
When I type kubectl edit clusterrolebinding foo-role, I can see something like:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: foo-role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- kind: ServiceAccount
  name: foo-user
  namespace: ns1
- kind: ServiceAccount
  name: foo-user
  namespace: ns2

I can add a new ClusterRoleBinding for namespace ns3 by appending the following config to the above file:

- kind: ServiceAccount
  name: foo-user
  namespace: ns3

However, I want to use Kustomize to add new bindings instead of manually modifying the above file.

I tried to apply the .yaml file below:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: foo-role
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/foo-role
  uid: 64a4a787-d5ab-4c83-be2b-476c1bcb6c96
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- kind: ServiceAccount
  name: foo-user
  namespace: ns3

It did add a new ClusterRoleBinding in the namespace ns3, but it removed the existing ClusterRoleBindings for ns1 and ns2.

Is there a way to add new ClusterRoleBinding with Kustomize without removing existing ones?

johnlinp

1 Answer


Give them different names in the metadata. You didn't make a new one, you just overwrote the same one.

coderanger
  • No, I don't want to give them different names. I just want to bind `foo-user` in `ns3` to `foo-role`. – johnlinp Mar 13 '20 at 15:00
  • Then list all the subjects at the same time. The object you see is the object you get. It's not like an RPC call, these are REST objects. – coderanger Mar 13 '20 at 15:15
  • (you will have to use an rfc6902 patch for this) – coderanger Mar 13 '20 at 15:15
  • If I use rfc6902 patch, will I be able to only list the subjects I want to add? – johnlinp Mar 15 '20 at 02:46
  • Sure, I guess. Why not make multiple objects though? That's how this is supposed to work. You can have as many bindings as you want. – coderanger Mar 15 '20 at 04:33
  • Because it requires 3 steps: retrieving the latest subject list, modifying the subject list, and sending out the subject list. I don't know how to do the first step in Kustomize automatically. – johnlinp Mar 16 '20 at 00:38
  • I think you misunderstand how kustomize works. It can’t retrieve anything. – coderanger Mar 16 '20 at 03:57
  • After some testing, I found out that I should have used a different name in the metadata. I'll accept your answer. Thank you so much. – johnlinp Mar 17 '20 at 09:09
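As an added example (not part of the question or answer above), this is what the RFC 6902 patch coderanger mentions looks like in a Kustomize overlay. The base manifest reuses the names from the question; the `base/` and `overlays/ns3/` directory layout and file names are assumptions. The server-populated `selfLink` and `uid` fields from the question's manifest are left out on purpose, since a manifest that Kustomize renders must not carry them.

```yaml
# --- base/clusterrolebinding.yaml (assumed path; object names from the question)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: foo-role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- kind: ServiceAccount
  name: foo-user
  namespace: ns1
- kind: ServiceAccount
  name: foo-user
  namespace: ns2

# --- base/kustomization.yaml (assumed path)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- clusterrolebinding.yaml

# --- overlays/ns3/kustomization.yaml (assumed path)
# The JSON 6902 patch appends one element to the subjects array that is
# already in the base. Kustomize never reads the live cluster, so every
# subject that should survive the apply must be present in the base (or in
# an earlier patch); anything missing here is removed on apply, which is
# exactly the overwrite the question describes.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
patches:
- target:
    group: rbac.authorization.k8s.io
    version: v1
    kind: ClusterRoleBinding
    name: foo-role
  patch: |-
    - op: add
      path: /subjects/-
      value:
        kind: ServiceAccount
        name: foo-user
        namespace: ns3
```

Render the result with `kubectl kustomize overlays/ns3` and compare it against the live object with `kubectl diff -k overlays/ns3` before running `kubectl apply -k overlays/ns3`; the diff is where a dropped subject shows up. One scoping caveat worth checking on a binding like this: a ClusterRoleBinding to the `edit` ClusterRole grants edit rights in every namespace to each listed service account, and the `namespace` under `subjects` only identifies which account is meant. If the intent is edit access inside ns3 only, a RoleBinding in ns3 that references the `edit` ClusterRole is the least-privilege choice, and it is also a separate, separately named object, which is what the accepted answer recommends.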