While creating clusterrole and binding with rolebinding to restrict cluster role . . .

Basavraj Nilkanthe:
While creating a ClusterRole and binding it with a RoleBinding to restrict the cluster role to a specific namespace for specific users… I can run kubectl auth can-i create pv --as michelle and it works… but when I list/create/get pv as that michelle user, it gives a permission error. kubectl get pv --as michelle gives me a permission error…

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: storage-admin
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing Secret
  # objects is "secrets"
  resources: ["pv"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
# This role binding allows "jane" to read pods in the "default" namespace.
# You need to already have a Role named "pod-reader" in that namespace.
kind: RoleBinding
metadata:
  name: storage-admin-rolebinding
subjects:
# You can specify more than one "subject"
- kind: User
  name: michelle # "name" is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: ClusterRole # this must be Role or ClusterRole
  name: storage-admin # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io

Hinodeya:
It’s normally because you should create a Role, not a ClusterRole, due to the namespace.

Basavraj Nilkanthe:
@Hinodeya, not getting you… we can bind a cluster role with a RoleBinding to restrict the cluster role to a specific namespace.

Basavraj Nilkanthe:
This is another scenario we can use in order to control a common permission scenario across more than one namespace.

Basavraj Nilkanthe:
Instead of creating multiple roles in multiple namespaces, we can create one cluster role and bind it into multiple namespaces.