--namespace argument of clusterrolebinding
clusterrolebinding is scoped to the entire cluster regardless of namespace.
However, the k8s documentation lists a --namespace argument for clusterrolebinding.
So I tested it.
controlplane ~ ➜ k create ns test-1
namespace/test-1 created
controlplane ~ ➜ k create ns test-2
namespace/test-2 created
controlplane ~ ➜ k get ns
NAME              STATUS   AGE
default           Active   32m
kube-node-lease   Active   32m
kube-public       Active   32m
kube-system       Active   32m
test-1            Active   15m
test-2            Active   15m
controlplane ~ ➜ k create sa tester -n test-1
serviceaccount/tester created
controlplane ~ ➜ k create clusterrole test-role --resource=pods --verb=get,list,create,delete -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2024-10-29T00:24:38Z"
  name: test-role
  resourceVersion: "1911"
  uid: eeef6968-2112-47d9-9812-a745682e7afb
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - create
  - delete
controlplane ~ ➜ k create clusterrolebinding test-diff-ns-rolebinding --clusterrole=test-role --serviceaccount=test-1:tester -n test-2 -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2024-10-29T00:24:43Z"
  name: test-diff-ns-rolebinding
  resourceVersion: "1922"
  uid: 1bc66e49-937c-42be-99b3-8f09b560cd40
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: test-role
subjects:
- kind: ServiceAccount
  name: tester
  namespace: test-1
controlplane ~ ➜ k auth can-i create pods --as system:serviceaccount:test-1:tester
yes
controlplane ~ ➜ k auth can-i create pods --as system:serviceaccount:test-1:tester -n test-1
yes
controlplane ~ ➜ k auth can-i create pods --as system:serviceaccount:test-1:tester -n test-2
yes
controlplane ~ ➜ k delete clusterrolebinding test-diff-ns-rolebinding
clusterrolebinding.rbac.authorization.k8s.io "test-diff-ns-rolebinding" deleted
controlplane ~ ➜ k auth can-i create pods --as system:serviceaccount:test-1:tester
no
controlplane ~ ✖ k auth can-i create pods --as system:serviceaccount:test-1:tester -n test-1
no
controlplane ~ ✖ k auth can-i create pods --as system:serviceaccount:test-1:tester -n test-2
no
controlplane ~ ✖ k create rolebinding test-diff-ns-rolebinding --clusterrole=test-role --serviceaccount=test-1:tester -n test-2 -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2024-10-29T00:26:49Z"
  name: test-diff-ns-rolebinding
  namespace: test-2
  resourceVersion: "2098"
  uid: 26c6943a-ba5d-4a7c-9773-1b403a68fd6b
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: test-role
subjects:
- kind: ServiceAccount
  name: tester
  namespace: test-1
controlplane ~ ➜ k auth can-i create pods --as system:serviceaccount:test-1:tester
no
controlplane ~ ✖ k auth can-i create pods --as system:serviceaccount:test-1:tester -n test-1
no
controlplane ~ ✖ k auth can-i create pods --as system:serviceaccount:test-1:tester -n test-2
yes
The --namespace argument exists, but when creating a clusterrolebinding its value does not appear in the resulting YAML (there is no metadata.namespace on a ClusterRoleBinding), and the granted permissions are not restricted to that namespace: the service account could create pods in every namespace, not only in test-2. Only the rolebinding created with -n test-2 limited the grant to test-2.
I don't know what the --namespace argument is for in the official documentation.
I gave feedback.
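To make the scoping rule behind the experiment above explicit, here is an added example (not from the original post, and not Kubernetes' own authorizer) that models the three objects created with kubectl and replays the `auth can-i` checks. It assumes kubectl's "no -n" case resolves to the `default` namespace, as it did in the session, and ignores apiGroups for brevity.

```python
# Minimal model of how RBAC scopes a binding. A RoleBinding applies only to
# requests in its own metadata.namespace; a ClusterRoleBinding has no namespace
# field at all, so a -n flag given at creation time leaves no trace and does
# not narrow the grant. Constructed for illustration, not Kubernetes' own code.

# The ClusterRole from the post (metadata trimmed to what matters here).
CLUSTER_ROLE = {
    "kind": "ClusterRole", "name": "test-role",
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "list", "create", "delete"]}],
}

def make_binding(kind, namespace=None):
    """Build a binding like the ones kubectl emitted in the post. Only a
    RoleBinding records the namespace; for a ClusterRoleBinding it is dropped."""
    binding = {"kind": kind, "metadata": {"name": "test-diff-ns-rolebinding"},
               "roleRef": {"kind": "ClusterRole", "name": "test-role"},
               "subjects": [{"kind": "ServiceAccount", "name": "tester",
                             "namespace": "test-1"}]}
    if kind == "RoleBinding":
        binding["metadata"]["namespace"] = namespace
    return binding

def subject_matches(subject, user):
    """ServiceAccount subjects map to the user name system:serviceaccount:NS:NAME."""
    return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"

def can_i(bindings, roles, user, verb, resource, namespace="default"):
    """Emulate `kubectl auth can-i VERB RESOURCE --as USER [-n NS]`.
    `namespace` defaults to "default", kubectl's current namespace in the post."""
    for binding in bindings:
        # A RoleBinding only counts for requests inside its own namespace.
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
            continue
        if not any(subject_matches(s, user) for s in binding["subjects"]):
            continue
        for rule in roles[binding["roleRef"]["name"]]["rules"]:
            if resource in rule["resources"] and verb in rule["verbs"]:
                return True
    return False

def run_experiment():
    """Replay the post's checks: no -n, -n test-1, -n test-2, for each binding kind."""
    roles = {"test-role": CLUSTER_ROLE}
    user = "system:serviceaccount:test-1:tester"
    return {kind: tuple(can_i([make_binding(kind, "test-2")], roles, user,
                              "create", "pods", ns)
                        for ns in ("default", "test-1", "test-2"))
            for kind in ("ClusterRoleBinding", "RoleBinding")}
```

`run_experiment()` reproduces the session: the ClusterRoleBinding yields yes/yes/yes while the RoleBinding created with -n test-2 yields no/no/yes.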
Let me know what you think of this article in the comment section below!