# RBAC for the "demo" namespace: a ServiceAccount, a namespaced Role, and the
# RoleBinding that ties a subject to that Role.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pre-admin
  namespace: demo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pods-reader-writer
  namespace: demo
rules:
  - apiGroups:
      - ""  # "" selects the core API group
    # NOTE(review): "*" resources with "*" verbs grants every action on every
    # core-group resource in this namespace (Secrets, ConfigMaps, ...), which
    # is far broader than the Role's name suggests. If only pods are needed,
    # narrow it, e.g. `resources: ["pods"]` plus the verbs actually used.
    resources:
      - "*"
    verbs:
      - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pods-reader-writer
  namespace: demo
subjects:
  # A subject may be a User, a Group, or a ServiceAccount.
  # NOTE(review): this binds "demo-pods-admin", but the only ServiceAccount
  # this manifest creates is "pre-admin" (first document). Confirm which
  # account is intended; if it is the one above, use `name: pre-admin`.
  - kind: ServiceAccount
    name: demo-pods-admin
    namespace: demo
roleRef:
  # May reference a Role or a ClusterRole; a ClusterRole referenced from a
  # RoleBinding still only grants access inside the RoleBinding's namespace.
  kind: Role
  name: pods-reader-writer
  apiGroup: rbac.authorization.k8s.io