1
votes

user1 and user2 have been assigned the "admin" role in a K8s cluster where they can only work within the namespace they are assigned. In the case below, ns1 and ns2 respectively.

user1 --> assigned namespace ns1

user2 --> assigned namespace ns2

user3 --> assigned namespace ns3 and also has the namespace-admin role assigned. The namespace-admin role (user3) should be able to create any resource in namespace ns3 and in any new namespaces he creates in the cluster. This role should have the ability to dynamically create new namespaces. But user3 should NOT have access to the ns1 or ns2 namespaces, which were not created by user "user3".

user3 will be dynamically creating new namespaces and deploying workloads in those namespaces.

Can this be addressed? This is similar to the OpenShift "Projects" concept.

2 Answers

1
votes

Yes, you can restrict user3 to create/delete resources only in the namespace ns3 using a Role and binding that role to user3.

Then you can use a ClusterRole with access only to the namespaces resource and allow it to create, delete, etc.

Something like this:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: my-namespace
  name: user-namespace-role
rules:
- apiGroups: [""]
  resources: ["services", "endpoints", "pods"] # etc...
  verbs: ["get", "list", "create"] # etc

Then:

kubectl create rolebinding user-namespace-binding --role=user-namespace-role --user=user3 --namespace=my-namespace

Then:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-role-all-namespaces
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # etc

Then:

kubectl create clusterrolebinding all-namespaces-binding --clusterrole=cluster-role-all-namespaces --user=user3

For user1 and user2 you can create a Role and RoleBinding for their unique namespaces.

0
votes

user3 should be able to create any resource in namespace ns3 and any new namespaces he creates in the cluster.

To achieve dynamic permissions, you'd need a component granting user3 permissions in the namespaces they create (which is what the OpenShift Projects API handler does).
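Added example, not code from either answer: a small Python model of how RBAC would evaluate the first answer's Role/ClusterRole bindings, and the extra RoleBinding that the component from the second answer would have to create in each new namespace. It is a simulation rather than the kubernetes client; the built-in "admin" ClusterRole is approximated as all verbs on all namespaced resources, and resourceNames are not modelled (the answer's ClusterRole uses none, so its namespace verbs also apply to the ns1 and ns2 namespace objects).

```python
from dataclasses import dataclass


@dataclass
class Rule:
    resources: set  # e.g. {"pods"}; "*" matches any resource
    verbs: set      # e.g. {"get", "list"}; "*" matches any verb


@dataclass
class Binding:
    user: str
    rules: list            # rules of the referenced Role/ClusterRole
    namespace: str = None  # None = ClusterRoleBinding (applies cluster-wide)


def allowed(bindings, user, verb, resource, namespace=None):
    """RBAC is allow-only: the request is permitted if any rule of any
    binding for this user matches. namespace=None is a cluster-scoped request."""
    for b in bindings:
        if b.user != user:
            continue
        # A RoleBinding only covers requests inside its own namespace, so it
        # can never grant a cluster-scoped request such as creating a namespace.
        if b.namespace is not None and b.namespace != namespace:
            continue
        for r in b.rules:
            if ("*" in r.resources or resource in r.resources) and (
                    "*" in r.verbs or verb in r.verbs):
                return True
    return False


# Rules taken from the first answer's Role and ClusterRole.
WORKLOAD_RULES = [Rule({"services", "endpoints", "pods"}, {"get", "list", "create"})]
NAMESPACE_RULES = [Rule({"namespaces"},
                        {"get", "list", "watch", "create", "update", "patch", "delete"})]
# Approximation of the built-in "admin" ClusterRole (assumption for this model).
ADMIN_RULES = [Rule({"*"}, {"*"})]


def initial_bindings():
    """Bindings as set up by the first answer (names from the question)."""
    return [
        Binding("user1", ADMIN_RULES, "ns1"),
        Binding("user2", ADMIN_RULES, "ns2"),
        Binding("user3", WORKLOAD_RULES, "ns3"),  # RoleBinding in ns3
        Binding("user3", NAMESPACE_RULES),         # ClusterRoleBinding
    ]


def on_namespace_created(bindings, creator, new_ns):
    """What the component from the second answer must do after a namespace is
    admitted: bind a namespace-scoped admin role to its creator in that namespace."""
    bindings.append(Binding(creator, ADMIN_RULES, new_ns))
```

Without on_namespace_created, user3 can create ns4 but cannot deploy anything into it, which is the gap the second answer points at; the unrestricted delete verb on namespaces is also worth noticing when reviewing such a ClusterRole.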