Creating Kubernetes RBAC for Developer Access to Database without Ingress

Hi there. I’m trying to create Kubernetes access (with RBAC so far) to allow a developer to access the cluster through kubectl to a designated namespace, to access a database. I don’t want or need to use an ingress.
What is the most reasonable way to make that happen? So far I’ve created the serviceaccount, role, rolebinding but haven’t gotten the kubectl config right to allow that access.
We also have Rancher in use, if that is of help, though the main purpose is to 1) let the developer install kubectl so he can do port-forward to the pod and then access the database through a local port…

If you only need the user to have access to the database, you don’t need RBAC.

Restrict the access port to the user’s IP, that’s all.

OK, but if there is no ingress, then how do you mean that?

Well, create a node port service or externalIP service.

RBAC is used to limit access to resources inside Kubernetes clusters, but RBAC doesn’t restrict connections to the services that you have exposed in your k8s cluster.

Perhaps that would also be a solution, but I would rather get the kubectl access working; in time that would not be the only access anyway, I guess…

But do you need your users to access resources INSIDE the cluster, or do you need your users to access the services exposed in your cluster?

I need someone to be able to access some resources inside the cluster, and that might add up in time. I don’t specifically need to expose services for each one of those cases, no.

OK, how do you manage your auth service in your cluster, maybe LDAP?

For example, I create several databases and for some time they need direct access to the database… but otherwise ingress is not really needed. It has been a bit of a complicated issue with database access using ingresses so far.

Ohh, then you only need to expose your service.

At the moment there is no LDAP setup yet… only some local users using with Rancher mostly.

You don’t need your users to perform actions like kubectl get pods bla -n bla.

No… just access to the port.

OK, so you don’t need RBAC.

So you suggest a service with nodeport then?

OK… if I already have a service, then I can add another one for this temporary use that would work in parallel as well?

Thanks then, I’ll try to get it to work :wink: