Auto-generated namespace in (Cluster)RoleBindings

[cschmatzler]

According to the Tanka documentation:

Tanka sets metadata.namespace to the value of spec.namespace in spec.json

That works great, and creates all resources, including serviceaccounts, in that spec.json namespace.
When creating a RoleBinding, the subject option requires a namespace to be set. How do I get that in there? Right now, I'm adding an extra namespace option to the jsonnet config, but that kinda defeats the purpose of Tanka adding it automatically.
Is there a way to refer to that spec.json namespace inside a RoleBinding subject?

[khirotaka]

Hello!
I also encountered this issue when binding a Service Account with a Role, but I was able to solve it using the following method:

local k = import 'k.libsonnet';
local tk = import 'tk';

{
  sa:
    k.core.v1.serviceAccount.new('sample')
    + k.core.v1.serviceAccount.metadata.withNamespace(
      tk.env.spec.namespace  // IMPORTANT !!!
    ),

  role:
    k.rbac.v1.role.new('sample-role')
    + k.rbac.v1.role.withRules([
      k.rbac.v1.policyRule.withApiGroups(['apps'])
      + k.rbac.v1.policyRule.withResources(['deployments'])
      + k.rbac.v1.policyRule.withVerbs(['get']),
    ]),

  bind:
    k.rbac.v1.roleBinding.new('sample-role-bind')
    + k.rbac.v1.roleBinding.withSubjects([
      k.rbac.v1.subject.fromServiceAccount(self.sa),
    ])
    + k.rbac.v1.roleBinding.bindRole(self.role),
}

You may have already resolved this, but I hope this information is helpful!