I have a problem understanding RBAC. Tried this both in a plain Katacoda environment as well as in the “Practice Test Role Based Access Control” environment provided with this course. There are two namespaces A and B. Some pod scheduled in namespace A using an image that ships kubectl is able to patch an existing secret in both namespace A and B. Is that supposed to be allowed? I had thought that I would need to create one role per namespace allowing “patch” on the “secrets” type and bind that to the default service account or to a custom service account and make the pod use that. But it just works out of the box.
Were you using Role or ClusterRole?
Nothing, it just worked without any RBAC modifications.
Tried it in a real cluster now where these RBAC modifications are required (I use Role).
The demo environments seem to put cluster-admin or similar to default service accounts, that’s why it just worked.
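One way to check a cluster for the kind of binding the last post suspects, as an added example that is not part of the original thread: it scans binding objects for `cluster-admin` granted to `default` service accounts or catch-all groups. The binding names, namespaces and sample data are constructed for illustration.

```python
import json
import sys

# Built-in Kubernetes groups that cover many or all identities in a cluster.
BROAD_GROUPS = {"system:serviceaccounts", "system:authenticated", "system:unauthenticated"}

def risky_bindings(doc, roles=("cluster-admin",)):
    """Return (binding, role, subject, scope) for bindings that hand a
    powerful ClusterRole to default service accounts or catch-all groups."""
    findings = []
    for b in doc.get("items", []):
        ref = b.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in roles:
            continue
        meta = b.get("metadata", {})
        # A RoleBinding limits the grant to its namespace; a ClusterRoleBinding does not.
        scope = meta.get("namespace") if b.get("kind") == "RoleBinding" else "cluster-wide"
        for s in b.get("subjects") or []:
            kind, name = s.get("kind"), s.get("name", "")
            if kind == "ServiceAccount" and name == "default":
                who = f"{s.get('namespace')}/default"
            elif kind == "Group" and (name in BROAD_GROUPS
                                      or name.startswith("system:serviceaccounts:")):
                who = name  # every service account, or every one in a namespace
            else:
                continue
            findings.append((meta.get("name"), ref["name"], who, scope))
    return findings

# Constructed sample, shaped like `kubectl get clusterrolebindings,rolebindings -A -o json`.
SAMPLE = {"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "demo-permissive"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "default-a-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "a"}]},
    {"kind": "RoleBinding", "metadata": {"name": "secret-patcher", "namespace": "a"},
     "roleRef": {"kind": "Role", "name": "secret-patcher"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "a"}]},
]}

if __name__ == "__main__":
    # With "-" as the only argument, read real kubectl JSON output from stdin.
    doc = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for finding in risky_bindings(doc):
        print(*finding, sep="\t")
```

The namespaced `secret-patcher` RoleBinding in the sample is the per-namespace setup the question expected to need, and it is not flagged.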