Additional permissions will be granted to account1 and account2 for specific namespaces using a common role.
- Try to list the pods in ns-1 using GCP Service Account 1.
  1-kubectl get deployments --namespace=ns-1
- Why not just create a role without specifying a namespace, so that it isn't in a namespace and can be used anywhere?
  Actually, if you don't specify a namespace, the role is simply created in the default namespace, so it is still namespaced. The default namespace is just like every other namespace, except that it is where objects go when no namespace is given. The listing below confirms where the role ended up.
  a-kubectl create role deployment-reader --verb=get --verb=list --verb=watch --resource=deployments
  a-kubectl get roles --all-namespaces
- Create a cluster role that contains the necessary permissions:
  a-kubectl create clusterrole deployment-reader --verb=get --verb=list --verb=watch --resource=deployments
- Create a role binding to associate the role with GCP Service Account 1.
  a-kubectl create rolebinding account1-deployment-reader-binding --clusterrole=deployment-reader --user=$account1 --namespace=ns-1
- Try again.
  1-kubectl get deployments --namespace=ns-1
- Try to list the pods in ns-2 using GCP Service Account 2.
  2-kubectl get deployments --namespace=ns-2
- Re-use the cluster role that was created.
  a-kubectl create rolebinding account2-deployment-reader-binding --clusterrole=deployment-reader --user=$account2 --namespace=ns-2
- List the pods in ns-2 using GCP Service Account 2.
  2-kubectl get deployments --namespace=ns-2
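The following is an added example, not part of the lab and not kubectl's own code: a small model of the authorization decision the steps above rely on, built from constructed RBAC objects. It shows why a RoleBinding that references the shared ClusterRole grants read access only inside the binding's namespace, and why a Role created without --namespace lands in default. The user names are placeholders for the two GCP service accounts.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the RBAC objects the lab creates; this is a simulation,
# not output from or a client for the Kubernetes API.

@dataclass(frozen=True)
class Rule:
    verbs: frozenset
    resources: frozenset

@dataclass(frozen=True)
class Role:
    name: str
    rules: tuple
    namespace: Optional[str]  # None means ClusterRole (cluster-scoped, no namespace)

@dataclass(frozen=True)
class RoleBinding:
    name: str
    namespace: str            # a RoleBinding is always namespaced
    role_ref: Role
    users: frozenset

def create_role(name, verbs, resources, namespace=None):
    """Like 'kubectl create role': without a namespace the Role goes into 'default'."""
    return Role(name, (Rule(frozenset(verbs), frozenset(resources)),), namespace or "default")

def create_clusterrole(name, verbs, resources):
    return Role(name, (Rule(frozenset(verbs), frozenset(resources)),), None)

def is_allowed(bindings, user, verb, resource, namespace):
    """Decide a namespaced request. Only RoleBindings in that namespace count, and a
    RoleBinding to a ClusterRole grants its rules inside the binding's namespace only."""
    for b in bindings:
        if b.namespace != namespace or user not in b.users:
            continue
        if b.role_ref.namespace not in (None, b.namespace):
            continue  # a namespaced Role can only be bound within its own namespace
        if any(verb in r.verbs and resource in r.resources for r in b.role_ref.rules):
            return True
    return False

def lab_bindings(account1="account1@example.invalid", account2="account2@example.invalid"):
    """The two RoleBindings from the lab, both pointing at one shared ClusterRole."""
    reader = create_clusterrole("deployment-reader", ["get", "list", "watch"], ["deployments"])
    return [
        RoleBinding("account1-deployment-reader-binding", "ns-1", reader, frozenset([account1])),
        RoleBinding("account2-deployment-reader-binding", "ns-2", reader, frozenset([account2])),
    ]
```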