
I'm trying to give a service account my-service-account access to apply deployments within a namespace my-namespace in a Google Kubernetes Engine cluster running Kubernetes 1.14.

This is what my rolebinding looks like:

$ kubectl describe rolebinding -n my-namespace --context my-cluster
Name:         my-namespace-service-account-policy
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  edit
Subjects:
  Kind            Name                                 Namespace
  ----            ----                                 ---------
  ServiceAccount  my-service-account                   my-namespace

However, when my service account goes to apply a manifest, I get an error that ends with:

deployments.apps "my-namespace" is forbidden: User "system:serviceaccount:my-namespace:my-service-account" cannot get resource "deployments" in API group "apps" in the namespace "my-namespace": RBAC: role.rbac.authorization.k8s.io "edit" not found

I also tried using "admin" instead of edit. If I instead create a clusterrolebinding with cluster-admin for the same service account, it works fine. How do I grant the account access just to the namespace?

Luke Schlather

1 Answer


The predefined edit name is a ClusterRole, and thus making reference to it as a Role is not referring to the same entity.

The godoc for that declaration seems to imply that it's safe to create the ClusterRoleBinding to the edit ClusterRole since it is scoped to namespace-level editing, but I haven't studied that policy extensively and am not an RBAC wizard.

mdaniel
Creating a rolebinding with --clusterrole seems to work: kubectl create rolebinding $rolebinding --namespace $namespace --clusterrole=admin --serviceaccount "${namespace}:${deploymentAccountName}" --context $k8sContext – Luke Schlather Feb 28 '20 at 19:30
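The mistake in the question, a RoleBinding whose roleRef says kind: Role but names the built-in edit ClusterRole, is easy to lint for before a manifest ever reaches the API server. The following is an added example, not code from the question or answer; the manifest is a constructed dict mirroring the kubectl describe output above, and the check/fix functions are hypothetical helpers.

```python
# Added example: lint RoleBinding manifests for a roleRef of kind Role that
# names one of the built-in ClusterRoles, and emit the corrected roleRef.
# Manifests are plain dicts so the script runs without PyYAML or a cluster.

DEFAULT_CLUSTERROLES = {"cluster-admin", "admin", "edit", "view"}  # shipped with every cluster

def check_rolebinding(binding, roles_in_namespace):
    """Return a list of findings for one RoleBinding.

    binding: dict shaped like an rbac.authorization.k8s.io/v1 RoleBinding.
    roles_in_namespace: set of Role names that actually exist in the binding's namespace.
    """
    findings = []
    ref = binding["roleRef"]
    ns = binding["metadata"]["namespace"]
    if ref["kind"] == "Role" and ref["name"] not in roles_in_namespace:
        msg = f'roleRef Role "{ref["name"]}" does not exist in namespace "{ns}"; '
        if ref["name"] in DEFAULT_CLUSTERROLES:
            msg += 'a built-in ClusterRole has that name, set roleRef.kind to "ClusterRole"'
        else:
            msg += "create the Role or fix the name"
        findings.append(msg)
    # A RoleBinding only ever grants within its own namespace, even for a ClusterRole,
    # but cluster-admin there is still broader than a deploy account needs.
    if ref["kind"] == "ClusterRole" and ref["name"] == "cluster-admin":
        findings.append(f'cluster-admin bound in namespace "{ns}"; prefer admin or edit')
    return findings

def fix_rolebinding(binding):
    """Return a copy whose roleRef points at the built-in ClusterRole when that is the fix."""
    fixed = {**binding, "roleRef": dict(binding["roleRef"])}
    if fixed["roleRef"]["kind"] == "Role" and fixed["roleRef"]["name"] in DEFAULT_CLUSTERROLES:
        fixed["roleRef"]["kind"] = "ClusterRole"
    return fixed

# Constructed manifest matching the binding shown in the question.
BROKEN = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "RoleBinding",
    "metadata": {"name": "my-namespace-service-account-policy", "namespace": "my-namespace"},
    "subjects": [{"kind": "ServiceAccount", "name": "my-service-account", "namespace": "my-namespace"}],
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "edit"},
}

if __name__ == "__main__":
    for finding in check_rolebinding(BROKEN, roles_in_namespace=set()):
        print("finding:", finding)
    print("fixed roleRef:", fix_rolebinding(BROKEN)["roleRef"])
```

Note that roleRef on an existing RoleBinding is immutable, so applying the corrected manifest means deleting and recreating the binding rather than patching it in place.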