0

I have created one Azure Kubernetes cluster with RBAC enabled.

So my thinking is that if any pod wants to access any resource in the cluster, it should be associated with a service account, and the service account should have a specific role assigned to access the resource.

But in my case I am able to access resources like list pods, list namespaces from a pod which is associated with a service account that does not have any role assigned.

Please help me know if my understanding of RBAC is wrong or I am doing something wrong here!

Billal Begueradj
Tarun
    Create a role with the permission and associate the role with the service account through RoleBinding, see [Grant Service Account Permission](https://stackoverflow.com/questions/52744289/granting-a-kubernetes-service-account-permissions-for-secrets). – Charles Xu Feb 11 '19 at 07:00

1 Answer

1

Your understanding is right. I'm not exactly sure about the permissions granted to the default service account, but if you create your own role and assign it to the service account, you can control permissions. Sample:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: myserviceaccount
  namespace: mynamespace      # a RoleBinding is namespaced; the namespace goes here, not in roleRef
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: orleans-cluster       # a Role must live in the same namespace as the binding
subjects:
- kind: ServiceAccount
  name: myserviceaccount      # must match the ServiceAccount's metadata.name exactly
  namespace: mynamespace

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: orleans-cluster
  namespace: mynamespace
rules:
- apiGroups:
  - orleans.dot.net
  resources:
  - clusterversions
  - silos
  verbs:
  - '*'

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myserviceaccount      # was misspelled "myserviceccount", so the binding pointed at a non-existent account
  namespace: mynamespace

If you assign myserviceaccount to the pod, it will only allow the pod to do whatever is defined in the role. So you need to create a role and a service account and use a RoleBinding (or a ClusterRoleBinding for cluster-wide permissions) to bind the role to the service account.

4c74356b41
  • My issue was I was able to list all pods, service accounts and other details using the default service account. But when I upgraded my Kubernetes cluster from 1.11.6 to 1.12.5, it started to throw 403 errors. So I am suspecting there is an RBAC issue in K8s version 1.11.6 – Tarun Feb 20 '19 at 19:40
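The way RBAC resolves the question asked above ("why can a pod with no role assigned list pods?") is mechanical: the API server looks for every RoleBinding or ClusterRoleBinding that names the pod's service account (or a group it belongs to) as a subject, takes the union of the referenced roles' rules, and denies anything not covered. A pod that uses the namespace's `default` service account therefore gets exactly whatever has been bound to `default`, which is often more than people expect. The following is an added example for this thread, not code from the question, the answer or Kubernetes: a toy resolver over constructed manifests modelled on the answer's YAML, with a hypothetical ClusterRoleBinding that hands `default` a cut-down `view` ClusterRole (the names `default-can-view` and the abbreviated `view` rules are made up). It also carries a small lint that catches the two defects in the answer's original YAML: a ServiceAccount name that differs from the binding's subject, and a `namespace` field inside `roleRef`.

```python
"""Toy resolver for Kubernetes RBAC: what a ServiceAccount may do, given Role/ClusterRole objects
and the RoleBinding/ClusterRoleBinding objects that name it. Added example for this thread, not
code from the question, the answer, or Kubernetes itself."""
import copy

# Constructed manifests as Python dicts (no YAML library needed), modelled on the answer's YAML.
# `default` exists automatically in every namespace; the ClusterRoleBinding that hands it `view`
# is a hypothetical misconfiguration, and `view` is an abbreviated stand-in for the real ClusterRole.
MANIFESTS = [
    {"kind": "ServiceAccount",
     "metadata": {"name": "myserviceaccount", "namespace": "mynamespace"}},
    {"kind": "ServiceAccount",
     "metadata": {"name": "default", "namespace": "mynamespace"}},
    {"kind": "Role",
     "metadata": {"name": "orleans-cluster", "namespace": "mynamespace"},
     "rules": [{"apiGroups": ["orleans.dot.net"],
                "resources": ["clusterversions", "silos"], "verbs": ["*"]}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "myserviceaccount", "namespace": "mynamespace"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "orleans-cluster"},
     "subjects": [{"kind": "ServiceAccount", "name": "myserviceaccount", "namespace": "mynamespace"}]},
    {"kind": "ClusterRole",
     "metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services", "serviceaccounts"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "default-can-view"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "mynamespace"}]},
]

# The same set with the typo from the answer's original ServiceAccount manifest: the binding's
# subject (myserviceaccount) and the account a pod can actually use (myserviceccount) differ.
BROKEN = copy.deepcopy(MANIFESTS)
BROKEN[0]["metadata"]["name"] = "myserviceccount"


def _rules_for_ref(manifests, ref, namespace):
    """Rules of the Role/ClusterRole a roleRef points at, or None if it points nowhere.
    A Role must live in the binding's namespace; a ClusterRole is not namespaced."""
    for m in manifests:
        if m["kind"] != ref["kind"] or m["metadata"]["name"] != ref["name"]:
            continue
        if ref["kind"] == "Role" and m["metadata"].get("namespace") != namespace:
            continue
        return m.get("rules", [])
    return None


def _match(allowed, value):
    return "*" in allowed or value in allowed


def can_i(manifests, sa_namespace, sa_name, verb, resource, api_group="", namespace=None):
    """Answer like `kubectl auth can-i VERB RESOURCE -n NAMESPACE --as=system:serviceaccount:NS:SA`.
    RBAC is default-deny: yes only if some binding names the account and its role has a matching rule."""
    for m in manifests:
        if m["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s.get("namespace") == sa_namespace for s in m.get("subjects", [])):
            continue
        if m["kind"] == "RoleBinding":
            # A RoleBinding grants only inside its own namespace, even if it references a ClusterRole.
            if m["metadata"].get("namespace") != namespace:
                continue
            rules = _rules_for_ref(manifests, m["roleRef"], namespace) or []
        else:
            rules = _rules_for_ref(manifests, m["roleRef"], None) or []
        for rule in rules:
            if (_match(rule.get("apiGroups", []), api_group)
                    and _match(rule.get("resources", []), resource)
                    and _match(rule.get("verbs", []), verb)):
                return True
    return False


def lint_bindings(manifests):
    """Flag mistakes that only surface as 403s at runtime: a subject ServiceAccount that does
    not exist, a roleRef that points nowhere, or a roleRef carrying a namespace field (invalid)."""
    problems = []
    accounts = {(m["metadata"]["namespace"], m["metadata"]["name"])
                for m in manifests if m["kind"] == "ServiceAccount"}
    for m in manifests:
        if m["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        name, ref = m["metadata"]["name"], m["roleRef"]
        if "namespace" in ref:
            problems.append(f"{name}: roleRef must not carry a namespace")
        if _rules_for_ref(manifests, ref, m["metadata"].get("namespace")) is None:
            problems.append(f"{name}: roleRef {ref['kind']}/{ref['name']} not found")
        for s in m.get("subjects", []):
            if s["kind"] == "ServiceAccount" and (s.get("namespace"), s["name"]) not in accounts:
                problems.append(f"{name}: subject ServiceAccount "
                                f"{s.get('namespace')}/{s['name']} does not exist")
    return problems


if __name__ == "__main__":
    print(can_i(MANIFESTS, "mynamespace", "default", "list", "pods", "", "kube-system"))  # True
    print(lint_bindings(BROKEN))
```

With these manifests, `myserviceaccount` can do anything to `silos` in `mynamespace` but cannot list pods anywhere, while `default` in `mynamespace` can list pods in every namespace because its binding is a ClusterRoleBinding; `default` in any other namespace gets nothing, because no binding names it. On a real cluster the same question is answered by `kubectl auth can-i --list --as=system:serviceaccount:mynamespace:default -n mynamespace`, and the fix for an over-permissioned `default` account is to remove the binding that grants it and give workloads their own service account, as the answer describes.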