I want to create a service account that can access only specific namespaces. So far some rules are working; the issue comes when I export the KUBECONFIG: this service account can do anything to pods in other namespaces that this account should not have access to.
Here is the code:
```bash
# Create a service account for the user
kubectl create serviceaccount ${USERNAME} --namespace=${NAMESPACE_SA}

# Create the RBAC role (a Role is namespaced: it only grants rights inside ${NAMESPACE})
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${ROLE_NAME}
  namespace: ${NAMESPACE}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "get", "update", "list"]
EOF

# Bind the service account to the role in ${NAMESPACE}
kubectl create rolebinding ${USERNAME}-rolebinding --role=${ROLE_NAME} --serviceaccount=${NAMESPACE_SA}:${USERNAME} --namespace=${NAMESPACE}

# Create token for the SA (k8s 1.24+)
kubectl create token ${USERNAME} --namespace=${NAMESPACE_SA}
```
Accessing the K8s cluster:
```bash
export KUBECONFIG=~/.kube/my-sa-kubeconfig && kubectl config use-context kubernetes-admin@kubernetes-user-sa && kubectl get pods -A
```
```
# User SA should have access only to the default NS, but this SA can interact as well with all pods in the redis NS
default temporalio-matching-b5576d445-4nwn6 1/1 Running 1 132d
default temporalio-web-5c96bcb4d6-c5gff 1/1 Running 1 132d
default temporalio-worker-767768d4f6-fqdhw 1/1 Running 1 132d
redis-cluster redis-primary-67dd67f4b6-b66gl 1/1 Running 1 343d
redis-cluster redis-replica-7bd77d7485-5n8js 1/1 Running 1 343d
redis-cluster redis-replica-7bd77d7485-zvb4h 1/1 Running 1 343d
```
Any hints where this is failing? Note: after evaluating the Bash variables, the files are correct, and no errors are shown.
- I have already tried creating a ClusterRole and binding it to a role for a specific NS, and no luck.
- I have tried to limit verbs to only list on the pods resource, and I can still do kubectl exec in the NS that the role does not have access to.
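A Role and RoleBinding cannot grant anything outside their own namespace, so when a context that is supposed to carry the service-account token can still list and exec into pods in redis-cluster, the first thing worth establishing is which user entry the selected context actually references and what kind of credential that user entry holds. A context name like kubernetes-admin@kubernetes-user-sa says nothing by itself about that. The following is an added example, not code from the question: a small checker that reads a kubeconfig in its JSON form (kubectl accepts JSON as well as YAML, which keeps this free of a PyYAML dependency), resolves a context to its user entry, and reports whether that user authenticates with a bearer token (the shape a service-account token takes) or with a client certificate (the shape kubeadm's kubernetes-admin user takes). The sample kubeconfig, its user names, the placeholder credentials and the script file name are all constructed for the example.

```python
"""Report which identity a kubeconfig context really uses (added example)."""
import json
import sys


def load_kubeconfig(text):
    """Parse a kubeconfig given in JSON form (a YAML file would need PyYAML)."""
    return json.loads(text)


def _find(entries, name):
    return next((e for e in entries if e.get("name") == name), None)


def context_identity(cfg, context_name=None):
    """Return (user_name, credential_kind) for a context, defaulting to current-context."""
    name = context_name or cfg.get("current-context")
    ctx = _find(cfg.get("contexts", []), name)
    if ctx is None:
        raise KeyError(f"context {name!r} not found in kubeconfig")
    user_name = ctx["context"]["user"]
    user = _find(cfg.get("users", []), user_name)
    if user is None:
        raise KeyError(f"user {user_name!r} referenced by context {name!r} is missing")
    creds = user.get("user", {})
    if "token" in creds or "tokenFile" in creds:
        kind = "bearer-token"        # what a service-account token looks like
    elif "client-certificate-data" in creds or "client-certificate" in creds:
        kind = "client-certificate"  # what a kubeadm admin user looks like
    elif "exec" in creds or "auth-provider" in creds:
        kind = "external-credential"
    else:
        kind = "unknown"
    return user_name, kind


def check_sa_context(cfg, context_name, expected_user):
    """Return findings explaining why the context is not wired to the SA token; empty = OK."""
    user_name, kind = context_identity(cfg, context_name)
    findings = []
    if user_name != expected_user:
        findings.append(f"context {context_name!r} uses user {user_name!r}, expected {expected_user!r}")
    if kind != "bearer-token":
        findings.append(f"user {user_name!r} authenticates with {kind}, not a service-account token")
    return findings


# Constructed sample kubeconfig (JSON form, placeholder credentials), not a real file.
# Two user entries: a certificate-based admin and a token-based service account.
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "kubernetes",
                  "cluster": {"server": "https://kube-apiserver.example:6443",
                              "certificate-authority-data": "PLACEHOLDER-CA"}}],
    "users": [
        {"name": "kubernetes-admin",
         "user": {"client-certificate-data": "PLACEHOLDER-CERT",
                  "client-key-data": "PLACEHOLDER-KEY"}},
        {"name": "user-sa", "user": {"token": "PLACEHOLDER-SA-TOKEN"}},
    ],
    "contexts": [
        {"name": "kubernetes-admin@kubernetes-user-sa",
         "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}},
        {"name": "user-sa@kubernetes",
         "context": {"cluster": "kubernetes", "user": "user-sa"}},
    ],
    "current-context": "kubernetes-admin@kubernetes-user-sa",
})


if __name__ == "__main__":
    # Usage: python kubeconfig_identity.py <json-kubeconfig> <context> <expected-user>
    # With no arguments the constructed sample above is checked instead.
    if len(sys.argv) >= 4:
        with open(sys.argv[1]) as f:
            cfg = load_kubeconfig(f.read())
        context, expected = sys.argv[2], sys.argv[3]
    else:
        cfg, expected = load_kubeconfig(SAMPLE_KUBECONFIG), "user-sa"
        context = cfg["current-context"]
    problems = check_sa_context(cfg, context, expected)
    print("OK: context uses the service-account token" if not problems else "\n".join(problems))
```

On the sample, the context named kubernetes-admin@kubernetes-user-sa resolves to the certificate-based admin user, so the checker reports two findings, while user-sa@kubernetes passes. To confirm against the live cluster rather than the file, `kubectl auth can-i --list -n redis-cluster` under the exported KUBECONFIG shows what the credential in use is actually granted, and `kubectl auth can-i list pods -n redis-cluster --as=system:serviceaccount:${NAMESPACE_SA}:${USERNAME}` (run as the admin) shows what the service account itself is granted; if the first answers yes and the second answers no, the kubeconfig is sending a different identity than the Role binds.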