Kubernetes - restrict user access to one namespace

In this example, we will create dev namespace and token for access this namespace only

Create Namespace

kubectl create namespace dev

Create Service Account with permissions

Create file permission-dev-namespace.yaml with content:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-user
  namespace: dev

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-full-access
  namespace: dev
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-view
  namespace: dev
subjects:
- kind: ServiceAccount
  name: dev-user
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-user-full-access

Apply this:

kubectl apply -f permission-dev-namespace.yaml

You should see the three components being created.

Get Secrets

Use following command to get the token, use this to access dashboard

kubectl -n dev describe secret $(kubectl -n dev get secret | grep dev-user | awk '{print $1}')