0

I can create a rolebinding like this

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test
  namespace: rolebinding-ns
subjects:
  - kind: ServiceAccount
    name: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view

The subject defines a ServiceAccount without the namespace, and we have a "default" serviceaccount in this rolebinding-ns namespace but we have some other "default" serviceaccounts in other namespaces, included the system namespaces, are different serviceaccounts but with the same name

The question is. Which serviceaccount is used in this rolebinding? The one that is in the same namespace as the rolebinding or kube-system one or any other?

I just applied the yml of the rolebinding without error but I do not know which serviceaccount is being used.

Roberto
  • 1
  • 1

1 Answers1

1

There's no namespace specified for the service account in your question:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test
  namespace: rolebinding-ns
subjects:
  - kind: ServiceAccount
    name: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view

Which serviceaccount is used in this rolebinding? The one that is in the same namespace as the rolebinding or kube-system one or any other?

RoleBinding is a namespaced object, therefore in this case the one that is in the same namespace as the rolebinding and no other.

gohm'c
  • 13,492
  • 1
  • 9
  • 16
  • However we can define another namespace for that serviceaccount subject. Why you say no other? – Roberto Feb 02 '23 at 10:20
  • The answer is specific to your question as-is, no assumption is made. When there is no namespace specified for the SA, it will be in the same namespace as the rolebinding and no other. – gohm'c Feb 02 '23 at 12:09