How to bind roles with service accounts - Kubernetes
Try the below steps

```shell
# create service account
kubectl create serviceaccount pod-viewer
```

Create cluster role/role:

```yaml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-viewer
rules:
- apiGroups: [""] # core API group
  resources: ["pods", "namespaces"]
  verbs: ["get", "watch", "list"]
---
```

```shell
# create cluster role binding
kubectl create clusterrolebinding pod-viewer \
  --clusterrole=pod-viewer \
  --serviceaccount=default:pod-viewer

# get service account secret
kubectl get secret | grep pod-viewer
pod-viewer-token-6fdcn   kubernetes.io/service-account-token   3      2m58s

# get token
kubectl describe secret pod-viewer-token-6fdcn
Name:         pod-viewer-token-6fdcn
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: pod-viewer
              kubernetes.io/service-account.uid: bbfb3c4e-2254-11ea-a26c-0242ac110009

Type:  kubernetes.io/service-account-token

Data
====
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InBvZC12aWV3ZXItdG9rZW4tNmZkY24iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoicG9kLXZpZXdlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImJiZmIzYzRlLTIyNTQtMTFlYS1hMjZjLTAyNDJhYzExMDAwOSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnBvZC12aWV3ZXIifQ.Pgco_4UwTCiOfYYS4QLwqgWnG8nry6JxoGiJCDuO4ZVDWUOkGJ3w6-8K1gGRSzWFOSB8E0l2YSQR4PB9jlc_9GYCFQ0-XNgkuiZBPvsTmKXdDvCNFz7bmg_Cua7HnACkKDbISKKyK4HMH-ShgVXDoMG5KmQQ_TCWs2E_a88COGMA543QL_BxckFowQZk19Iq8yEgSEfI9m8qfz4n6G7dQu9IpUSmVNUVB5GaEsaCIg6h_AXxDds5Ot6ngWUawvhYrPRv79zVKfAxYKwetjC291-qiIM92XZ63-YJJ3xbxPAsnCEwL_hG3P95-CNzoxJHKEfs_qa7a4hfe0k6HtHTWA
ca.crt:     1025 bytes
namespace:  7 bytes
```

Login to dashboard using the above token. You should see only pods and namespaces.

[![Refer the below link][1]][1]

  [1]: https://i.stack.imgur.com/D9bDi.png
Okay, I've found the solution for this. The major issue was that I'm running my cluster on Azure AKS, which I should have mentioned in the question but did not. It was my mistake. In Azure AKS, if RBAC is not enabled during AKS creation, then there is no use of roles and role bindings at all. All requests to the api-server will be treated as requests from Admin. This was confirmed by Azure support too. So that was the reason my cluster-role-binding and roles didn't apply.
I see that the .yamls you provided need some adjustments. `Role` has wrong formatting after the `rules` part. `RoleBinding` is missing `namespace:` after `subjects:`, and also is formatted wrongly.

Try something like this:

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: assembly-prod
  name: testreadrole
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: testrolebinding
  namespace: assembly-prod
subjects:
  - kind: ServiceAccount
    name: testsa
    namespace: assembly-prod
roleRef:
  kind: Role
  name: testreadrole
  apiGroup: rbac.authorization.k8s.io
```
There is a very useful guide about Non-Privileged RBAC User Administration in Kubernetes where you can find more detailed info regarding this particular topic.
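The three answers above make three separate points: a ClusterRoleBinding grants a service account access in every namespace, a RoleBinding grants it only in its own namespace and only binds the subject if the subject's `namespace:` matches the service account's, and none of it matters on a cluster whose authorizer is not RBAC. The following added example, which is not code from any of the answers, models the manifests above as plain dicts and evaluates them the way the RBAC authorizer does, so the effect of each of those points can be checked without a cluster. The `rbac_enabled` flag and the `ROLE_BINDING_MISSING_NS` manifest are constructed for the example; `kubectl_can_i` builds the equivalent impersonation check for a live cluster.

```python
# Offline model of Kubernetes RBAC evaluation (added example, not code from the
# answers above). The answers' manifests are transcribed as dict literals so the
# logic runs with no cluster and no PyYAML.

# --- manifests from the answers, as dicts ---------------------------------
CLUSTER_ROLE_POD_VIEWER = {
    "kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "namespaces"],
               "verbs": ["get", "watch", "list"]}],
}
CLUSTER_ROLE_BINDING_POD_VIEWER = {
    "kind": "ClusterRoleBinding", "metadata": {"name": "pod-viewer"},
    "subjects": [{"kind": "ServiceAccount", "name": "pod-viewer", "namespace": "default"}],
    "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
}
ROLE_TESTREADROLE = {
    "kind": "Role", "metadata": {"namespace": "assembly-prod", "name": "testreadrole"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}],
}
ROLE_BINDING_TESTROLEBINDING = {
    "kind": "RoleBinding", "metadata": {"name": "testrolebinding", "namespace": "assembly-prod"},
    "subjects": [{"kind": "ServiceAccount", "name": "testsa", "namespace": "assembly-prod"}],
    "roleRef": {"kind": "Role", "name": "testreadrole"},
}
# Constructed for this example: the mistake the third answer points out,
# a ServiceAccount subject without a namespace.
ROLE_BINDING_MISSING_NS = {
    "kind": "RoleBinding", "metadata": {"name": "broken", "namespace": "assembly-prod"},
    "subjects": [{"kind": "ServiceAccount", "name": "testsa"}],
    "roleRef": {"kind": "Role", "name": "testreadrole"},
}

ROLES = [CLUSTER_ROLE_POD_VIEWER, ROLE_TESTREADROLE]
BINDINGS = [CLUSTER_ROLE_BINDING_POD_VIEWER, ROLE_BINDING_TESTROLEBINDING]


def subject_matches(subject, sa_namespace, sa_name):
    # RBAC knows a ServiceAccount as system:serviceaccount:<namespace>:<name>,
    # so a subject with a missing or wrong namespace binds nobody.
    return (subject.get("kind") == "ServiceAccount"
            and subject.get("name") == sa_name
            and subject.get("namespace") == sa_namespace)


def rule_allows(rule, api_group, resource, verb):
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def resolve_role(roles, binding):
    # roleRef of kind Role means a Role in the binding's own namespace;
    # a ClusterRole reference is cluster-wide for either binding kind.
    ref = binding["roleRef"]
    for role in roles:
        if role["kind"] != ref["kind"] or role["metadata"]["name"] != ref["name"]:
            continue
        if ref["kind"] == "Role" and role["metadata"]["namespace"] != binding["metadata"]["namespace"]:
            continue
        return role
    return None


def can_i(roles, bindings, sa_namespace, sa_name, verb, resource,
          namespace="", api_group="", rbac_enabled=True):
    """Answer what `kubectl auth can-i` would answer for a ServiceAccount.

    namespace="" denotes a cluster-scoped request (e.g. listing namespaces).
    rbac_enabled=False models a cluster whose authorizer is not RBAC, where,
    as the asker found on AKS, every request is admitted as admin.
    """
    if not rbac_enabled:
        return True
    for binding in bindings:
        if not any(subject_matches(s, sa_namespace, sa_name) for s in binding.get("subjects", [])):
            continue
        # A RoleBinding grants only inside its namespace; a ClusterRoleBinding grants everywhere.
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
            continue
        role = resolve_role(roles, binding)
        if role is None:
            continue  # dangling roleRef grants nothing
        if any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True  # RBAC is purely additive: one matching rule suffices
    return False


def kubectl_can_i(sa_namespace, sa_name, verb, resource, namespace=""):
    """The equivalent check on a live cluster, by impersonating the service account."""
    cmd = ["kubectl", "auth", "can-i", verb, resource,
           f"--as=system:serviceaccount:{sa_namespace}:{sa_name}"]
    if namespace:
        cmd += ["-n", namespace]
    return " ".join(cmd)


if __name__ == "__main__":
    print(can_i(ROLES, BINDINGS, "default", "pod-viewer", "get", "pods", "kube-system"))
    print(can_i(ROLES, BINDINGS, "assembly-prod", "testsa", "get", "pods", "default"))
    print(kubectl_can_i("assembly-prod", "testsa", "get", "pods", "assembly-prod"))
```

Running the printed `kubectl auth can-i ... --as=system:serviceaccount:<ns>:<sa>` line against the real cluster is the quickest way to tell the two failure modes apart: "no" for an action the role should allow means the binding or subject is wrong (as in the third answer), while "yes" for something no binding grants means the cluster is not enforcing RBAC at all (as in the asker's AKS case).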