Verify the Role and Binding

Now that the user, Role, and RoleBinding are defined, let's switch back to rbac-user and test.

To switch back to rbac-user, issue the following command, which sources the rbac-user environment variables and verifies that they have taken effect:

. rbacuser_creds.sh; aws sts get-caller-identity

You should see output reflecting that you are logged in as rbac-user.

As rbac-user, issue the following to get pods in the rbac-test namespace:

kubectl get pods -n rbac-test

The output should be similar to:


NAME                    READY     STATUS    RESTARTS   AGE
nginx-55bd7c9fd-kmbkf   1/1       Running   0          23h

Try running the same command again, but outside of the rbac-test namespace:

kubectl get pods -n kube-system

You should get an error similar to:


No resources found.
Error from server (Forbidden): pods is forbidden: User "rbac-user" cannot list resource "pods" in API group "" in the namespace "kube-system"

This is because the Role you are bound to does not give you access to any namespace other than rbac-test.
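
As an added example (not part of the original workshop), the two manual checks above can be made repeatable with `kubectl auth can-i`, which asks the API server whether the current identity may perform an action. The expectations list contains only the two results shown on this page; the function names `can_i` and `check_rbac` are illustrative.

```shell
#!/bin/sh
# Added example: assert the namespace boundary of the current identity's RBAC.
# Expectations mirror the two results shown on this page, nothing more.
# Format per line: <namespace> <verb> <resource> <expected yes|no>
EXPECTED='rbac-test list pods yes
kube-system list pods no'

# can_i prints "yes" or "no" for the current identity.
# Returns 2 when kubectl gave neither answer (e.g. API server unreachable).
can_i() {
  local ns="$1" verb="$2" resource="$3" answer
  # "kubectl auth can-i" exits 1 on "no", so the exit code alone cannot
  # distinguish a denial from a failed request; inspect stdout instead.
  answer=$(kubectl auth can-i "$verb" "$resource" -n "$ns" 2>/dev/null) || true
  case "$answer" in
    yes*) echo yes ;;
    no*)  echo no ;;   # some kubectl versions append a reason after "no"
    *)    return 2 ;;
  esac
}

# check_rbac compares each expectation line with the live answer.
# Returns the number of mismatches (0 means the boundary holds).
check_rbac() {
  local failures=0 ns verb resource want got
  while read -r ns verb resource want; do
    [ -n "$ns" ] || continue
    got=$(can_i "$ns" "$verb" "$resource") || got=error
    if [ "$got" = "$want" ]; then
      echo "ok    $verb $resource in $ns -> $got"
    else
      echo "FAIL  $verb $resource in $ns -> $got (expected $want)"
      failures=$((failures + 1))
    fi
  done <<EOF
$1
EOF
  return "$failures"
}
```

After sourcing rbacuser_creds.sh, load these functions and run `check_rbac "$EXPECTED"`; a non-zero return value is the number of permissions that differ from what the Role is meant to grant.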