
I have a couple of namespaces - assume NS1 and NS2. I have service accounts created in those - sa1 in NS1 and sa2 in NS2. I have created roles and rolebindings for sa1 to do stuff within NS1 and sa2 within NS2. What I want is to give sa1 certain access within NS2 (say only the Pod Reader role).

I am wondering whether that's possible or not.


You can simply reference a ServiceAccount from another namespace in the RoleBinding:

# Role lives in the namespace where the access is granted (ns2).
# The answer originally used rbac.authorization.k8s.io/v1beta1 here; that
# version was removed in Kubernetes 1.22, so v1 is used for both objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: ns2
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
# RoleBinding also lives in ns2: a RoleBinding only grants access within its
# own namespace. The subject, however, may be a ServiceAccount from ns1.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-from-ns1
  namespace: ns2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- kind: ServiceAccount
  name: ns1-service-account
  namespace: ns1   # the ServiceAccount's own namespace, not the binding's
  • can we apply the same concept to make communication between a Service [NodePort in ns1] and an Ingress [Aws-alb-ingress-controller in ns2] work, i.e. across 2 different namespaces? Sep 24, 2019 at 19:44
  • @AshishKumar here you can use a service of type ExternalName.
    – LLlAMnYP
    Oct 2, 2019 at 20:19
  • @LLlAMnYP can a service of type ExternalName distribute the traffic among multiple pods under the same label specified? Oct 3, 2019 at 6:14
  • @Ashish a service of type ExternalName is nothing more than a CNAME record in the cluster DNS. The balancing is then done by the service it is pointing to.
    – LLlAMnYP
    Oct 3, 2019 at 7:05
  • There is also a very good and clear article about the topic: octopus.com/blog/k8s-rbac-roles-and-bindings This finally helped me to understand the relationship between service accounts, roles, role bindings, cluster roles and cluster role bindings.
    – Ville
    Aug 13, 2021 at 13:06
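To make the point of the accepted answer concrete, here is an added toy evaluator of namespaced RBAC (example code written for this page, not part of the answer and not Kubernetes' own authorizer). It embeds the answer's Role and RoleBinding as constructed Python dicts and shows that the binding's namespace, not the ServiceAccount's, decides where the access applies; the helper names `can_i` and `_rule_matches` are hypothetical.

```python
"""Toy evaluator of Kubernetes namespaced RBAC (added example).

Mirrors the API server's rule that matters here: a RoleBinding grants the
rules of the Role it references to each listed subject, but only for requests
in the RoleBinding's own namespace, whatever namespace the subject lives in.
"""

# Constructed manifests mirroring the answer's YAML, as dicts so that this
# runs without a YAML library.
ROLES = [{
    "metadata": {"name": "pod-reader", "namespace": "ns2"},
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "list", "watch"]}],
}]
ROLE_BINDINGS = [{
    "metadata": {"name": "pod-reader-from-ns1", "namespace": "ns2"},
    "roleRef": {"kind": "Role", "name": "pod-reader"},
    "subjects": [{"kind": "ServiceAccount", "name": "ns1-service-account",
                  "namespace": "ns1"}],
}]


def _rule_matches(rule, api_group, resource, verb):
    """A rule matches when group, resource and verb are each listed or '*'."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def can_i(sa_namespace, sa_name, verb, resource, in_namespace, api_group=""):
    """True if ServiceAccount sa_namespace/sa_name may <verb> <resource> in in_namespace."""
    for rb in ROLE_BINDINGS:
        if rb["metadata"]["namespace"] != in_namespace:
            continue  # a RoleBinding never grants anything outside its namespace
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s.get("namespace") == sa_namespace for s in rb["subjects"]):
            continue  # this ServiceAccount is not a subject of the binding
        ref = rb["roleRef"]
        if ref["kind"] != "Role":
            continue  # ClusterRole references are out of scope for this toy
        # A roleRef of kind Role resolves to a Role in the binding's namespace.
        for role in ROLES:
            if (role["metadata"]["name"] == ref["name"]
                    and role["metadata"]["namespace"] == in_namespace
                    and any(_rule_matches(r, api_group, resource, verb) for r in role["rules"])):
                return True
    return False
```

Against a real cluster the equivalent check is `kubectl auth can-i list pods -n ns2 --as=system:serviceaccount:ns1:ns1-service-account`, which should answer `yes` once the two objects above are applied, while the same command with `-n ns1` answers `no`.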
