Open amoskyler opened 6 years ago
Afaik you need to enable this via `--namespace-restrictions`. Beware though, this will require allowed-role annotations on all namespaces!
Thanks for the response @joerx!
So assuming I deploy my kube2iam daemonset with the `--namespace-restrictions` argument, I should be able to create namespaces with wildcard IAM roles, however, each namespace utilizing kube2iam will need to use an annotation?
I have the following kube2iam ready resources set up in the default namespace:
Namespace:
kube2iam args
test pod
kube2iam is allowing the pod to assume the ModifyRoute53 role, which is not within the allowed-roles of `dev/*` - I would expect that this attempt should be rejected as it's not within the IAM path. Am I missing something, or is this a bug?
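
An added example (not part of the thread and not kube2iam's own code) that models the check discussed above: the namespace allow-list is only consulted when `--namespace-restrictions` is set, and once it is set, a namespace without the annotation allows no roles. The account id, the sample namespaces, the JSON-list annotation value and the fail-closed handling of a malformed annotation are assumptions; `iam.amazonaws.com/allowed-roles` is kube2iam's default namespace annotation key.

```python
import json
from fnmatch import fnmatchcase

# Constructed values: placeholder account id, not taken from the thread.
BASE_ARN = "arn:aws:iam::123456789012:role/"
ALLOWED_ROLES_KEY = "iam.amazonaws.com/allowed-roles"  # default namespace annotation key


def to_arn(role):
    """Expand a bare role name or path to a full ARN; leave full ARNs alone."""
    return role if role.startswith("arn:") else BASE_ARN + role.lstrip("/")


def role_allowed(role, namespace_annotations, namespace_restrictions):
    """Model of the per-namespace check: may a pod in this namespace assume `role`?"""
    if not namespace_restrictions:
        # Flag not set: the namespace annotation is never consulted.
        return True
    raw = namespace_annotations.get(ALLOWED_ROLES_KEY)
    if raw is None:
        # Restrictions on, namespace not annotated: nothing is allowed.
        return False
    try:
        patterns = json.loads(raw)
    except json.JSONDecodeError:
        return False  # assumption in this model: malformed annotation fails closed
    if not isinstance(patterns, list):
        return False
    wanted = to_arn(role)
    # Glob match on the full ARN, so "dev/*" only covers roles under the dev/ path.
    return any(isinstance(p, str) and fnmatchcase(wanted, to_arn(p)) for p in patterns)


# Constructed namespaces mirroring the situation in the thread.
default_ns = {ALLOWED_ROLES_KEY: '["dev/*"]'}
unannotated_ns = {}

if __name__ == "__main__":
    for restrict in (False, True):
        for name, ns in (("default", default_ns), ("unannotated", unannotated_ns)):
            for role in ("ModifyRoute53", "dev/ModifyRoute53"):
                verdict = "allow" if role_allowed(role, ns, restrict) else "deny"
                print(f"restrictions={restrict!s:5} ns={name:11} role={role:17} -> {verdict}")
```
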