@abhisek
Created March 17, 2020 04:08
Kubernetes Service Account with Pod CRUD Privilege to Single Namespace
apiVersion: v1
kind: Namespace
metadata:
  name: developers
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: developers
  name: developer-sa
---
# rbac.authorization.k8s.io/v1 replaces the v1beta1 API the original used,
# which was removed from Kubernetes in 1.22.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developer-role-ns
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
      - pods
    verbs:
      - get
      - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer-role-pod
  namespace: developers
rules:
  - apiGroups:
      - ""
    # "create" on pods/exec is what authorises kubectl exec, i.e. running
    # commands inside any pod of this namespace; grant it deliberately.
    resources: ["pods", "pods/exec"]
    # "exec" and "edit" are not RBAC verbs and were dropped from the original
    # list: exec is covered by "create" on pods/exec, kubectl edit by get plus
    # update or patch.
    verbs: ["get", "list", "create", "update", "delete", "watch", "patch"]
---
# Bound through a ClusterRoleBinding, so developer-sa can get and list
# namespaces and pods in every namespace, not only in developers. Bind the
# ClusterRole with a RoleBinding instead if read access must stay in one
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # ClusterRoleBindings are cluster-scoped; the namespace field the original
  # set here is ignored by the API server and is omitted.
  name: developer-role-binding1
roleRef:
  kind: ClusterRole
  name: developer-role-ns
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: developer-sa
    namespace: developers
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: developers
  name: developer-role-binding2
roleRef:
  kind: Role
  name: developer-role-pod
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: developer-sa
    namespace: developers
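As an added check that is not part of the gist, the script below mirrors the roles and bindings above as constructed Python data (no cluster access, nothing loaded from YAML) and resolves "can developer-sa do this verb on this resource in this namespace" the way the API server matches RBAC rules; it makes visible that pod CRUD is confined to developers while get and list on pods reach every namespace. The function names can_i and pod_verbs are this example's own.

```python
"""Offline check of what the gist's bindings grant to developer-sa.
Rules and bindings are copied by hand from the manifests above (constructed
data, not read from a cluster); can_i mirrors the API server's RBAC match."""

# (kind, name) -> rules; each rule is (apiGroups, resources, verbs)
ROLES = {
    ("ClusterRole", "developer-role-ns"): [
        ({""}, {"namespaces", "pods"}, {"get", "list"})],
    ("Role", "developer-role-pod"): [
        ({""}, {"pods", "pods/exec"},
         {"get", "list", "create", "update", "delete", "watch", "patch"})],
}
DEVELOPER_SA = ("ServiceAccount", "developer-sa", "developers")
# (binding kind, roleRef, binding namespace or None if cluster-scoped, subjects)
BINDINGS = [
    ("ClusterRoleBinding", ("ClusterRole", "developer-role-ns"), None, [DEVELOPER_SA]),
    ("RoleBinding", ("Role", "developer-role-pod"), "developers", [DEVELOPER_SA]),
]


def can_i(subject, verb, resource, namespace, api_group=""):
    """True if some binding grants verb on resource in namespace for subject.
    A ClusterRoleBinding applies in every namespace, a RoleBinding only in
    its own; RBAC is purely additive, so any matching rule is enough."""
    for kind, role_ref, bind_ns, subjects in BINDINGS:
        if subject not in subjects or (kind == "RoleBinding" and bind_ns != namespace):
            continue
        for groups, resources, verbs in ROLES[role_ref]:
            if ((api_group in groups or "*" in groups)
                    and (resource in resources or "*" in resources)
                    and (verb in verbs or "*" in verbs)):
                return True
    return False


def pod_verbs(subject, namespace):
    """Set of verbs subject holds on pods in namespace, for comparing namespaces."""
    checks = ("get", "list", "watch", "create", "update", "patch", "delete")
    return {v for v in checks if can_i(subject, v, "pods", namespace)}


if __name__ == "__main__":
    # Expect full CRUD in developers but read access in every other namespace
    for ns in ("developers", "kube-system"):
        print(ns, sorted(pod_verbs(DEVELOPER_SA, ns)))
```

On a live cluster the same questions are answered by `kubectl auth can-i <verb> <resource> -n <namespace> --as=system:serviceaccount:developers:developer-sa`.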