Rolebindings for service account.


Geo P.C.

Jan 29, 2021, 9:51:06 AM
to kubernetes-wg-multitenancy, Adrian Ludwin, Yiqi Gao

Hi Team

We are using HNC and using HierarchyConfiguration to define the hierarchy level between different namespaces.

kubectl hns tree bi
bi
├── promotion
│   ├── dev1-promotion
│   └── qa1-promotion



We created a role binding named "app-read-access" and assigned it to the bi namespace.

We created a service account for "dev1-promotion" but when we list the role bindings for that service we can see the namespace assigned is "bi".

kubectl describe rolebinding app-read-access -n dev1-promotion
Name:         app-read-access
Labels:       app.kubernetes.io/instance=bi-namespace
              hnc.x-k8s.io/inherited-from=bi
Annotations:
Role:
  Kind:       Role
  Name:       app-read-access
Subjects:
  Kind            Name             Namespace
  ----            ----             ---------
  ServiceAccount  app-read-access  bi



Can you please let me know how we can fix this?

Thanks
Geo PC

Adrian Ludwin

Jan 29, 2021, 12:53:28 PM
to Geo P.C., kubernetes-wg-multitenancy, Yiqi Gao
The "namespace" in that column refers to the namespace that owns the service account, not the namespace where the permissions are granted. What this rolebinding is saying is that any workload running in namespace "bi" as the service account "app-read-access" has all the permissions from role "app-read-access" in the namespace "dev1-promotion". Is this what you intend to do?

Geo P.C.

Jan 29, 2021, 1:25:51 PM
to Adrian Ludwin, kubernetes-wg-multitenancy, Yiqi Gao
Yes, correct, that needs to be done...

Adrian Ludwin

Jan 29, 2021, 1:26:41 PM
to Geo P.C., kubernetes-wg-multitenancy, Yiqi Gao
Great, let us know if you have any other questions.
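
Added example (not part of the thread and not HNC project code): a Python sketch of the reading given in the reply above, where the namespace in the Subjects table is the one that owns the service account and the binding's own namespace is where the role applies. The JSON is constructed in the shape of `kubectl get rolebindings -A -o json`; the `local-read` binding and the `app-sa` account are hypothetical.

```python
import json

HNC_LABEL = "hnc.x-k8s.io/inherited-from"  # label shown in the thread's output

def _rb(name, ns, sa, sa_ns, labels=None):
    """Build one constructed RoleBinding object."""
    return {"metadata": {"name": name, "namespace": ns, "labels": labels or {}},
            "roleRef": {"kind": "Role", "name": name},
            "subjects": [{"kind": "ServiceAccount", "name": sa, "namespace": sa_ns}]}

# Constructed sample in the shape of `kubectl get rolebindings -A -o json`.
# "local-read" and "app-sa" are hypothetical; the rest mirrors the thread.
SAMPLE = json.dumps({"items": [
    _rb("app-read-access", "bi", "app-read-access", "bi"),
    _rb("app-read-access", "dev1-promotion", "app-read-access", "bi",
        {HNC_LABEL: "bi"}),
    _rb("local-read", "dev1-promotion", "app-sa", "dev1-promotion"),
]})

def effective_grants(rolebindings_json):
    """One record per ServiceAccount subject: who gets which role, and where."""
    grants = []
    for rb in json.loads(rolebindings_json).get("items", []):
        meta = rb["metadata"]
        granted_in = meta["namespace"]           # where the role's rules apply
        for subj in rb.get("subjects") or []:
            if subj.get("kind") != "ServiceAccount":
                continue
            owner = subj.get("namespace")        # namespace that owns the account
            grants.append({
                "subject": f"system:serviceaccount:{owner}:{subj['name']}",
                "role": rb["roleRef"]["name"],
                "granted_in": granted_in,
                "inherited_from": (meta.get("labels") or {}).get(HNC_LABEL),
                "cross_namespace": owner != granted_in,
            })
    return grants

def cross_namespace_grants(rolebindings_json):
    """Grants where the account lives outside the namespace it can act in."""
    return [g for g in effective_grants(rolebindings_json) if g["cross_namespace"]]

if __name__ == "__main__":
    for g in effective_grants(SAMPLE):
        origin = f"propagated from {g['inherited_from']}" if g["inherited_from"] else "local"
        flag = "  <-- cross-namespace" if g["cross_namespace"] else ""
        print(f"{g['subject']} -> role {g['role']} in {g['granted_in']} ({origin}){flag}")
```

Run against real cluster output, the cross-namespace rows are the ones to review: each is an account in one namespace holding a role in another, which for propagated bindings means an ancestor's account can act in every descendant.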