Create a cluster role binding that references an existing cluster role named cluster-admin; you can create your own cluster role instead if you want.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: debug-admin-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin # bind to an existing ClusterRole; you can create one if you want
subjects:
- kind: ServiceAccount
  name: debug-sa
  namespace: default
Then recreate your pod with this service account. Don't forget to delete the previous cluster role binding for this service account.
$ k exec -it netshoot -c 'kubectl' -- /bin/bash
I have no name!@netshoot:/$ kubectl get pods
NAME       READY   STATUS    RESTARTS   AGE
netshoot   2/2     Running   0          13m
I have no name!@netshoot:/$ kubectl get svc
Error from server (Forbidden): services is forbidden: User "system:serviceaccount:default:debug-sa" cannot list resource "services" in API group "" in the namespace "default"
I have no name!@netshoot:/$
What's the difference between a role and a cluster role?
A role is scoped to a single namespace; it can only control access to resources inside that namespace.
Some resources, such as PVs and cluster health, are not tied to a namespace. They are cluster-wide, and only a cluster role can control access to them.
A role binding can bind a role to a service account in another namespace.
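As an added example (not from the original post), the following audit runs over JSON shaped like the output of `kubectl get clusterrolebindings,rolebindings -A -o json` and reports, for each service account, the role it is bound to and the scope the binding actually grants. The sample bindings are constructed; `pod-reader`, `debug-pods-rb`, `ops-view-rb` and the `staging` namespace are hypothetical names.

```python
import json

# Constructed sample in the shape of
# `kubectl get clusterrolebindings,rolebindings -A -o json` (not real cluster output).
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "debug-admin-crb"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "debug-sa", "namespace": "default"}]},
 {"kind": "RoleBinding", "metadata": {"name": "debug-pods-rb", "namespace": "default"},
  "roleRef": {"kind": "Role", "name": "pod-reader"},
  "subjects": [{"kind": "ServiceAccount", "name": "debug-sa", "namespace": "default"}]},
 {"kind": "RoleBinding", "metadata": {"name": "ops-view-rb", "namespace": "staging"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "ServiceAccount", "name": "debug-sa", "namespace": "default"}]}
]}
""")

def audit(doc):
    """Return one finding per ServiceAccount subject: who, which role, what scope, warnings."""
    findings = []
    for b in doc.get("items", []):
        ref = b["roleRef"]
        # A ClusterRoleBinding grants everywhere; a RoleBinding grants only in its own
        # namespace, even when it references a ClusterRole.
        if b["kind"] == "ClusterRoleBinding":
            scope = "cluster-wide"
        else:
            scope = "namespace:" + b["metadata"]["namespace"]
        for s in b.get("subjects") or []:
            if s.get("kind") != "ServiceAccount":
                continue
            warnings = []
            if ref["name"] == "cluster-admin":
                warnings.append("cluster-admin")
            if scope != "cluster-wide" and s.get("namespace") != b["metadata"]["namespace"]:
                warnings.append("cross-namespace subject")
            findings.append({
                "binding": b["metadata"]["name"],
                "subject": f'system:serviceaccount:{s.get("namespace")}:{s["name"]}',
                "role": f'{ref["kind"]}/{ref["name"]}',
                "scope": scope,
                "warnings": warnings,
            })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

Against a live cluster, pass the parsed output of the `kubectl` command above to `audit()` in place of `SAMPLE`.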