Grant a pod access to create new Namespaces
To give a pod control over something in Kubernetes you need at least four things:

- Create or select an existing `Role`/`ClusterRole` (you picked `administer-cluster`, whose rules are unknown to me).
- Create or select an existing `ServiceAccount` (you created `k8s-deployer` in namespace `tooling`).
- Put the two together with a `RoleBinding`/`ClusterRoleBinding`.
- Assign the `ServiceAccount` to a pod.
Here's an example that can manage namespaces:
```yaml
# Create a service account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: k8s-deployer
  namespace: tooling
---
# Create a cluster role that is allowed to perform
# ["get", "list", "create", "delete", "patch"] over ["namespaces"]
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k8s-deployer
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "create", "delete", "patch"]
---
# Associate the cluster role with the service account
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-deployer
  # make sure NOT to mention 'namespace' here or
  # the permissions will only have effect in the
  # given namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k8s-deployer
subjects:
  - kind: ServiceAccount
    name: k8s-deployer
    namespace: tooling
```
After that you need to mention the service account name in the pod spec, as you already did. More info about RBAC is in the documentation.
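As an added example (not part of the answer above, and not Kubernetes' own authorizer), here is a small Python model of how these bindings are evaluated, using the manifest names from the answer; it shows why the binding has to be a `ClusterRoleBinding` to reach a cluster-scoped resource such as namespaces, and that the service account gets nothing beyond the listed verbs.

```python
# Toy RBAC evaluator (added example, not kubectl's authorizer). It models why the
# binding above must be a ClusterRoleBinding: a namespaced RoleBinding only covers
# objects inside its namespace, and namespaces themselves are cluster-scoped.
# Simplification: only ClusterRoles, no aggregation, resourceNames or groups.

# Constructed mirror of the answer's manifests (same names as the page).
CLUSTER_ROLES = {
    "k8s-deployer": [{"apiGroups": [""], "resources": ["namespaces"],
                      "verbs": ["get", "list", "create", "delete", "patch"]}],
}
SUBJECT = [{"kind": "ServiceAccount", "name": "k8s-deployer", "namespace": "tooling"}]
# The binding from the answer: no namespace, so it takes effect cluster-wide.
GOOD_BINDINGS = [{"kind": "ClusterRoleBinding", "metadata": {"name": "k8s-deployer"},
                  "roleRef": {"kind": "ClusterRole", "name": "k8s-deployer"},
                  "subjects": SUBJECT}]
# The mistake the answer's comment warns about: the same role bound per namespace.
BAD_BINDINGS = [{"kind": "RoleBinding",
                 "metadata": {"name": "k8s-deployer", "namespace": "tooling"},
                 "roleRef": {"kind": "ClusterRole", "name": "k8s-deployer"},
                 "subjects": SUBJECT}]

def sa_user(namespace, name):
    """Username Kubernetes derives from a ServiceAccount token."""
    return f"system:serviceaccount:{namespace}:{name}"

def rule_allows(rule, verb, resource):
    return (verb in rule["verbs"] or "*" in rule["verbs"]) and (
        resource in rule["resources"] or "*" in rule["resources"])

def can_i(bindings, user, verb, resource, namespace=None):
    """True if some binding grants `user` `verb` on `resource`.
    `namespace` is the object's namespace; None means cluster-scoped."""
    for b in bindings:
        if not any(sa_user(s["namespace"], s["name"]) == user for s in b["subjects"]):
            continue
        # A RoleBinding is confined to its own namespace; a cluster-scoped
        # object has namespace None, so a RoleBinding can never reach it.
        if b["kind"] == "RoleBinding" and namespace != b["metadata"]["namespace"]:
            continue
        rules = CLUSTER_ROLES.get(b["roleRef"]["name"], [])
        if any(rule_allows(r, verb, resource) for r in rules):
            return True
    return False

DEPLOYER = sa_user("tooling", "k8s-deployer")
```

On a real cluster the equivalent check is `kubectl auth can-i create namespaces --as=system:serviceaccount:tooling:k8s-deployer`, which should answer `yes`, while the same command for a resource or verb outside the role should answer `no`.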