Requirement

I have a full-access kubeconfig and want to hand another user a limited kubeconfig that only grants access to resources in one specific namespace.

Steps

Create the namespace.

kubectl create namespace example

Create a ServiceAccount in that namespace.

# service_account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-user
  namespace: example

kubectl create -f service_account.yaml

Create a Role and a RoleBinding for the ServiceAccount in that namespace. The RoleBinding is what gives the ServiceAccount access to the resources in that namespace, and only there.

# rbac.yaml
---
kind: Role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has been served since 1.8
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-user-full-access
  namespace: example
rules:
# every resource and verb in the core, extensions and apps groups, within this namespace only
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-user-view
  namespace: example
subjects:
- kind: ServiceAccount
  name: example-user
  namespace: example
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: example-user-full-access

kubectl create -f rbac.yaml

Get the name of the ServiceAccount's token Secret.

# Kubernetes 1.24 and later no longer create this token Secret automatically; create a
# Secret of type kubernetes.io/service-account-token for the ServiceAccount first.
kubectl describe sa example-user -n example #=>

Name:                example-user
Namespace:           example
Labels:              <none>
Annotations:         kubectl.kubernetes.io/last-applied-configuration:
                       {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{},"name":"example-user","namespace":"example"}}
Image pull secrets:  <none>
Mountable secrets:   example-user-token-2nxm9
Tokens:              example-user-token-2nxm9

Get the token string from that Secret.

# --decode is accepted by both GNU and macOS base64 (-D is macOS only)
kubectl get secret example-user-token-2nxm9 -n example -o "jsonpath={.data.token}" | base64 --decode

Get the certificate from that Secret, and save the certificate string without the leading and ending lines “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”.

# the ca.crt value is already the base64 encoding of the PEM file, which is exactly what
# certificate-authority-data expects, so it is used as printed, without decoding
kubectl get secret example-user-token-2nxm9 -n example -o "jsonpath={.data['ca\.crt']}"

Now create the kubeconfig file.

apiVersion: v1
clusters:
  - cluster:
      # base64 of the PEM CA certificate, i.e. the ca.crt value from the token Secret
      certificate-authority-data: <place certificate string here>
      server: <Kubernetes cluster API endpoint>
    name: example
contexts:
  - context:
      cluster: example
      namespace: example
      user: example-user
    name: example
current-context: example
kind: Config
preferences: {}
users:
  - name: example-user
    user:
      # a ServiceAccount authenticates with its bearer token only; it has no client key, and
      # client-key-data without client-certificate-data is rejected when the kubeconfig is loaded
      token: <place token string here>

With this kubeconfig, only resources in the example namespace are accessible.
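The assembly steps above (read the token Secret, reuse its ca.crt, write the kubeconfig), as an added example that is not part of the original post: a Python script that takes the Secret as `kubectl get secret example-user-token-2nxm9 -n example -o json` prints it, checks that the token's `sub` claim really names example:example-user and that ca.crt is PEM, and emits the kubeconfig as JSON (which kubectl loads, YAML being a superset of JSON). The Secret and token below are constructed placeholders, and the API endpoint is an assumption.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_subject(token: str) -> tuple:
    """Return (namespace, name) from a ServiceAccount token's `sub` claim. The claim is read
    without checking the signature: it shows whom the API server will attribute requests to."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    sub = claims.get("sub", "")
    if not sub.startswith("system:serviceaccount:"):
        raise ValueError(f"not a ServiceAccount token: sub={sub!r}")
    namespace, name = sub[len("system:serviceaccount:"):].split(":", 1)
    return namespace, name

def build_kubeconfig(secret_json: str, server: str, namespace: str, sa_name: str) -> dict:
    """Kubeconfig (as a dict; json.dumps() of it is valid YAML) from `kubectl get secret -o json`."""
    data = json.loads(secret_json)["data"]
    ca_b64 = data["ca.crt"]  # already base64 of the PEM file: exactly what certificate-authority-data wants
    if not base64.b64decode(ca_b64).startswith(b"-----BEGIN CERTIFICATE-----"):
        raise ValueError("ca.crt is not PEM; keep the BEGIN/END CERTIFICATE lines")
    token = base64.b64decode(data["token"]).decode()
    if token_subject(token) != (namespace, sa_name):
        raise ValueError(f"token belongs to {token_subject(token)}, not {namespace}:{sa_name}")
    return {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": namespace, "cluster": {"server": server, "certificate-authority-data": ca_b64}}],
        "users": [{"name": sa_name, "user": {"token": token}}],  # bearer token only, no client-key-data
        "contexts": [{"name": namespace, "context": {"cluster": namespace, "namespace": namespace, "user": sa_name}}],
        "current-context": namespace,
    }

def _fake_sa_token(namespace: str, name: str) -> str:
    """Constructed, unsigned token with a real SA token's claim layout (demo input only)."""
    def enc(raw: bytes) -> str: return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"sub": f"system:serviceaccount:{namespace}:{name}", "kubernetes.io/serviceaccount/namespace": namespace}
    return ".".join([enc(b'{"alg":"RS256","typ":"JWT"}'), enc(json.dumps(claims).encode()), enc(b"fake-signature")])

# Constructed stand-in for `kubectl get secret example-user-token-2nxm9 -n example -o json` (placeholder CA body).
SAMPLE_SECRET = json.dumps({"data": {
    "ca.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode(),
    "token": base64.b64encode(_fake_sa_token("example", "example-user").encode()).decode(),
}})

if __name__ == "__main__":
    cfg = build_kubeconfig(SAMPLE_SECRET, "https://<Kubernetes cluster API endpoint>", "example", "example-user")
    print(json.dumps(cfg, indent=2))  # save as limited.kubeconfig and hand it to the user
```

Verify the result against the cluster with `kubectl --kubeconfig limited.kubeconfig auth can-i list pods -n example` (expected: yes) and the same check with `-n kube-system` (expected: no).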