Description
Hi
When applying a clusterrolebinding or rolebinding where the subject kind is Group, there should not be a namespace as a group is not a namespaced resource.
There's documentation here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-examples
Terraform Version
Terraform v0.12.16
- provider.aws v2.42.0
- provider.kubernetes v1.10.0
Affected Resource(s)
Please list the resources as a list, for example:
- kubernetes_cluster_role_binding
- kubernetes_role_binding
Terraform Configuration Files
resource "kubernetes_cluster_role_binding" "developer_cluster" {
  metadata {
    name = "company-developer"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.developer_cluster.metadata.0.name
  }
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "company:developer"
  }
}

resource "kubernetes_role_binding" "developer_namespace" {
  metadata {
    name      = "company-developer"
    namespace = kubernetes_namespace.app.metadata.0.name
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.developer_namespace.metadata.0.name
  }
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "Group"
    name      = "company:developer"
  }
}
Expected Behavior
The subject blocks of the role bindings should be created as per the config without a namespace.
Actual Behavior
The role bindings were created and the namespace field was added with a value of default.
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
terraform apply
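
An audit check for the condition reported above, added here as an example (it is not part of the issue or of the provider's code): it scans binding objects for `User` or `Group` subjects that carry a namespace. The sample input is constructed; the `app` namespace and the `ci-deployer` binding are assumed names.

```python
import json

# User and Group subjects are not namespaced objects; only ServiceAccount
# subjects legitimately carry a namespace.
NON_NAMESPACED_KINDS = {"User", "Group"}

# Constructed sample, shaped like the output of
# `kubectl get clusterrolebindings,rolebindings -A -o json`.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {   # what the issue reports: namespace "default" added to a Group
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "company-developer"},
            "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
                          "name": "company:developer", "namespace": "default"}],
        },
        {   # expected shape: Group subject without a namespace
            "kind": "RoleBinding",
            "metadata": {"name": "company-developer", "namespace": "app"},
            "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
                          "name": "company:developer"}],
        },
        {   # ServiceAccount subjects are namespaced, so this one is fine
            "kind": "RoleBinding",
            "metadata": {"name": "ci-deployer", "namespace": "app"},
            "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "app"}],
        },
    ],
})


def find_bad_subjects(raw_json):
    """Return (binding kind, binding name, subject kind, subject name, namespace)
    for every User/Group subject that carries a non-empty namespace."""
    doc = json.loads(raw_json)
    bindings = doc["items"] if "items" in doc else [doc]
    findings = []
    for b in bindings:
        # `subjects` may be absent or null on a binding with no subjects
        for s in b.get("subjects") or []:
            if s.get("kind") in NON_NAMESPACED_KINDS and s.get("namespace"):
                findings.append((b["kind"], b["metadata"]["name"],
                                 s["kind"], s["name"], s["namespace"]))
    return findings


if __name__ == "__main__":
    for finding in find_bad_subjects(SAMPLE):
        print("non-namespaced subject with namespace set:", finding)
```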