A small question for clarification: If we have a ClusterRole to read Secrets: ( . . .

kodekloud · June 8, 2022, 3:55pm

Basavraj Devpuje:
A small question for clarification:

If we have a ClusterRole to read Secrets: (which is a namespaced resource)

apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]

And have a RoleBinding referring to the ClusterRole

apiVersion: <http://rbac.authorization.k8s.io/v1|rbac.authorization.k8s.io/v1>
kind: RoleBinding
metadata:
  name: read-secrets
  namespace: development
subjects:
- kind: User
  name: sam
  apiGroup: <http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: <http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>

Here the RoleBinding is referring to the ClusterRole for secrets which is a “namespaced” resource (secret).

Does this mean the user can read the Secrets from ALL NAMESPACES? (As we can’t specify namespaces in ClusterRole) though the namespace: developement is mentioned in RoleBinding.

kodekloud · June 8, 2022, 3:55pm

ameya agashe:
I can be corrected but cluster role and cluster role binding go with each other. Role binding will not work.
Role and Role binding go with each other.

kodekloud · June 8, 2022, 3:55pm

Basavraj Devpuje:
@ameya agashe Thank you for the reply. But the RoleBinding can also refer to the ClusterRole. (As far as I read on official docs). I might be wrong.

kodekloud · June 8, 2022, 3:55pm

unnivkn:
Hi @Basavraj Devpuje fyr:

kodekloud · June 8, 2022, 3:55pm

Basavraj Devpuje:
Thank you @unnivkn. That was my confusion but now its clear.