In Kubernetes if I create a rolebinding with a serviceaccount subject without namespace defined ¿which sa is used?

Question

I can create a rolebinding like this

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test
  namespace: rolebinding-ns
subjects:
  - kind: ServiceAccount
    name: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view

The subject defines a ServiceAccount without the namespace, and we have a "default" serviceaccount in this rolebinding-ns namespace but we have some other "default" serviceaccounts in other namespaces, included the system namespaces, are different serviceaccounts but with the same name

The question is. Which serviceaccount is used in this rolebinding? The one that is in the same namespace as the rolebinding or kube-system one or any other?

I just applied the yml of the rolebinding without error but I do not know which serviceaccount is being used.

Answer 1

There's no namespace specified for the service account in your question:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test
  namespace: rolebinding-ns
subjects:
  - kind: ServiceAccount
    name: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view

Which serviceaccount is used in this rolebinding? The one that is in the same namespace as the rolebinding or kube-system one or any other?

RoleBinding is a namespaced object, therefore in this case the one that is in the same namespace as the rolebinding and no other.