chaoskube
Add flag that limits Kubernetes API calls to a certain namespace
Alternative implementation for https://github.com/linki/chaoskube/pull/108
Hello.
Is there any chance to merge this PR ? We have used this branch to test chaoskube in a namespaced application (with openshift) and this is working fine.
Regards.
@linki what is left on this to make it merge-able?
This is merged and released in v0.27.0.
You can now use --client-namespace-scope=target-namespace to limit all API calls to the target-namespace namespace, allowing you to only give chaoskube permission to that namespace. The flags --namespaces and --namespace-labels kind of become obsolete in that mode.
Here are the RBAC rules that worked for me:
# global role that allows chaoskube to list and delete pods as well as create events.
# you could also use a namespaced role but you would need to redefine it in each target namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: chaoskube
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create"]
---
# a non-global role binding in the target namespace from the chaoskube service account to the global role.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: chaoskube
  namespace: target-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: chaoskube
subjects:
  - kind: ServiceAccount
    name: chaoskube
    namespace: chaoskube
---
# service account for chaoskube in the namespace where chaoskube runs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: chaoskube
  namespace: chaoskube
/cc @cazeaux @desponda @SleepyBrett @spapinistarkware @PunchGrey
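The point of the RBAC layout in the comment above is that a ClusterRole bound through a namespaced RoleBinding only takes effect inside target-namespace. The following is an added example, not chaoskube's code or the comment author's: a small evaluator over in-line copies of those three objects that answers "can the chaoskube service account do X in namespace Y?" the way `kubectl auth can-i` would. It models only the subset of RBAC the manifests use (core API group, no resourceNames, no wildcard verbs); the real decision is the API server's.

```python
# Added example: a minimal RBAC evaluator for the manifests in the comment above.
# It models only what those manifests use: core API group, explicit verbs, no wildcards.
from typing import Dict, List

# Service account from the manifests: ServiceAccount "chaoskube" in namespace "chaoskube".
SA = "system:serviceaccount:chaoskube:chaoskube"

# Constructed in-line to mirror the ClusterRole above.
CLUSTER_ROLES: Dict[str, List[dict]] = {
    "chaoskube": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "delete"]},
        {"apiGroups": [""], "resources": ["events"], "verbs": ["create"]},
    ],
}

# The RoleBinding above: scoped to target-namespace, pointing at the ClusterRole.
# A ClusterRoleBinding would carry no "namespace" key and apply cluster-wide.
BINDINGS: List[dict] = [
    {"kind": "RoleBinding", "namespace": "target-namespace", "roleRef": "chaoskube",
     "subjects": [{"namespace": "chaoskube", "name": "chaoskube"}]},
]


def _subject_matches(subject: dict, sa: str) -> bool:
    return sa == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"


def can_i(sa: str, verb: str, resource: str, namespace: str, bindings=BINDINGS) -> bool:
    """True if some binding that applies to `sa` in `namespace` grants verb on resource."""
    for b in bindings:
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue  # namespaced binding: effective only inside its own namespace
        if not any(_subject_matches(s, sa) for s in b["subjects"]):
            continue
        for rule in CLUSTER_ROLES.get(b["roleRef"], []):
            if "" in rule["apiGroups"] and resource in rule["resources"] and verb in rule["verbs"]:
                return True
    return False


def scope_report(sa: str, namespaces) -> Dict[str, bool]:
    """Per namespace: may `sa` delete pods there? With the RoleBinding, only target-namespace."""
    return {ns: can_i(sa, "delete", "pods", ns) for ns in namespaces}


if __name__ == "__main__":
    print(scope_report(SA, ["target-namespace", "kube-system", "chaoskube"]))
```

Passing a constructed ClusterRoleBinding as `bindings` shows the contrast: the same ClusterRole then grants pod deletion in every namespace, which is exactly what the namespaced RoleBinding avoids.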