Basavraj Nilkanthe:
While creating a ClusterRole and binding it with a RoleBinding to restrict the cluster role to a specific namespace for specific users… I can run kubectl auth can-i create pv --as michelle and it works… but when I list/create/get pv as that michelle user, it gives a permission error. With kubectl get pv --as michelle, it gives me a permission…
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: storage-admin
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Secret
  # objects is "secrets"
  resources: ["pv"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
  name: storage-admin-rolebinding
subjects:
# You can specify more than one "subject"
- kind: User
  name: michelle # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: ClusterRole # this must be Role or ClusterRole
  name: storage-admin # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io
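Two properties of Kubernetes RBAC bear on the manifests above: a rule's resources field matches the plural API resource name (persistentvolumes), not the kubectl short name pv, and PersistentVolumes are cluster-scoped, so a RoleBinding, which only grants within its own namespace, cannot grant access to them. The following is an added example of a least-privilege ClusterRole plus ClusterRoleBinding for that case, not the poster's own config; the role and binding names are reused from the post.

```yaml
# Added example, not from the original post. Grants the user "michelle"
# read/write access to PersistentVolumes cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: storage-admin
rules:
- apiGroups: [""]
  # RBAC matches the plural API resource name, not the kubectl short name "pv".
  resources: ["persistentvolumes"]
  # Explicit verbs instead of "*" keep the grant auditable and least-privilege.
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
# PersistentVolumes are cluster-scoped, so the binding must be a
# ClusterRoleBinding; a RoleBinding only grants within its own namespace.
kind: ClusterRoleBinding
metadata:
  name: storage-admin-binding
subjects:
- kind: User
  name: michelle   # case sensitive; must match the authenticated username
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: storage-admin
  apiGroup: rbac.authorization.k8s.io
```

Verify with kubectl auth can-i list persistentvolumes --as michelle (no namespace flag, since the resource is cluster-scoped). If the user also needs PersistentVolumeClaims, which are namespaced, those can stay behind a RoleBinding in the intended namespace.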