@ellieayla
Created May 13, 2019 17:03
A ServiceAccount in a namespace can be given permissions to act in another namespace.
```yaml
### Can a ServiceAccount in a namespace be given permissions to act in another namespace?
# Answer: Yes. A RoleBinding in one namespace can cite a ServiceAccount in *any* namespace.

### Test
# $ kubectl apply -f namespace-permission-test.yaml

### Manifests
# Create a pair of namespaces for this test.
apiVersion: v1
kind: Namespace
metadata:
  name: permission-test-namespace-one
spec: {}
---
apiVersion: v1
kind: Namespace
metadata:
  name: permission-test-namespace-two
spec: {}
---
# A Role for creating ConfigMap resources, defined inside namespace One.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-creator
  namespace: permission-test-namespace-one
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
---
# A RoleBinding giving the role above to the "default" service account in a different namespace, Two.
# Note: We could use any ServiceAccount resource in namespace "permission-test-namespace-two".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: admin-of-namespace-one
  namespace: permission-test-namespace-one
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: configmap-creator
subjects:
- kind: ServiceAccount
  name: default
  namespace: permission-test-namespace-two
---
# Two Jobs, both in the namespace "permission-test-namespace-two", each trying to create a ConfigMap in one of the namespaces.
# Both run as the "default" ServiceAccount of namespace Two, the subject of the RoleBinding above.
# This cross-namespace Job will complete with success.
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    run: mutate-namespace-one
  name: mutate-namespace-one
  namespace: permission-test-namespace-two
spec:
  backoffLimit: 1
  template:
    metadata:
      labels:
        run: mutate-namespace-one
    spec:
      containers:
      - image: bitnami/kubectl
        name: mutate-namespace-one
        args:
        - create
        - configmap
        - successfully-create-configmap-in-namespace-one
        - --namespace=permission-test-namespace-one
        - --from-literal=try=success
        #- -v=6
      restartPolicy: Never
---
# This same-namespace Job will complete with error: the Role is bound only in namespace One.
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    run: mutate-namespace-two
  name: mutate-namespace-two
  namespace: permission-test-namespace-two
spec:
  backoffLimit: 1
  template:
    metadata:
      labels:
        run: mutate-namespace-two
    spec:
      containers:
      - image: bitnami/kubectl
        name: mutate-namespace-two
        args:
        - create
        - configmap
        - cannot-create-configmap-in-namespace-two
        - --namespace=permission-test-namespace-two
        - --from-literal=try=fail
        #- -v=8
      restartPolicy: Never

### Results
# Cross-namespace job succeeded, same-namespace job failed.
# $ kubectl -n permission-test-namespace-two get jobs
# NAME                   COMPLETIONS   DURATION   AGE
# mutate-namespace-one   1/1           9s         2m51s
# mutate-namespace-two   0/1           2m51s      2m51s
# $ kubectl -n permission-test-namespace-two logs jobs/mutate-namespace-one
# configmap/successfully-create-configmap-in-namespace-one created
# $ kubectl -n permission-test-namespace-two logs jobs/mutate-namespace-two
# Error from server (Forbidden): configmaps is forbidden: User "system:serviceaccount:permission-test-namespace-two:default" cannot create resource "configmaps" in API group "" in the namespace "permission-test-namespace-two"

### Cleanup
# $ kubectl delete -f namespace-permission-test.yaml
```
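Because a RoleBinding can name a ServiceAccount from any namespace, a namespace's "default" account can quietly accumulate rights elsewhere. The audit below is an added example, not part of the gist: it takes the JSON shape that `kubectl get rolebindings --all-namespaces -o json` returns and lists every ServiceAccount subject that lives outside the binding's own namespace. The sample input is constructed by hand to mirror the gist's binding plus an ordinary same-namespace one; it is not captured cluster output.

```python
import json

# Constructed sample shaped like `kubectl get rolebindings -A -o json` output:
# the gist's cross-namespace binding plus an ordinary same-namespace one.
SAMPLE_ROLEBINDINGS_JSON = json.dumps({"kind": "List", "items": [
    {"kind": "RoleBinding",
     "metadata": {"name": "admin-of-namespace-one",
                  "namespace": "permission-test-namespace-one"},
     "roleRef": {"kind": "Role", "name": "configmap-creator"},
     "subjects": [{"kind": "ServiceAccount", "name": "default",
                   "namespace": "permission-test-namespace-two"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "local-reader",
                  "namespace": "permission-test-namespace-one"},
     "roleRef": {"kind": "Role", "name": "configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "default",
                   "namespace": "permission-test-namespace-one"}]},
]})


def cross_namespace_bindings(rolebindings_json):
    """Return (binding namespace, binding name, role name, subject) for every
    ServiceAccount subject that lives outside the binding's own namespace.
    A ServiceAccount subject with no namespace field is treated as living in
    the binding's namespace, which is how the RBAC authorizer reads it."""
    findings = []
    for rb in json.loads(rolebindings_json).get("items", []):
        rb_ns = rb["metadata"]["namespace"]
        for subj in rb.get("subjects") or []:
            if subj.get("kind") != "ServiceAccount":
                continue
            subj_ns = subj.get("namespace") or rb_ns
            if subj_ns != rb_ns:
                sa = f"system:serviceaccount:{subj_ns}:{subj['name']}"
                findings.append((rb_ns, rb["metadata"]["name"],
                                 rb["roleRef"]["name"], sa))
    return findings


if __name__ == "__main__":
    for rb_ns, rb_name, role, sa in cross_namespace_bindings(SAMPLE_ROLEBINDINGS_JSON):
        print(f"{rb_ns}/{rb_name} grants role {role} to {sa}")
```

Feed it real output with `kubectl get rolebindings -A -o json | python3 audit.py` after swapping the sample for `sys.stdin.read()`; each line printed is a grant worth confirming is intentional.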