Custom KUBECONFIG limited to one namespace

Hi, I would like to create a custom KUBECONFIG file that is restricted to a specific namespace to give to developers to use.
Has anyone managed to get this working with Rancher?

I have tried the following: e.g. for namespace called “test”

$ kubectl config set-context --current --namespace=test

Create a svc account:

$ kubectl create serviceaccount svctest --namespace test

Create a RoleBinding with a file like this:

$ cat binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: svctest
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: svctest
  namespace: test

$ kubectl apply -f binding.yaml

$ kubectl get rolebinding
svctest ClusterRole/cluster-admin 47m

I have also tried with the role of just admin.

Get the token for the svc account with:

$ kubectl describe secrets/svctest-token-lbnmf

Now we have all we need for the kubeconfig. I have tried it in two ways:

  1. edit the kubeconfig from the GUI, remove the existing user and add in the new user:

users:
- name: clustername-test-svctest
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkdiTy1VSF94WjlSWWpvbEI1cUtzaENqbVViYn

I have tried lots of different combinations, but whatever I do it does not work:

KUBECONFIG=./config.test2 kubectl --insecure-skip-tls-verify get pods
Please enter Username:

  2. The other method I have used is to create a KUBECONFIG using the script from Create a service account and generate a kubeconfig file for it - this will also set the default namespace for the user · GitHub (with a minor edit of changing base64 -D to base64 -d).

This seems to set up everything, although you still have to add the role binding, but again kubectl prompts for a username and password.

Many thanks in advance.

Steve
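The direct-to-API-server version of what the question above is attempting, as an added example that is not code from the original post or from Rancher: create the ServiceAccount, bind it to a namespaced Role instead of cluster-admin, mint a short-lived token, write a kubeconfig whose context names both the user and the namespace, and then check the file before handing it out. The usual reason for the "Please enter Username:" prompt is a context whose `user:` does not match any `users[].name`, which leaves kubectl with no credential at all, so the script checks for exactly that. Assumptions: kubectl 1.24 or newer (for `kubectl create token`), an admin kubeconfig in the current context whose cluster entry carries `certificate-authority-data` rather than a file path, and the resource/verb list in the Role, which is a placeholder for whatever the developers actually need. The kubectl calls live in `main`, which only runs when a namespace and a service-account name are passed as arguments; with no arguments the file just defines the functions.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a kubeconfig for a
# ServiceAccount that can only act inside one namespace, then proves it.
# Assumes: kubectl >= 1.24 (`kubectl create token`) and an admin kubeconfig
# in the current context whose cluster entry has certificate-authority-data.
set -eu

# Namespaced Role plus RoleBinding. The resources/verbs are an assumption
# about what a developer needs; binding a Role (not cluster-admin) keeps the
# grant inside the namespace even if the binding is later copied elsewhere.
rbac_manifests() {
  ns="$1"; sa="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${sa}-dev
  namespace: ${ns}
rules:
- apiGroups: ["", "apps", "batch"]
  resources: ["pods", "pods/log", "services", "configmaps", "deployments", "jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${sa}-dev
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${sa}-dev
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
EOF
}

# Render a complete kubeconfig: cluster, user, and a context that ties the
# two together and pins the namespace. If the context's user: does not match
# a users[] entry, kubectl has no credential and prompts for a username.
render_kubeconfig() {
  cluster="$1"; server="$2"; ca_b64="$3"; user="$4"; token="$5"; ns="$6"
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: ${user}
  user:
    token: ${token}
contexts:
- name: ${user}@${cluster}
  context:
    cluster: ${cluster}
    user: ${user}
    namespace: ${ns}
current-context: ${user}@${cluster}
EOF
}

# Check a file written by render_kubeconfig: the current context exists, the
# user it names is defined, and that user carries a token.
check_kubeconfig() {
  f="$1"
  ctx=$(sed -n 's/^current-context: *//p' "$f")
  [ -n "$ctx" ] || { echo "check: no current-context" >&2; return 1; }
  grep -q "^- name: ${ctx}\$" "$f" || { echo "check: context ${ctx} not defined" >&2; return 1; }
  user=$(sed -n 's/^    user: *//p' "$f")
  if [ -z "$user" ] || ! grep -q "^- name: ${user}\$" "$f"; then
    echo "check: context points at user '${user}' with no users[] entry" >&2
    return 1
  fi
  grep -q '^    token: ..*' "$f" || { echo "check: user ${user} has no token" >&2; return 1; }
}

main() {
  ns="$1"; sa="$2"; out="${3:-kubeconfig-${ns}-${sa}}"
  cluster=$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')
  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  ca_b64=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
  kubectl create serviceaccount "$sa" -n "$ns" --dry-run=client -o yaml | kubectl apply -f -
  rbac_manifests "$ns" "$sa" | kubectl apply -f -
  # Short-lived token bound to the ServiceAccount; no long-lived Secret needed.
  token=$(kubectl create token "$sa" -n "$ns" --duration=8h)
  umask 077
  render_kubeconfig "$cluster" "$server" "$ca_b64" "$sa" "$token" "$ns" > "$out"
  check_kubeconfig "$out"
  # Prove the boundary: allowed in the namespace, denied outside it.
  KUBECONFIG="$out" kubectl auth can-i list pods -n "$ns"
  KUBECONFIG="$out" kubectl auth can-i list pods -n kube-system || true
  echo "wrote $out"
}

# Only talk to the cluster when a namespace and service-account name are given.
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it as `sh make-kubeconfig.sh test svctest` from an admin context; the two `auth can-i` lines should print `yes` and then `no`. The token expires after eight hours, so re-run the script rather than handing out a long-lived Secret-based token. This writes a kubeconfig that talks straight to the cluster's API server; a kubeconfig downloaded from the Rancher GUI goes through Rancher's own authentication and is a separate mechanism.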

I found the answer to my own question:

Give the user access to a single project only in the Rancher GUI.

Then when they login to the GUI they can only see their project and namespaces.
If they click on cluster, they cannot view the nodes, but they do have the option to download a KUBECONFIG and it is restricted to their namespaces.

At first the context will be set to the default namespace, but they can fix that with kubectl config set-context --current --namespace= and that will write it back to the kubeconfig file.

and then it all works 🙂