Question 10 | RBAC ServiceAccount Role RoleBinding
Use context: kubectl config use-context k8s-c1-H
Create a new ServiceAccount processor in Namespace project-hamster. Create a Role and RoleBinding, both named processor as well. These should allow the new SA to only create Secrets and ConfigMaps in that Namespace.
kubectl create sa processor -n project-hamster
k create role processor -n project-hamster --verb=create --resource=secret --resource=configmap
k describe role processor -n project-hamster
Name:         processor
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources   Non-Resource URLs  Resource Names  Verbs
  ---------   -----------------  --------------  -----
  configmaps  []                 []              [create]
  secrets     []                 []              [create]
# Note that the ServiceAccount must be specified together with its namespace (namespace:name)
k create rolebinding processor -n project-hamster --role processor --serviceaccount project-hamster:processor
k describe rolebindings processor -n project-hamster
Name:         processor
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  processor
Subjects:
  Kind            Name       Namespace
  ----            ----       ---------
  ServiceAccount  processor  project-hamster
# To verify, we use auth can-i
k -n project-hamster auth can-i create secret --as system:serviceaccount:project-hamster:processor
yes
k -n project-hamster auth can-i create configmap --as system:serviceaccount:project-hamster:processor
yes
k -n project-hamster auth can-i create pod --as system:serviceaccount:project-hamster:processor
no
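The three can-i checks above generalize to a verb-by-resource sweep that confirms the ServiceAccount can do nothing beyond the two intended grants. This is an added example, not part of the original notes; the verb and resource lists and the function names can_i and audit_sa are assumptions chosen for illustration, and it calls kubectl by its full name rather than the k alias.

```shell
#!/bin/sh
# Added example: least-privilege sweep for the processor ServiceAccount.
NS=project-hamster
SA="system:serviceaccount:${NS}:processor"

# The only grants the task allows, written as verb/resource.
ALLOWED="create/secrets create/configmaps"

# Assumed sample of verbs and namespaced resources to probe; extend as needed.
VERBS="get list watch create update patch delete"
RESOURCES="secrets configmaps pods serviceaccounts roles rolebindings"

# can_i VERB RESOURCE: prints "yes" or "no" as answered by the API server.
# kubectl exits non-zero on "no", so the exit status is ignored here.
can_i() {
  kubectl -n "$NS" auth can-i "$1" "$2" --as "$SA" 2>/dev/null || true
}

# audit_sa: prints one line per deviation from ALLOWED, returns 0 if none.
# An empty answer (kubectl error) never matches, so failures are reported.
audit_sa() {
  audit_rc=0
  for audit_res in $RESOURCES; do
    for audit_verb in $VERBS; do
      case " $ALLOWED " in
        *" $audit_verb/$audit_res "*) audit_want=yes ;;
        *) audit_want=no ;;
      esac
      audit_got=$(can_i "$audit_verb" "$audit_res")
      if [ "$audit_got" != "$audit_want" ]; then
        echo "MISMATCH: $audit_verb $audit_res expected=$audit_want got=${audit_got:-error}"
        audit_rc=1
      fi
    done
  done
  return $audit_rc
}
```

Source the file with the k8s-c1-H context active and run audit_sa; no output and exit status 0 mean the Role grants exactly create on Secrets and ConfigMaps within the probed set.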