Limit the Kubernetes service account access specific namespace
Kubernetes has only two permission scopes: Cluster (ClusterRole) or Namespace (Role), and no way to limit or exclude a ClusterRole to specific namespaces. If you want to restrict your ServiceAccount to specific namespaces, you cannot use a ClusterRole but must use a Role in every namespace the ServiceAccount should have access in.
In addition to the other answer, when you use a Role, you need to specify the namespace on your RoleBinding. For example:
$ kubectl create rolebinding my-binding --role=myrole --user=myuser --namespace=mynamespace
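
Putting both answers together for a ServiceAccount subject, as an added example that is not part of either answer: the function below emits one Role and one RoleBinding per target namespace. The ServiceAccount `deployer` in namespace `ci`, the target namespaces `team-a` and `team-b`, and the read-only pod rule are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: emit a Role and a RoleBinding for one ServiceAccount in each
# namespace it may access. All names used here are hypothetical placeholders.

# gen_ns_access SA_NAME SA_NAMESPACE TARGET_NS...
gen_ns_access() {
  sa_name=$1; sa_ns=$2; shift 2
  for ns in "$@"; do
    cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${sa_name}-access
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa_name}-access
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${sa_name}
  namespace: ${sa_ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${sa_name}-access
EOF
  done
}

# Review the output, then pipe it to: kubectl apply -f -
# Verify afterwards with:
#   kubectl auth can-i list pods -n team-a --as=system:serviceaccount:ci:deployer
gen_ns_access deployer ci team-a team-b
```

Running the same `kubectl auth can-i` check against a namespace that was not listed should answer `no`, which confirms the ServiceAccount holds no cluster-wide grant.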