Goal:
There are two namespaces, "kube-system" and "default". A cron task must run in the "kube-system" namespace and clean up the executed jobs and pods in the "default" namespace. To do this, create a service account in the "kube-system" namespace and a role with the necessary rights in the "default" namespace, then bind that role to the service account.
cross-namespace-role.yaml
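```yaml
# Identity for the cleanup task; it lives in kube-system.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jobs-cleanup
  namespace: kube-system
# No token is mounted by default; a pod that needs API access must opt in.
automountServiceAccountToken: false
---
# Permissions are scoped to the "default" namespace only.
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22, so v1 is used.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jobs-cleanup
  namespace: default
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list", "delete"]
  - apiGroups: ["batch", "extensions"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "delete"]
---
# The binding lives in "default" (where the Role applies) and names a
# subject from "kube-system"; this is what makes the grant cross-namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jobs-cleanup
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jobs-cleanup
subjects:
  - kind: ServiceAccount
    name: jobs-cleanup
    namespace: kube-system
```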
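A CronJob that uses the service account above could look like the following. This is an added example, not part of the original page; the schedule, the history limits and the image name (a placeholder for any image that ships `kubectl` and a shell) are assumptions.

```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: jobs-cleanup
  namespace: kube-system
spec:
  schedule: "0 * * * *"            # assumed: run hourly
  concurrencyPolicy: Forbid        # never run two cleanups at once
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: jobs-cleanup
          # The ServiceAccount sets automountServiceAccountToken: false.
          # The pod-level field takes precedence, so only this pod gets a token.
          automountServiceAccountToken: true
          restartPolicy: Never
          containers:
            - name: cleanup
              # Placeholder image name (assumption), not a real registry path.
              image: registry.example.com/tools/kubectl:placeholder
              command:
                - /bin/sh
                - -c
                - |
                  set -eu
                  # Both commands target "default" explicitly; the Role grants
                  # nothing in kube-system, where this pod itself runs.
                  kubectl delete jobs -n default --field-selector status.successful=1
                  kubectl delete pods -n default --field-selector status.phase=Succeeded
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
```

To confirm the grant is limited to "default", run `kubectl auth can-i delete pods -n default --as=system:serviceaccount:kube-system:jobs-cleanup`, which should answer `yes`, and repeat it with `-n kube-system`, which should answer `no`.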