Skip to main content
Version: 2.6

Grant access to a namespace for non-admin user

If you are a user with administrator privileges and if you want to provide non-admin permissions to a service account user1 to access a specific namespace ns1, perform the following steps:

  1. Create a service account user1 in the namespace ns1:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
       name: user1
       namespace: ns1
    note

    If your Kubernetes version is below v1.22, use rbac.authorization.k8s.io/v1beta1 API version of ClusterRole, ClusterRoleBinding, Role, and RoleBinding. For more information, refer RBAC resources.

  2. Create a clusterRole and clusterRolebinding for the service account with the required permissions:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
       name: user1-clusterrole
    rules:
    - apiGroups: ["*"]
       resources: ["namespaces", "clusterrolebindings", "persistentvolumes", "clusterroles", "nodes", "storageclasses"]
       verbs: ["get", "list", "watch", "create"]
    - apiGroups: ["stork.libopenstorage.org"]
       resources: ["schedulepolicies"]
       verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["stork.libopenstorage.org"] # for controller support
       resources: ["*"]
       verbs: ["list", "get", "watch"]
    - apiGroups: ["snapshot.storage.k8s.io"]
       resources: ["volumesnapshotclasses"]
       verbs: ["get", "list"]
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
       name: user1-clusterrolebinding
    subjects:
    - kind: ServiceAccount
       name: user1
       namespace: ns1
    roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: ClusterRole
       name: user1-clusterrole

  3. Create a role and rolebinding for the namespace with the required permission in the namespace ns1:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
       name: ns1-role
       namespace: ns1
    rules:
    - apiGroups: ["", "extensions", "apps"]
       resources: ["*"]
       verbs: ["*"]
    - apiGroups: ["batch"]
       resources:
       - jobs
       - cronjobs
       verbs: ["*"]
    - apiGroups:
       - stork.libopenstorage.org
       resources: ["*"]
       verbs:
       - create
       - delete
       - deletecollection
       - get
       - list
       - patch
       - update
       - watch
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
       name: ns1-rolebinding
       namespace: ns1
    subjects:
    - kind: ServiceAccount
       name: user1
       namespace: ns1
    roleRef:
       apiGroup: rbac.authorization.k8s.io
       kind: Role
       name: ns1-role

  4. Provide the read permissions for the get and list operations for the configmap in the kube-system namespace. You need to link user1 service account created in the namespace ns1 in the rolebinding. You need not create a new service account in the kube-system.

    note

    Regardless of the namespace, you need these permissions for configmap in the kube-system namespace to read the configmap created by Stork.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
       name: ks-role
       namespace: kube-system
       rules:
       - apiGroups: [""]
          resources: ["configmaps"]
          verbs: ["get", "list"]
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
       name: ks-rolebinding
       namespace: kube-system
    subjects:
    - kind: ServiceAccount
          name: user1
          namespace: ns1
    roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: Role
          name: ks-role

  5. Create the secret token for the service account user1.

    note

    If your Kubernetes version is 1.24 and above, the secret token does not get assigned to the service account token by default. If your Kubernetes version is below 1.24, skip this step.

    apiVersion: v1
    kind: Secret
    metadata:
       name: user1-token
       namespace: ns1
       annotations:
       kubernetes.io/service-account.name: user1
    type: kubernetes.io/service-account-token

  6. Fetch the service account token and certificate to update the kube-config:

    kubectl get secret user1-token -n ns1 -o "jsonpath={.data.token}" | base64 -d
    kubectl get secret user1-token -n ns1 -o "jsonpath={.data['ca\.crt']}"

  7. Create a kube-config file in the below format, update the required values along with certificate and service account token obtained from previous step.

    apiVersion: v1
    clusters:
    - cluster:
       certificate-authority-data: <certificate>
       server: https://<cluster-IP>:6443
       name: cluster.local
    contexts:
    - context:
       cluster: cluster.local
       namespace: <namespace-name>
       user: <service-account-name>
       name: <service-account>@cluster.local
    current-context: <service-account>@cluster.local
    kind: Config
    preferences: {}
    users:
    - name: <service-account>
       user:
       token: <service-account-token>
       client-key-data: <certificate>

    Sample kube-config for the service account user1:

    apiVersion: v1
    clusters:
    - cluster:
       certificate-authority-data: LS0tLSJQ0FURS0tLS0tCTkJnq..................aTXHWlFBYU5aTUZjd0==
       server: https://x.x.x.x:6443
       name: cluster.local
    contexts:
    - context:
       cluster: cluster.local
       namespace: ns1
       user: user1
       name: user1@cluster.local
    current-context: user1@cluster.local
    kind: Config
    preferences: {}
    users:
    - name: user1
       user:
       token: ABgHtLSJQ0FURSOpha0tCTkJnq..................aTXHWlFBYU5aTUZjd0
       client-key-data: LS0tLSJQ0FURS0tLS0tCTkJnq..................aTXHWlFBYU5aTUZjd0==
Last updated on
Was this page helpful?