I am trying to work around an issue with a third party tool. That tool needs to be able to ensure that the namespace I tell it to work in exists. To do that, it runs:
kubectl get namespace my-namespace-name-here
The user that I let the third party tool run as has edit permissions in the my-namespace-name-here namespace. (Via a rolebinding to the namespace using the clusterrole called edit.)
But edit permissions are not enough to allow it to check (using that command) if the namespace exists.
Ideally, I would like a way to grant the user permissions to just get the one namespace above. But I would be satisfied if I could grant permissions to just list namespaces and nothing else new at the cluster level.
How can I just add permissions to list namespaces?
I figured it out!
I needed to make a Role scoped to my-namespace-name-here that grants the ability to get namespaces, then make a rolebinding to grant that permission to my user. Running kubectl apply -f ./my-yaml-file-below.yaml did it.
Here is the YAML:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: namespace-reader
  namespace: my-namespace-name-here
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get"]
---
apiVersion: "rbac.authorization.k8s.io/v1"
kind: RoleBinding
metadata:
  name: my-username-here-namespace-reader
  namespace: my-namespace-name-here
roleRef:
  apiGroup: "rbac.authorization.k8s.io"
  kind: Role
  name: namespace-reader
subjects:
- apiGroup: "rbac.authorization.k8s.io"
  kind: User
  name: "[email protected]"
This allows the user to do a kubectl get namespace on only the namespace that this is granted on.
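Why a namespaced Role can match a request for a cluster-scoped object is the non-obvious part of the answer above. The following is an added example, not code from the post: a small Python model of the two pieces of Kubernetes behaviour involved, namely that the API server derives the request attributes for GET /api/v1/namespaces/<ns> with the namespace attribute set to <ns>, and that a RoleBinding is only consulted for requests whose namespace attribute equals the binding's namespace. The Role/RoleBinding pair from the answer is collapsed into one binding; the user name is the placeholder from the post. The model covers the core API group only and ignores resourceNames, subresources and aggregated ClusterRoles, so treat it as an illustration of the evaluation order, not as a reimplementation of the RBAC authorizer.

```python
"""Toy model of Kubernetes RBAC evaluation for the namespace-get case.

Added example, not part of the original post. Only the core (/api/v1)
group is modelled, and only the rule fields the answer's Role uses.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

NAMESPACE = "my-namespace-name-here"
USER = "[email protected]"  # placeholder user name, as in the post


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]


@dataclass(frozen=True)
class Binding:
    """A (Cluster)RoleBinding collapsed with the rules of the role it references.
    namespace is None for a ClusterRoleBinding."""
    namespace: Optional[str]
    users: Tuple[str, ...]
    rules: Tuple[Rule, ...]


@dataclass(frozen=True)
class Request:
    user: str
    verb: str
    api_group: str
    resource: str
    namespace: str  # "" for a cluster-scoped request
    name: str


def request_for(user: str, verb: str, path: str) -> Request:
    """Derive RBAC request attributes from a /api/v1 path the way the API
    server's RequestInfo resolver does. The detail that matters here: for
    /api/v1/namespaces/<ns> (the namespace object itself) the namespace
    attribute becomes <ns>, resource stays "namespaces" and name is <ns>."""
    parts = path.strip("/").split("/")
    if parts[:2] != ["api", "v1"]:
        raise ValueError("only /api/v1 paths are modelled")
    parts = parts[2:]
    namespace = ""
    if parts and parts[0] == "namespaces" and len(parts) > 1:
        namespace = parts[1]
        if len(parts) > 2:
            parts = parts[2:]  # /namespaces/<ns>/<resource>[/<name>]
    resource = parts[0] if parts else ""
    name = parts[1] if len(parts) > 1 else ""
    return Request(user, verb, "", resource, namespace, name)


def rule_allows(rule: Rule, req: Request) -> bool:
    return (
        (req.verb in rule.verbs or "*" in rule.verbs)
        and (req.api_group in rule.api_groups or "*" in rule.api_groups)
        and (req.resource in rule.resources or "*" in rule.resources)
    )


def authorize(bindings: Tuple[Binding, ...], req: Request) -> bool:
    """RBAC is allow-only: the first matching rule grants, nothing denies."""
    for b in bindings:
        if req.user not in b.users:
            continue
        # A RoleBinding is consulted only when the request's namespace
        # attribute equals the binding's namespace; a cluster-scoped request
        # (namespace "") can therefore never be granted by a RoleBinding.
        if b.namespace is not None and b.namespace != req.namespace:
            continue
        if any(rule_allows(r, req) for r in b.rules):
            return True
    return False


# The Role + RoleBinding from the answer, collapsed into one binding.
NAMESPACE_READER = Binding(
    namespace=NAMESPACE,
    users=(USER,),
    rules=(Rule(api_groups=("",), resources=("namespaces",), verbs=("get",)),),
)


def can(verb: str, path: str, bindings=(NAMESPACE_READER,), user: str = USER) -> bool:
    return authorize(tuple(bindings), request_for(user, verb, path))


if __name__ == "__main__":
    checks = [
        ("get", f"/api/v1/namespaces/{NAMESPACE}"),   # kubectl get namespace my-namespace-name-here
        ("get", "/api/v1/namespaces/kube-system"),    # another namespace: no matching binding
        ("list", "/api/v1/namespaces"),               # kubectl get namespaces: cluster-scoped request
        ("delete", f"/api/v1/namespaces/{NAMESPACE}"),
    ]
    for verb, path in checks:
        print(f"{verb:6} {path:45} -> {'allowed' if can(verb, path) else 'denied'}")
```

The same checks on a real cluster are `kubectl auth can-i get namespaces/my-namespace-name-here --as "<user>" -n my-namespace-name-here` (expected: yes) and `kubectl auth can-i list namespaces --as "<user>"` (expected: no); the `-n` flag matters for the first one because it is what sets the namespace attribute of the access review, mirroring what the API server does for the GET.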