There are two ways we can restrict and add RBAC policies
1. Namespace-wide RBAC policies
defining manifests to implement RBAC policies at the namespace level
with the above example, you have restricted the access to a specific namespace(myapp) for a specific application(Istio) linked with a serviceAccount deployed in the myapp namespace, but if you wish to access the resource of another namespace say myapp2 you will get a 403 forbidden error.
2. Cluster-wide RBAC policies
ClusterRoles are similar to Roles however when assigned to a ServiceAccount can give cluster-wide permissions to access other resources in it.
with the above example, we have implemented clusterRoles to a ServiceAccount to access resources at a cluster-wide level.
if the user tries to access another namespace or system namespace like (kube-system). definitely, it will throw a forbidden error because when we create this user/SA only have access to myapp & myapp2 namespace. Usually, developers no need access to the system namespace (kube-system).
No comments:
Post a Comment