Kubernetes – RBAC limited multi-namespace administrator

This page will guide you into creating namespace administrator on Kubernetes with RBAC enabled; you need to be a platform administrator and have access to api.

The example below is for an administrator with multi-namespace access.

Create the certificates

openssl genrsa -out multi-namespace-admin.key 2048
openssl req -new -key multi-namespace-admin.key \
-out multi-namespace-admin.csr \
-subj "/CN=multi-namespace-admin/O=namespace-admins"
openssl x509 -req -in multi-namespace-admin.csr \
-CA ca.crt \
-CAkey ca.key -CAcreateserial \
-out multi-namespace-admin.crt -days 365


Set credentials and contexts

kubectl config set-credentials multi-namespace-admin \
--client-certificate=multi-namespace-admin.crt \
kubectl config set-context multi-admin-demo-context \
--cluster=api.cluster.com \
--namespace=demo \
kubectl config set-context multi-admin-sandbox-context \
--cluster=api.cluster.com \
--namespace=sandbox \


Create roles and rolebindings

You need to create one such pair of files for each namespace.

# role-multi-namespace-manager.yml 
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
   namespace: demo
   name: multi-namespace-manager
   - apiGroups: ["", "extensions", "apps"]
     resources: ["pods"]
     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
kubectl create -f role-multi-namespace-manager.yml
# rolebinding-multi-namespace-manager.yml 
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
   name: multi-namespace-manager-binding
   namespace: demo
 - kind: User
   name: multi-namespace-admin
   apiGroup: ""
   kind: Role
   name: multi-namespace-manager
   apiGroup: ""
kubectl create -f rolebinding-multi-namespace-manager.yml 

Create the config file for kubectl

# .kube/config
apiVersion: v1
- cluster:
   certificate-authority-data: XXXXX
   server: https://api.cluster.com
 name: api.cluster.com
- context:
   cluster: api.cluster.com
   namespace: demo
   user: multi-namespace-admin
 name: multi-admin-demo-context
- context:
   cluster: api.cluster.com
   namespace: sandbox
   user: multi-namespace-admin
 name: multi-admin-sandbox-context
kind: Config
preferences: {}
- name: multi-namespace-admin
   client-certificate: multi-admin.crt
   client-key: multi-admin.key


In order to access a namespace where you have permissions change the context


kubectl --context=multi-admin-demo-context get pods --namespace=demo
NAME                                       READY    STATUS   RESTARTS  AGE
default-http-backend-2198840601-pmc9k      1/1      Running  1         89d
nginx-ingress-controller-4182399137-mb5l6  1/1      Running  0         3d
nginx-ingress-controller-4182399137-xb8bk  1/1      Running  0         3d
pgsql                                      1/1      Running  0         69d
tomcat-597660569-8bhqr                     1/1      Running  1         27d



kubectl --context=multi-admin-sandbox-context get pods --namespace=sandbox
NAME                                       READY    STATUS   RESTARTS  AGE
default-http-backend-2198840601-z61bq      1/1      Running  0         4d
jenkins                                    1/1      Running  0         2d
nginx-ingress-controller-3712311050-1n2z9  1/1      Running  0         4d
nginx-ingress-controller-3712311050-dvpvm  1/1      Running  0         4d
repo                                       1/1      Running  0         5d


Below are some examples where you do not have permissions.


kubectl --context=multi-admin-demo-context get pods --namespace=kube-system
Error from server (Forbidden): the server does not allow access to the requested resource (get pods)

kubectl --context=multi-admin-test-context get pods --namespace=test
error: context "multi-admin-test-context" does not exist

Enjoy your new limited multi-namespace administrator account.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s