2

I'm looking to find out whether the scenario below is possible or not:

Let's say a user (user1) has access only to the namespaces default and marketing.

When we perform `kubectl get ns`, it should display both namespaces.

No other namespaces should be displayed even if they exist, because user1 does not have access to any other namespaces.

We could relate this scenario to databases, where a user can see only the databases they have access to when `show databases` is performed.

Avinash Reddy
  • What have you tried, what results are you seeing? What have you researched about how kubernetes manages permissions? – Amit Kumar Gupta Aug 08 '19 at 20:45
  • @AmitKumarGupta I tried applying a clusterrolebinding; it displays all the namespaces. https://github.com/avinashdesireddy/container-playground/blob/master/kubernetes/ns-reader.yaml I tried just the RoleBinding & Role, but `kubectl get ns` is not working, though I can list the pods, services, etc. within the namespace. – Avinash Reddy Aug 08 '19 at 21:37
  • 1
    Your request makes sense but I believe it's not possible in K8s. There are projects such as [this](https://github.com/k14s/k8s-rbac-proxy) that attempt to work around this limitation (for the controller use case rather than users running `kubectl`). – Amit Kumar Gupta Aug 08 '19 at 22:05
  • This is not currently possible. – johnharris85 Aug 08 '19 at 22:35

1 Answer

5

This isn't possible in Kubernetes. Namespaces are the resources providing the scoping mechanism to limit visibility into other resources. There's no meta-namespace that provides scoping rules for namespaces.

Grant David Bachman
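An added example, not part of the answer or the linked repository: the closest RBAC configuration to what the question asks for, in which user1 can read inside `default` and `marketing` and fetch those two Namespace objects by name, while an unfiltered `kubectl get ns` stays forbidden because no `list` on namespaces is granted. The user name `user1` is taken from the question; the object names are hypothetical.

```yaml
# Added example. Cluster-scoped rule: "get" on two named Namespace objects.
# There is deliberately no "list" verb, so `kubectl get ns` is still denied.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ns-get-default-marketing        # hypothetical name
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  resourceNames: ["default", "marketing"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: user1-ns-get                    # hypothetical name
subjects: [{kind: User, name: user1, apiGroup: rbac.authorization.k8s.io}]
roleRef: {kind: ClusterRole, name: ns-get-default-marketing, apiGroup: rbac.authorization.k8s.io}
---
# Namespaced bindings: read-only access inside each permitted namespace,
# reusing the built-in "view" ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user1-view                      # hypothetical name
  namespace: default
subjects: [{kind: User, name: user1, apiGroup: rbac.authorization.k8s.io}]
roleRef: {kind: ClusterRole, name: view, apiGroup: rbac.authorization.k8s.io}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user1-view                      # hypothetical name
  namespace: marketing
subjects: [{kind: User, name: user1, apiGroup: rbac.authorization.k8s.io}]
roleRef: {kind: ClusterRole, name: view, apiGroup: rbac.authorization.k8s.io}
```

With this applied, `kubectl auth can-i list namespaces --as user1` should answer `no`, and `kubectl auth can-i get namespaces/marketing --as user1` should answer `yes`.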