Kubernetes – One role for multiple namespaces

 

 

Goal:

There are 2 namespaces, they are "kube-system" and "default". It is necessary to run a cron task in the "kube-system" namespace, which will clear the executed jobs and pods in the "default" space. To do this, create a service account in the "kube-system" namespace, a role with the necessary rights in the "default" namespace, and bind the created role for the created account.

cross-namespace-role.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: jobs-cleanup
  namespace: kube-system
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: jobs-cleanup
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list", "delete"]
- apiGroups: ["batch", "extensions"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jobs-cleanup
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jobs-cleanup
subjects:
- kind: ServiceAccount
  name: jobs-cleanup
  namespace: kube-system

 

 

0 0 vote
Article Rating

Tagged: Tags

Подписаться
Уведомление о
guest
0 Comments
Inline Feedbacks
View all comments