ClusterRoleBinding requires namespace

I have the following:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: SomeServiceAccount
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: SomeClusterRole
rules:
  - apiGroups:
      - "myapi.com"
    resources:
      - 'myapi-resources'
    verbs:
      - '*'
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: SomeClusterRoleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: SomeClusterRole
subjects:
  - kind: ServiceAccount
    name: SomeServiceAccount

But it throws: The ClusterRoleBinding "SomeClusterRoleBinding" is invalid: subjects[0].namespace: Required value

I thought the whole point of "Cluster"RoleBinding is that it's not limited to a single namespace. Anyone can explain this?

Kubernetes version 1.13.12, kubectl version v1.16.2. Thanks.

fardin asked Nov 15 '19 12:11

2 Answers

You are not required to set a namespace while creating a ServiceAccount; the case here is that you are required to specify the namespace of your ServiceAccount when you refer to it while creating a ClusterRoleBinding to select it.

ServiceAccounts are namespace-scoped subjects, so when you refer to them, you have to specify the namespace of the ServiceAccount you want to bind. (Source)

In your case you can just use the default namespace while creating your ClusterRoleBinding, for example.

By doing this you are not tying your ClusterRoleBinding to any namespace, as you can see in this example.

$ kubectl get clusterrolebinding.rbac.authorization.k8s.io/tiller -o yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"name":"tiller"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"tiller","namespace":"kube-system"}]}
  creationTimestamp: "2019-11-18T13:47:59Z"
  name: tiller
  resourceVersion: "66715"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/tiller
  uid: 085ed826-0a0a-11ea-a665-42010a8000f7
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
Mark Watney answered Sep 19 '22 02:09
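The asker's manifest with the fix the answer describes, as an added example that is not part of the thread (neither the asker's file nor the answerer's cluster output). It assumes the ServiceAccount lives in the default namespace and that the custom API group myapi.com with resource myapi-resources from the question exists in the cluster. Two deliberate departures from the question are assumptions, not part of the fix: names are lowercased because ServiceAccount names must be DNS-1123 subdomains, and the verbs are spelled out instead of '*' so the grant stays limited to the custom resource rather than, as in the tiller output above, cluster-admin.

```yaml
# Added example, not from the thread. Assumptions: namespace "default",
# API group "myapi.com", resource "myapi-resources". Names lowercased.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: some-service-account
  namespace: default          # ServiceAccounts are namespaced objects
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: some-cluster-role       # cluster-scoped: no metadata.namespace
rules:
  - apiGroups: ["myapi.com"]
    resources: ["myapi-resources"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: some-cluster-role-binding   # cluster-scoped: no metadata.namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: some-cluster-role
subjects:
  - kind: ServiceAccount
    name: some-service-account
    namespace: default          # required: says WHICH ServiceAccount, not WHERE the grant applies
```

After `kubectl apply -f rbac.yaml`, the grant can be checked without a pod by impersonating the ServiceAccount: `kubectl auth can-i list myapi-resources.myapi.com --as=system:serviceaccount:default:some-service-account --all-namespaces` should answer `yes` (the binding is cluster-wide even though the subject's namespace is named), while `kubectl auth can-i list pods --as=system:serviceaccount:default:some-service-account` should answer `no`, confirming the ClusterRole grants nothing beyond the custom resource.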


The cluster-wide aspect of a ClusterRole is that the resources in the rules are cluster-wide. For example, you could use a ClusterRole to give a subject get access to all Pods in all namespaces. With a Role, you could only give a subject get access to Pods in specific namespaces.

The cluster-wide aspect of a ClusterRoleBinding does not apply in any way to the subjects of the binding. In your example, you cannot create a binding for all service accounts with a particular name in all namespaces.

Matthew T. Staebler answered Sep 18 '22 02:09
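The distinction in the answer above, that the "cluster" in ClusterRoleBinding describes the resources the grant reaches and never the subjects, shown as an added example that is not part of the thread. It assumes a ClusterRole named some-cluster-role for myapi-resources.myapi.com already exists, plus a namespace team-a and a ServiceAccount ci-deployer in a namespace ci; all of these names are made up for the example. The first document reuses the ClusterRole through a RoleBinding, so the same rules apply only inside team-a; the second shows that a Group subject, the one subject kind that can cover many ServiceAccounts at once, carries no namespace field at all.

```yaml
# Added example, not from the thread. Assumes ClusterRole "some-cluster-role",
# namespaces "team-a" and "ci", and ServiceAccount "ci-deployer" in "ci".
#
# 1) A RoleBinding may point at a ClusterRole. The binding's own
#    metadata.namespace bounds the grant: ci-deployer may act on
#    myapi-resources in "team-a" only, nowhere else.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer-team-a
  namespace: team-a             # where the grant applies
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: some-cluster-role
subjects:
  - kind: ServiceAccount
    name: ci-deployer
    namespace: ci               # still required: where the subject lives, not where the grant applies
---
# 2) User and Group subjects are not namespaced, so they take apiGroup
#    instead of namespace. The group below is every ServiceAccount in
#    "team-a"; there is no subject meaning "the SA named X in every namespace",
#    which is why the binding in the question had to name one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: team-a-service-accounts
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: some-cluster-role
subjects:
  - kind: Group
    name: system:serviceaccounts:team-a
    apiGroup: rbac.authorization.k8s.io
```

With only the RoleBinding applied, `kubectl auth can-i list myapi-resources.myapi.com --as=system:serviceaccount:ci:ci-deployer -n team-a` answers `yes` and the same command with `-n default` answers `no`: the ClusterRole's rules are cluster-wide in what they describe, but the binding decides how far they reach.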