A ServiceAccount in a namespace can be given permissions to act in another namespace.

namespace-permission-test.yaml

### Can a ServiceAccount in a namespace be given permissions to act in another namespace?

# Answer: Yes. A RoleBinding in one namespace can cite a ServiceAccount in *any* namespace.

### Test

# $ kubectl apply -f namespace-permission-test.yaml


### Manifests

# Create a pair of namespaces for this test.

apiVersion: v1
kind: Namespace
metadata:
  name: permission-test-namespace-one
spec: {}

---

apiVersion: v1
kind: Namespace
metadata:
  name: permission-test-namespace-two
spec: {}

---

# A Role for creating ConfigMap resources, defined inside namespace One.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: configmap-creator
  namespace: permission-test-namespace-one
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create

---

# A RoleBinding giving the role above to the "default" service account in a different namespace Two
# Note: We could use any ServiceAccount resource in namespace "permission-test-namespace-two".

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: admin-of-namespace-one
  namespace: permission-test-namespace-one
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: configmap-creator
subjects:
- kind: ServiceAccount
  name: default
  namespace: permission-test-namespace-two

---

# Two Jobs, both in the namespace "permission-test-namespace-two", each trying to create a ConfigMap in a namespace.

# This cross-namespace Job will complete with success.

apiVersion: batch/v1
kind: Job
metadata:
  labels:
    run: mutate-namespace-one
  name: mutate-namespace-one
  namespace: permission-test-namespace-two
spec:
  backoffLimit: 1
  template:
    metadata:
      labels:
        run: mutate-namespace-one
    spec:
      containers:
      - image: bitnami/kubectl
        name: mutate-namespace-one
        args:
          - create
          - configmap
          - successfully-create-configmap-in-namespace-one
          - --namespace=permission-test-namespace-one
          - --from-literal=try=success
          #- -v=6
      restartPolicy: Never

---

# This same-namespace Job will complete with error.

apiVersion: batch/v1
kind: Job
metadata:
  labels:
    run: mutate-namespace-two
  name: mutate-namespace-two
  namespace: permission-test-namespace-two
spec:
  backoffLimit: 1
  template:
    metadata:
      labels:
        run: mutate-namespace-two
    spec:
      containers:
      - image: bitnami/kubectl
        name: mutate-namespace-two
        args:
          - create
          - configmap
          - cannot-create-c6nfigmap-in-namespace-two
          - --namespace=permission-test-namespace-two
          - --from-literal=try=fail
          #- -v=8
      restartPolicy: Never


### Results

# Cross-namespace job succeeded, same-namespace job failed.

# $ kubectl -n permission-test-namespace-two get jobs
# NAME                   COMPLETIONS   DURATION   AGE
# mutate-namespace-one   1/1           9s         2m51s
# mutate-namespace-two   0/1           2m51s      2m51s

# $ kubectl -n permission-test-namespace-two logs jobs/mutate-namespace-one
# configmap/successfully-create-configmap-in-namespace-one created

# $ kubectl -n permission-test-namespace-two logs jobs/mutate-namespace-two
# Error from server (Forbidden): configmaps is forbidden: User "system:serviceaccount:permission-test-namespace-two:default" cannot create resource "configmaps" in API group "" in the namespace "permission-test-namespace-two"


### Cleanup
# $ kubectl delete -f namespace-permission-test.yaml