Created kubeconfig file but only able to access default namespace

Time:02-11

I used the file below to create a service account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa-reader
  namespace: default

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: reader-cr
rules:
- apiGroups:
  - ""
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-only-rb
subjects:
- kind: ServiceAccount
  name: sa-reader
roleRef:
  kind: ClusterRole
  name: reader-cr
  apiGroup: rbac.authorization.k8s.io

The kubeconfig I created is similar to this:

apiVersion: v1
kind: Config
preferences: {}

clusters:
- name: qa
  cluster:
    certificate-authority-data: ca
    server: https://<server>:443

users:
- name: sa-reader
  user:
    as-user-extra: {}
    token: <token>

contexts:
- name: qa
  context:
    cluster: qa
    user: sa-reader
    namespace: default

current-context: qa

With this kubeconfig file, I am able to access resources in the default namespace but not in any other namespace. How can I access resources in other namespaces as well?

CodePudding user response:

You can operate on a namespace explicitly by using the -n (--namespace) option to kubectl:

$ kubectl -n my-other-namespace get pod

Or by changing your default namespace with the kubectl config command:

$ kubectl config set-context --current --namespace my-other-namespace

With the above command, all future invocations of kubectl will assume the my-other-namespace namespace.

CodePudding user response:

An empty namespace in metadata defaults to namespace: default, and so your RoleBinding is only applied to the default namespace.

See ObjectMeta.

I suspect (!) you need to apply the RoleBinding to each of the namespaces in which you want the Service Account to be permitted.
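
Added example (not part of either answer above): a shell version of the per-namespace RoleBinding approach from the second answer, reusing sa-reader, reader-cr and read-only-rb from the question. The function names are this example's own, and any target namespaces you pass in (team-a and team-b in the usage comment) are hypothetical.

```shell
# Names taken from the question; target namespaces are passed as arguments.
SA_NAME=sa-reader
SA_NAMESPACE=default
CLUSTER_ROLE=reader-cr

# Accept only RFC 1123 labels so a malformed name cannot alter the YAML.
valid_ns() {
  case $1 in
    ''|*[!a-z0-9-]*|-*|*-) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# Print a RoleBinding that grants reader-cr inside one target namespace.
# metadata.namespace is where access is granted; the subject's namespace
# stays "default" because that is where the ServiceAccount lives.
render_rolebinding() {
  valid_ns "$1" || { echo "invalid namespace: $1" >&2; return 1; }
  cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-only-rb
  namespace: $1
subjects:
- kind: ServiceAccount
  name: ${SA_NAME}
  namespace: ${SA_NAMESPACE}
roleRef:
  kind: ClusterRole
  name: ${CLUSTER_ROLE}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Render one binding per namespace argument; stop at the first bad name.
render_all() {
  for ns in "$@"; do render_rolebinding "$ns" || return 1; done
}

# Check effective access by impersonating the service account (needs a live
# cluster and impersonation rights; can-i exits non-zero on "no").
verify_access() {
  for ns in "$@"; do
    printf '%s: ' "$ns"
    kubectl auth can-i list pods -n "$ns" \
      --as="system:serviceaccount:${SA_NAMESPACE}:${SA_NAME}" || true
  done
}
# Usage: render_all team-a team-b | kubectl apply -f -
```

After applying, `verify_access default team-a team-b` should print "yes" only for namespaces that carry a binding, which confirms the read-only grant is scoped as intended.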
