
I have a couple of namespaces, assume NS1 and NS2. I have ServiceAccounts created in those: sa1 in NS1 and sa2 in NS2. I have created Roles and RoleBindings for sa1 to do stuff within NS1 and for sa2 within NS2. What I want is to give sa1 certain access within NS2 (say only a Pod Reader role).

I am wondering whether that's possible or not.

030
rahul

1 Answer


You can simply reference a ServiceAccount from another namespace in the RoleBinding:

# Role: namespaced, so these rules only ever apply inside ns2
apiVersion: rbac.authorization.k8s.io/v1   # rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1
kind: Role
metadata:
  name: pod-reader
  namespace: ns2
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
# RoleBinding: also lives in ns2. The subject's namespace (ns1) says who,
# the binding's namespace (ns2) says where the grant applies.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-from-ns1
  namespace: ns2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader            # must exist in the binding's namespace (ns2)
subjects:
- kind: ServiceAccount
  name: ns1-service-account   # the ServiceAccount lives in ns1, not in ns2
  namespace: ns1
Robert Panzer
  • Can we apply the same concept to make communication between a **Service** [NodePort in ns1] and an **Ingress** [Aws-alb-ingress-controller in ns2] work, i.e. across 2 different namespaces? – Ashish Kumar Sep 24 '19 at 19:44
  • @AshishKumar here you can use a Service of type ExternalName. – LLlAMnYP Oct 02 '19 at 20:19
  • @LLlAMnYP can a Service of type ExternalName distribute the traffic among multiple pods under the same label specified? – Ashish Kumar Oct 03 '19 at 06:14
  • @Ashish a Service of type ExternalName is nothing more than a CNAME record in the cluster DNS. The balancing is then done by the Service it is pointing to. – LLlAMnYP Oct 03 '19 at 07:05
  • Detail: `kind: Role` in the `roleRef` section will be removed by k8s. You could just use `namespace: n2` in this section. – 030 Mar 23 '20 at 11:04
  • There is also a very good and clear article about the topic: https://octopus.com/blog/k8s-rbac-roles-and-bindings This finally helped me to understand the relationship between service accounts, roles, role bindings, cluster roles and cluster role bindings. – Ville Aug 13 '21 at 13:06
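The scoping rule the answer relies on, worked through as an added example (this is not code from the answer, from Kubernetes, or from any commenter). It encodes the answer's two manifests using the names from the question (ServiceAccount sa1 in ns1, a pod-reader Role in ns2) and evaluates them with a deliberately small model of the RBAC authorizer, so you can see without a cluster that the binding lets sa1 read pods in ns2 only, and nothing else. The evaluator, the sample queries and the `kubectl_check` helper are assumptions made for illustration; the model ignores ClusterRoleBindings and Group subjects.

```python
"""Cross-namespace RoleBinding, modelled and checked.

Added example (not code from the original answer or from Kubernetes). It
encodes the answer's manifests with the question's names (sa1 in ns1,
pod-reader in ns2) and evaluates them with a deliberately small model of
the RBAC authorizer; names, queries and evaluator are all illustrative.
"""

# A Role is namespaced: these rules can only ever apply inside ns2.
POD_READER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "pod-reader", "namespace": "ns2"},
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "list", "watch"]}],
}

# The RoleBinding also lives in ns2. The subject's namespace (ns1) only
# identifies *who*; the binding's namespace decides *where* the grant applies.
POD_READER_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"name": "pod-reader-from-ns1", "namespace": "ns2"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "Role", "name": "pod-reader"},
    "subjects": [{"kind": "ServiceAccount", "name": "sa1", "namespace": "ns1"}],
}


def sa_username(namespace, name):
    """Username the API server derives from a ServiceAccount token."""
    return f"system:serviceaccount:{namespace}:{name}"


def _rule_allows(rule, verb, api_group, resource):
    """One PolicyRule; '*' is the wildcard Kubernetes accepts in each list."""
    def match(allowed, value):
        return "*" in allowed or value in allowed
    return (match(rule.get("apiGroups", []), api_group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))


def _subject_matches(subject, user):
    # Only ServiceAccount subjects are modelled here (no User/Group kinds).
    return (subject["kind"] == "ServiceAccount"
            and user == sa_username(subject["namespace"], subject["name"]))


def can_i(user, verb, resource, namespace, roles, bindings,
          cluster_roles=(), api_group=""):
    """True if a RoleBinding in `namespace` grants (verb, resource) to `user`.
    Simplified authorizer model: deny by default, ClusterRoleBindings ignored."""
    for binding in bindings:
        # A RoleBinding never grants anything outside its own namespace,
        # regardless of which namespace its subjects live in.
        if binding["metadata"]["namespace"] != namespace:
            continue
        if not any(_subject_matches(s, user) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        if ref["kind"] == "Role":
            # A Role referenced by a RoleBinding must be in the binding's namespace.
            candidates = [r for r in roles
                          if r["metadata"]["namespace"] == namespace
                          and r["metadata"]["name"] == ref["name"]]
        else:
            # A ClusterRole referenced from a RoleBinding is still confined to
            # the binding's namespace; only a ClusterRoleBinding makes it global.
            candidates = [r for r in cluster_roles
                          if r["metadata"]["name"] == ref["name"]]
        for role in candidates:
            if any(_rule_allows(rule, verb, api_group, resource)
                   for rule in role.get("rules", [])):
                return True
    return False


def kubectl_check(namespace, sa_name, verb, resource, target_namespace):
    """The real-cluster equivalent of can_i(), as a kubectl command line."""
    return (f"kubectl auth can-i {verb} {resource} "
            f"--as={sa_username(namespace, sa_name)} -n {target_namespace}")


def demo():
    """What the answer's binding grants sa1, and what it does not."""
    roles, bindings = [POD_READER_ROLE], [POD_READER_BINDING]
    sa1, sa2 = sa_username("ns1", "sa1"), sa_username("ns2", "sa2")
    return {
        "sa1 get pods in ns2": can_i(sa1, "get", "pods", "ns2", roles, bindings),
        "sa1 delete pods in ns2": can_i(sa1, "delete", "pods", "ns2", roles, bindings),
        "sa1 get secrets in ns2": can_i(sa1, "get", "secrets", "ns2", roles, bindings),
        "sa1 get pods in ns1 via this binding": can_i(sa1, "get", "pods", "ns1", roles, bindings),
        "sa2 get pods in ns2": can_i(sa2, "get", "pods", "ns2", roles, bindings),
    }


if __name__ == "__main__":
    for query, allowed in demo().items():
        print(f"{'yes' if allowed else 'no':>3}  {query}")
    print(kubectl_check("ns1", "sa1", "get", "pods", "ns2"))
```

On a real cluster, run the command `kubectl_check` prints, `kubectl auth can-i get pods --as=system:serviceaccount:ns1:sa1 -n ns2`, and then the same with `-n ns1` and with `delete` in place of `get`, to confirm the binding grants exactly what the question asks for. Because any RoleBinding can name a ServiceAccount from any namespace, auditing what sa1 can do means listing RoleBindings in every namespace, not just in ns1.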