I want to allow a ServiceAccount in namespace A to access a resource in namespace B. To achieve this I connect the ServiceAccount to a ClusterRole via a ClusterRoleBinding. The documentation says I can "use a ClusterRole to [1.] define permissions on namespaced resources and be granted within individual namespace(s)".
But looking through the K8s documentation I can't find a way to create a ClusterRole with namespaced resources. How can I achieve this?
I find both other answers a little confusing; hopefully this is clearer.

You did the right thing in creating a ClusterRole, but you want to bind it using a namespaced RoleBinding, not a ClusterRoleBinding.

Example using your examples. Notice how the RoleBinding is in the B namespace, giving A's ServiceAccount the permissions defined in the ClusterRole, but limited to the B namespace.

Notes: You have to use the ClusterRole because you can't get outside your own namespace without one. By using a RoleBinding, which is namespaced, you can then limit the access to the scope of the namespace of that RoleBinding.
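The pattern the answer describes, written out as an added example (not the answer's own manifest): the ServiceAccount, ClusterRole and binding names, the namespaces "a" and "b", and the pod read verbs are all assumed placeholders.

```yaml
# Added example, not from the original answer. Placeholder names:
# ServiceAccount "reader" lives in namespace "a"; the resources are in namespace "b".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: reader
  namespace: a
---
# Cluster-scoped rule set over namespaced resources (pods). On its own it grants
# nothing; it only takes effect where it is bound.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
# Namespaced binding: it lives in "b", so the ClusterRole's permissions apply to
# pods in "b" only. A ClusterRoleBinding with the same roleRef would instead grant
# pod-reader in every namespace, which is the over-broad grant the answer warns about.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: reader-from-a
  namespace: b
subjects:
- kind: ServiceAccount
  name: reader
  namespace: a      # subject from another namespace is allowed here
roleRef:
  kind: ClusterRole
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

To confirm the scope after applying it, `kubectl auth can-i get pods --as=system:serviceaccount:a:reader -n b` should answer yes, while the same command with `-n a` (or any other namespace) should answer no.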