This page walks through creating a namespace administrator on a Kubernetes cluster with RBAC enabled. You need to be a platform administrator with access to the API server (and to the cluster CA key, to sign the client certificate).
The example below is for an administrator with access to several namespaces (demo and sandbox), but not to the rest of the cluster.
Create the certificates
# private key for the new user
openssl genrsa -out multi-namespace-admin.key 2048
# CSR: the CN becomes the Kubernetes user name, the O becomes a group name
openssl req -new -key multi-namespace-admin.key \
    -out multi-namespace-admin.csr \
    -subj "/CN=multi-namespace-admin/O=namespace-admins"
# sign with the cluster CA (ca.crt / ca.key are the API server's client CA)
openssl x509 -req -in multi-namespace-admin.csr \
    -CA ca.crt \
    -CAkey ca.key -CAcreateserial \
    -out multi-namespace-admin.crt -days 365
Set credentials and contexts
kubectl config set-credentials multi-namespace-admin \
    --client-certificate=multi-namespace-admin.crt \
    --client-key=multi-namespace-admin.key
kubectl config set-context multi-admin-demo-context \
    --cluster=api.cluster.com \
    --namespace=demo \
    --user=multi-namespace-admin
kubectl config set-context multi-admin-sandbox-context \
    --cluster=api.cluster.com \
    --namespace=sandbox \
    --user=multi-namespace-admin
Create roles and rolebindings
You need to create one such Role/RoleBinding pair for each namespace the user should manage (the files below cover demo; repeat them with namespace: sandbox).
# role-multi-namespace-manager.yml
kind: Role
# rbac.authorization.k8s.io/v1 (v1beta1 was removed in Kubernetes 1.22)
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: demo
  name: multi-namespace-manager
rules:
# "pods" only exist in the core ("") API group; the extra groups grant nothing
- apiGroups: ["", "extensions", "apps"]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
kubectl create -f role-multi-namespace-manager.yml
# rolebinding-multi-namespace-manager.yml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: multi-namespace-manager-binding
  namespace: demo
subjects:
# the user name must match the CN of the client certificate
- kind: User
  name: multi-namespace-admin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: multi-namespace-manager
  apiGroup: rbac.authorization.k8s.io
kubectl create -f rolebinding-multi-namespace-manager.yml
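The page says to repeat the Role/RoleBinding pair per namespace and then, in the Usage section, shows by hand which namespaces are reachable. The script below is an added example (not from the original page) that generates the pair for any namespace from one template, and then verifies the resulting permissions from the platform administrator's side with `kubectl auth can-i --as`, checking both that the allowed namespaces work and that kube-system is still refused. The user and role names are the ones from the page; the output file names and the namespace list are assumptions.

```shell
#!/bin/sh
# Added example: one Role/RoleBinding template per namespace plus an RBAC check.
# Names below match the page; file names and namespaces are assumed.

USER_NAME="multi-namespace-admin"
ROLE_NAME="multi-namespace-manager"

# Print a Role + RoleBinding manifest for one namespace to stdout.
# Only the core ("") group is listed: pods live there alone, so adding
# "extensions" or "apps" would widen the rule without granting anything.
gen_namespace_rbac() {
  ns="$1"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ${ns}
  name: ${ROLE_NAME}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: ${ns}
  name: ${ROLE_NAME}-binding
subjects:
- kind: User
  name: ${USER_NAME}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${ROLE_NAME}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Run as the platform admin (impersonation via --as needs cluster-admin-level
# rights). Returns 0 only if the user can list pods in every namespace given
# as an argument AND cannot list pods in kube-system.
verify_access() {
  ok=0
  for ns in "$@"; do
    if [ "$(kubectl auth can-i list pods --namespace="$ns" --as="$USER_NAME" 2>/dev/null)" != "yes" ]; then
      echo "FAIL: $USER_NAME cannot list pods in $ns" >&2
      ok=1
    fi
  done
  if [ "$(kubectl auth can-i list pods --namespace=kube-system --as="$USER_NAME" 2>/dev/null)" = "yes" ]; then
    echo "FAIL: $USER_NAME can list pods in kube-system (binding too broad?)" >&2
    ok=1
  fi
  return $ok
}

# Usage (assumed namespaces, as in the page):
#   for ns in demo sandbox; do gen_namespace_rbac "$ns" > "rbac-${ns}.yml"; done
#   kubectl apply -f rbac-demo.yml -f rbac-sandbox.yml
#   verify_access demo sandbox && echo "RBAC scoped as intended"
```

The negative check matters as much as the positive ones: a RoleBinding is namespaced, so a mistake such as binding to a ClusterRole with a ClusterRoleBinding would make `verify_access` report access to kube-system and fail before the credentials are handed out.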
Create the config file for kubectl
# .kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: XXXXX
    server: https://api.cluster.com
  name: api.cluster.com
contexts:
- context:
    cluster: api.cluster.com
    namespace: demo
    user: multi-namespace-admin
  name: multi-admin-demo-context
- context:
    cluster: api.cluster.com
    namespace: sandbox
    user: multi-namespace-admin
  name: multi-admin-sandbox-context
# left empty on purpose: every command below passes --context explicitly
current-context:
kind: Config
preferences: {}
users:
- name: multi-namespace-admin
  user:
    # the files generated in the certificate step above
    client-certificate: multi-namespace-admin.crt
    client-key: multi-namespace-admin.key
Usage
To work in a namespace where you have permissions, select the matching context:
kubectl --context=multi-admin-demo-context get pods --namespace=demo
NAME                                        READY   STATUS    RESTARTS   AGE
default-http-backend-2198840601-pmc9k       1/1     Running   1          89d
nginx-ingress-controller-4182399137-mb5l6   1/1     Running   0          3d
nginx-ingress-controller-4182399137-xb8bk   1/1     Running   0          3d
pgsql                                       1/1     Running   0          69d
tomcat-597660569-8bhqr                      1/1     Running   1          27d
kubectl --context=multi-admin-sandbox-context get pods --namespace=sandbox
NAME                                        READY   STATUS    RESTARTS   AGE
default-http-backend-2198840601-z61bq       1/1     Running   0          4d
jenkins                                     1/1     Running   0          2d
nginx-ingress-controller-3712311050-1n2z9   1/1     Running   0          4d
nginx-ingress-controller-3712311050-dvpvm   1/1     Running   0          4d
repo                                        1/1     Running   0          5d
Below are two cases where access is refused: first the API server denies a namespace with no RoleBinding for the user, then kubectl refuses a context that was never defined in the config file.
kubectl --context=multi-admin-demo-context get pods --namespace=kube-system
Error from server (Forbidden): the server does not allow access to the requested resource (get pods)
kubectl --context=multi-admin-test-context get pods --namespace=test
error: context "multi-admin-test-context" does not exist
Enjoy your new limited multi-namespace administrator account.