Hi all, I have a question about clusterrole and clusterrolebinding, could anyone . . .

Md Ishaq R:
Hi all, I have a question about clusterrole and clusterrolebinding, could anyone help me with this? Create a new ClusterRole named demo-clusterrole. Any resource associated with the cluster role should be able to create the following resources:
Deployment, StatefulSet, DaemonSet
Create a new namespace named demo-namespace. Within that namespace, create a new ServiceAccount named demo-token. Bind the new ClusterRole with the custom service-account token.
Limited to namespace demo-namespace, bind the new ClusterRole demo-clusterrole to the new ServiceAccount demo-token.

Md Ishaq R:
Step 1: Create Namespace
kubectl create namespace demo-namespace

Step 2: Create Service Account in Custom Namespace

apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo-token
  namespace: demo-namespace

Step 3: Create a Cluster Role
kubectl create clusterrole demo-clusterrole --verb=create --resource=Deployment,StatefulSet,DaemonSet --dry-run=client -o yaml > clusterrole.yaml
Following is the snippet generated from the above command:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: demo-clusterrole
rules:
- apiGroups:
  - apps
  resources:
  - deployments
  - statefulsets
  - daemonsets
  verbs:
  - create

kubectl apply -f clusterrole.yaml

Step 4: Bind the ClusterRole with Service Account
kubectl create clusterrolebinding demo-role-bind --clusterrole=demo-clusterrole --serviceaccount=demo-namespace:demo-token

Md Ishaq R:
But when I check whether the permissions have been granted with "kubectl auth can-i create deployments --as=demo-namespace:demo-token", it says "no".

Md Ishaq R:
Is there something wrong I am doing, @Tej_Singh_Rana?

Md Ishaq R:
And when I create a clusterrole and bind it with a rolebinding using --user=demo-token --namespace=demo-namespace instead of --serviceaccount=demo-namespace:demo-token, I am able to see the permissions granted. Is this the right way? Because in the docs I have read that cluster roles and clusterrolebindings are cluster-scoped and namespace-wide, whereas a role and rolebinding can be limited to a namespace.

Try using kubectl auth can-i create deployments --as=system:serviceaccount:demo-namespace:demo-token

Md Ishaq R:
@Sampathkaran awesome, it worked, thanks… Why do we have to put "system"?

What I think is that an SA is not a user account and it is used by other applications, so it belongs to the system group…

Md Ishaq R:
@Sampathkaran thanks

Rixin Lan:
Did you try to create a RoleBinding object to bind the ClusterRole with the ServiceAccount in a namespace?
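The namespace-scoped variant Rixin Lan asks about, written out as an added example (not code from any poster in the thread): a RoleBinding inside demo-namespace that references the ClusterRole, plus the auth check using the system:serviceaccount:<namespace>:<name> subject that made the check return "yes". The binding name demo-role-bind is reused from the thread; the --apply flag and the helper function names are this script's own assumptions.

```shell
#!/usr/bin/env bash
# Added example: grant demo-clusterrole to ServiceAccount demo-token only
# inside demo-namespace, then verify with "kubectl auth can-i".
set -eu

# Subject name kubectl expects when impersonating a ServiceAccount:
# "system:serviceaccount:<namespace>:<serviceaccount>".
sa_subject() {
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# Render a RoleBinding in the target namespace that references the
# ClusterRole. Because the binding is a RoleBinding (not a
# ClusterRoleBinding as in the thread), the create verbs apply only
# inside that namespace.
rolebinding_yaml() {
  local ns=$1 sa=$2 role=$3
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: demo-role-bind
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
roleRef:
  kind: ClusterRole
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply the binding and check the scope: expect "yes" inside the
# namespace and "no" in any other namespace. Needs a cluster and kubectl,
# so it only runs when the script is invoked with --apply.
apply_and_check() {
  local ns=$1 sa=$2 role=$3 subject
  subject=$(sa_subject "$ns" "$sa")
  rolebinding_yaml "$ns" "$sa" "$role" | kubectl apply -f -
  kubectl auth can-i create deployments --as="$subject" -n "$ns"
  # "no" makes kubectl exit non-zero; keep going under set -e.
  kubectl auth can-i create deployments --as="$subject" -n default || true
}

if [ "${1:-}" = "--apply" ]; then
  apply_and_check demo-namespace demo-token demo-clusterrole
fi
```

Running the same two can-i checks after the thread's ClusterRoleBinding would print "yes" for both namespaces, which is the difference the task's "limited to namespace demo-namespace" wording is about.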