{"id":2051,"date":"2020-06-17T20:58:29","date_gmt":"2020-06-17T17:58:29","guid":{"rendered":"https:\/\/artem.services\/?p=2003"},"modified":"2020-11-09T12:47:37","modified_gmt":"2020-11-09T09:47:37","slug":"2051","status":"publish","type":"post","link":"https:\/\/artem.services\/?p=2051&lang=en","title":{"rendered":"Kubernetes — One role for multiple namespaces"},"content":{"rendered":"

\"\"<\/p>\n

 <\/p>\n

 <\/p>\n

Goal:<\/h3>\n

There are 2 namespaces, they are "kube-system<\/strong>" and "default<\/strong>". It is necessary to run a cron task in the "kube-system<\/strong>" namespace, which will clear the executed jobs and pods in the "default<\/strong>" space. To do this, create a service account in the "kube-system<\/strong>" namespace, a role with the necessary rights in the "default<\/strong>" namespace, and bind the created role for the created account.<\/p>\n

cross-namespace-role.yaml<\/h3>\n
\r\napiVersion: v1\r\nkind: ServiceAccount\r\nmetadata:\r\n  name: jobs-cleanup\r\n  namespace: kube-system\r\nautomountServiceAccountToken: false\r\n---\r\napiVersion: rbac.authorization.k8s.io\/v1beta1\r\nkind: Role\r\nmetadata:\r\n  name: jobs-cleanup\r\n  namespace: default\r\nrules:\r\n- apiGroups: [""]\r\n  resources: ["pods"]\r\n  verbs: ["get", "watch", "list", "delete"]\r\n- apiGroups: ["batch", "extensions"]\r\n  resources: ["jobs"]\r\n  verbs: ["get", "list", "watch", "delete"]\r\n---\r\napiVersion: rbac.authorization.k8s.io\/v1\r\nkind: RoleBinding\r\nmetadata:\r\n  name: jobs-cleanup\r\n  namespace: default\r\nroleRef:\r\n  apiGroup: rbac.authorization.k8s.io\r\n  kind: Role\r\n  name: jobs-cleanup\r\nsubjects:\r\n- kind: ServiceAccount\r\n  name: jobs-cleanup\r\n  namespace: kube-system\r\n<\/pre>\n
 <\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
    Goal: There are 2 namespaces, they are "kube-system" and "default". It is necessary to run a cron task in the "kube-system" namespace, which will clear the executed jobs and pods in the "default" space. To do this, create a service account in the "kube-system" namespace, a role with the necessary rights in the … \u041f\u0440\u043e\u0434\u043e\u043b\u0436\u0438\u0442\u044c \u0447\u0438\u0442\u0430\u0442\u044c "Kubernetes — One role for multiple namespaces"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[559],"tags":[549,551,1681,1683],"_links":{"self":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2051"}],"collection":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2051"}],"version-history":[{"count":2,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2051\/revisions"}],"predecessor-version":[{"id":2053,"href":"https:\/\/artem.services\/index.php?rest_route=\/wp\/v2\/posts\/2051\/revisions\/2053"}],"wp:attachment":[{"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2051"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2051"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/artem.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2051"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}