Accessing a secure mode cluster from a different Kubernetes namespace

I have a Kubernetes cluster where I deployed CockroachDB in secure mode into a namespace dedicated to the data layer. I would like to access this from other namespaces but the issue I’ve run into is that the init-certs container doesn’t have permission to get the certs because the service account can’t be used cross-namespace.

I’ve gotten as far as to create a role and rolebinding in the service namespace that references the service account but I’m not entirely sure how to get the init container to use that instead of the service account (serviceAccountName).

I’m using this as the example to get this working: https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/example-app-secure.yaml

I would really like for my services to run in different namespaces than CockroachDB if at all possible!

Thanks!

-brian

Hello Brian,

As I recall, the Kubernetes API provides a single CA for the entire cluster, regardless of namespace.
The namespace should not matter when sending a CSR, all that matters is that the CSR is approved.

The namespace used by the init-certs container should be the same as the one used by the job it’s attached to, not the one used by the CockroachDB nodes.

In case this does not help, could you share your configs? It’s a little bit hard to tell exactly what you’re specifying.

Right, so I was trying to use the cockroachdb serviceaccount (as per the example) but what I ended up needing to do was create a service account in the new namespace with the correct perms to access the CA.

Thanks!

-brian
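The resolution Brian describes above, written out as a set of manifests. This is an added example, not the thread's own configs or the CockroachDB project's manifests. It assumes an application namespace named `app`, a service account named `crdb-client`, a ClusterRole named `crdb-csr-requester`, and that the CockroachDB nodes run in a namespace named `data`; the init-container command line and image tag follow the linked example-app-secure.yaml and should be checked against the version you actually deploy.

```yaml
# Added example (not from the thread or the CockroachDB repo).
# Assumed names: namespace "app", ServiceAccount "crdb-client",
# ClusterRole "crdb-csr-requester". CockroachDB itself lives in "data" and is untouched.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: crdb-client
  namespace: app          # a pod can only use an SA from its own namespace
---
# CertificateSigningRequests are cluster-scoped, so a namespaced Role cannot grant this.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crdb-csr-requester
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests"]
  verbs: ["create", "get", "watch"]   # request and poll; approval stays with an admin
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: crdb-csr-requester-app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: crdb-csr-requester
subjects:
- kind: ServiceAccount
  name: crdb-client
  namespace: app          # the subject names the SA's own namespace, not "data"
---
# The issued client cert is written to a Secret in "app" only; no list/delete verbs,
# so the SA cannot enumerate or read other Secrets in the namespace by name guessing.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: crdb-client-secrets
  namespace: app
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: crdb-client-secrets
  namespace: app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: crdb-client-secrets
subjects:
- kind: ServiceAccount
  name: crdb-client
  namespace: app
---
# Client pod: serviceAccountName resolves inside the pod's namespace ("app"),
# which is why the "cockroachdb" SA from the data namespace could not be reused.
apiVersion: v1
kind: Pod
metadata:
  name: crdb-client-app
  namespace: app
spec:
  serviceAccountName: crdb-client
  initContainers:
  - name: init-certs
    image: cockroachdb/cockroach-k8s-request-cert:0.4   # tag as in the linked example
    imagePullPolicy: IfNotPresent
    command:
    - "/bin/ash"
    - "-ecx"
    # -namespace comes from the pod, so the CSR and Secret land in "app" (matches the reply above)
    - "/request-cert -namespace=${POD_NAMESPACE} -certs-dir=/cockroach-certs -type=client -user=root -symlink-ca-from=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
    env:
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    volumeMounts:
    - name: client-certs
      mountPath: /cockroach-certs
  containers:
  - name: cockroachdb-client
    image: cockroachdb/cockroach:v19.1.0     # assumed tag; use the one matching your cluster
    command: ["sleep", "2147483648"]
    volumeMounts:
    - name: client-certs
      mountPath: /cockroach-certs
  volumes:
  - name: client-certs
    emptyDir: {}
```

Before applying, the two grants can be checked from outside the pod with `kubectl auth can-i create certificatesigningrequests --as=system:serviceaccount:app:crdb-client` and `kubectl auth can-i create secrets -n app --as=system:serviceaccount:app:crdb-client`; both should answer `yes`, and `kubectl auth can-i list secrets -n app --as=system:serviceaccount:app:crdb-client` should answer `no`. As the reply notes, the CSR still has to be approved (`kubectl certificate approve <csr-name>`) before the init container completes. From inside the client container the nodes are reached across namespaces by their service DNS name, for example `--host=cockroachdb-public.data`, assuming the public service is named `cockroachdb-public` as in the CockroachDB manifests.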