Md Ishaq R:
Hi all, I have a question about ClusterRole and ClusterRoleBinding. Could anyone help me with this?

Create a new ClusterRole named demo-clusterrole. Any resource associated with the cluster role should be able to create the following resources: Deployment, StatefulSet, DaemonSet.
Create a new namespace named demo-namespace. Within that namespace, create a new ServiceAccount named demo-token.
Bind the new ClusterRole with the custom service account token: limited to namespace demo-namespace, bind the new ClusterRole demo-clusterrole to the new ServiceAccount demo-token.
Md Ishaq R:
Step 1: Create Namespace
kubectl create namespace demo-namespace
Step 2: Create Service Account in Custom Namespace
apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo-token
  namespace: demo-namespace
Step 3: Create a Cluster Role
kubectl create clusterrole demo-clusterrole --verb=create --resource=Deployment,StatefulSet,DaemonSet --dry-run=client -o yaml > clusterrole.yaml
Following is the snippet generated from the above command:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: demo-clusterrole
rules:
- apiGroups:
  - apps
  resources:
  - deployments
  - statefulsets
  - daemonsets
  verbs:
  - create
kubectl apply -f clusterrole.yaml
Step 4: Bind the ClusterRole with Service Account
kubectl create clusterrolebinding demo-role-bind --clusterrole=demo-clusterrole --serviceaccount=demo-namespace:demo-token
Md Ishaq R:
But when I check whether the permissions have been granted with “kubectl auth can-i create deployments --as=demo-namespace:demo-token”, it says “no”.
Md Ishaq R:
And when I create a ClusterRole and bind it with a RoleBinding using --user=demo-token --namespace=demo-namespace instead of --serviceaccount=demo-namespace:demo-token, I am able to see the permissions granted. Is this the right way? Because in the docs I have read that ClusterRoles and ClusterRoleBindings are cluster-scoped and namespace-wide, whereas Roles and RoleBindings can be limited to a namespace.
Sampathkaran:
Try using kubectl auth can-i create deployments --as=system:serviceaccount:demo-namespace:demo-token
Sampathkaran:
What I think is that an SA is not a user account; it is used by other applications, so it belongs to the system group…
Rixin Lan:
Did you try to create a RoleBinding object to bind the ClusterRole with the ServiceAccount in a namespace?