Deploy the manifest in your cluster with the following commands:
kubectl create ns debug
kubectl apply -f rbac.yaml
Great! Now you have a serviceAccount that can get, create, list and update deployments in the debug namespace.
Exercise: now create a serviceAccount yourself with the following capabilities:
- get and list secrets in the debug namespace
- delete pods in the default namespace
Test that everything works using:
kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<serviceAccountName> -n <namespace>
For example:
kubectl auth can-i get pods --as=system:serviceaccount:debug:debug-admin-deployments -n debug
kubectl auth can-i get deployments --as=system:serviceaccount:debug:debug-admin-deployments -n debug
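One possible solution to the exercise above, as an added example that is not part of the original tutorial. The names `exercise-sa`, `secret-reader` and `pod-deleter` are hypothetical, and the serviceAccount is assumed to live in the debug namespace.

```yaml
# Added example; all object names here are hypothetical.
apiVersion: v1
kind: ServiceAccount
metadata: {name: exercise-sa, namespace: debug}
---
# Role scoped to debug: read access to secrets only.
# Note: "list" returns full Secret objects, so it exposes values just like "get".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: secret-reader, namespace: debug}
rules:
  - apiGroups: [""]          # core API group
    resources: ["secrets"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: exercise-sa-secret-reader, namespace: debug}
subjects:
  - kind: ServiceAccount
    name: exercise-sa
    namespace: debug
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-reader
---
# Role scoped to default: delete pods, nothing else (no get/list).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: pod-deleter, namespace: default}
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["delete"]
---
# The binding lives in default, but its subject is the serviceAccount in debug.
# A RoleBinding grants rights only in its own namespace, so one is needed per namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: exercise-sa-pod-deleter, namespace: default}
subjects:
  - kind: ServiceAccount
    name: exercise-sa
    namespace: debug
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-deleter
```

With these objects applied, `kubectl auth can-i list secrets --as=system:serviceaccount:debug:exercise-sa -n debug` should answer yes, while the same check with `-n default` should answer no. Running the negative checks as well confirms the serviceAccount has no more than the two capabilities requested.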