieve this?

Original Q&A

There are 3 best solutions below

**gohm'c** · Answer 1 · 2022-02-16T09:17:57.263000

...how to create a ClusterRole with namespaced resources...

Read further down a bit:

A ClusterRole can be used to grant the same permissions as a Role. Because ClusterRoles are cluster-scoped. You can also use them to grant access to:

...

namespaced resources (like Pods), across all namespaces

ClusterRole won't help you to restraint access to a single namespaced object. You can however use RoleBinding to reference a ClusterRole and restraint access to the object in the namespace of the RoleBinding.

**T.R** · Answer 2 · 2022-02-16T09:39:09.030000

I believe you need to create clusterrole not role. example:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: role-grantor
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["rolebindings"]
  verbs: ["create"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["bind"]
  # omit resourceNames to allow binding any ClusterRole
  resourceNames: ["admin","edit","view"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-grantor-binding
  namespace: user-1-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: role-grantor
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user-1

above example is from this link.

**damick** · Answer 3 · 2022-04-26T02:56:53.900000

I find both other answers a little confusing, hopefully this is clearer.

You did the right thing in creating a ClusterRole, but you want to bind it using a namespaced RoleBinding, not a ClusterRoleBinding.

Example using your examples. Notice how the RoleBinding is in the B namespace, giving A's ServiceAccount the permissions defined in the ClusterRole, but limited to the B namespace.

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: what-a-is-allowed-to-do-in-b
rules:
- apiGroups: [""]
  resources: ["pods", "deployments"] # etc
  verbs: ["get", "list", "create"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app
  namespace: namespace-a
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: what-a-is-allowed-to-do-in-b
  namespace: namespace-b
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: what-a-is-allowed-to-do-in-b
subjects:
- kind: ServiceAccount
  name: my-app
  namespace: namespace-a

Notes: You have to use the ClusterRole because you can't get outside your own namespace without one. By using a RoleBinding, which is namespaced, you can then limit the access to the scope of the namespace of that RoleBinding.

How to configure a ClusterRole for namespaced resources

There are 3 best solutions below

Related Questions in KUBERNETES

Related Questions in ROLES

Related Questions in K8S-SERVICEACCOUNT

Related Questions in K8S-CLUSTER-ROLE

Trending Questions

Popular # Hahtags

Popular Questions