kubernetes authorization rbac role-based-access-control

Allow everyone in RoleBinding for a namespace


I am trying to create a public namespace public-ns which should be accessible to all users and groups. I have defined a RoleBinding as follows, which allows 2 groups and 2 users to access the namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-everyone
  namespace: public-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-services
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user-one
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user-two
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: group-one
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: group-two

Now, I want to allow access to this namespace for all groups. I have tried giving '*' and any as follows, but it did not work.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-everyone
  namespace: public-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-services
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: any  ## tried '*' as well

Can anyone please suggest how I can give permissions to everyone for this specific namespace? If this is not possible, any suggested alternatives would be great.

Note: OIDC enabled on K8s with Keycloak.

Thanks in advance.


Solution

  • I think you should use the special group system:authenticated

    https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies
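
The suggestion above applied to the question's RoleBinding, as an added example that is not part of the original post. The name some-user in the verification comment is a placeholder; everything else is taken from the question.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-everyone
  namespace: public-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pods-services        # Role from the question; its rules are not shown on the page
subjects:
# RBAC compares subject names literally, so '*' and 'any' only match a group
# that is actually called '*' or 'any'. The API server adds the built-in group
# system:authenticated to every request that passes authentication (OIDC
# users, client certificates, service account tokens), so this single subject
# covers all of them.
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
# Anonymous requests belong to system:unauthenticated and are not covered.
#
# Verify with impersonation (some-user is a placeholder name):
#   kubectl auth can-i list pods -n public-ns --as some-user --as-group system:authenticated
```

Because service accounts from every namespace are also members of system:authenticated, the permissions in pods-services should be limited to what any workload in the cluster may safely do in public-ns.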