Kubernetes RBAC apiGroup field in RoleBinding and ClusterRoleBinding

10/23/2018

Why do we need to write the apiGroup key in this definition again and again, if it is the same every time:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: web-rw-deployment
  namespace: some-web-app-ns
subjects:
- kind: User
  name: "joesmith@example.com"
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: "webdevs"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: web-rw-deployment
  apiGroup: rbac.authorization.k8s.io

  • This looks so redundant; it is repeated for everything.
  • If we need to write it, what are the other values?
  • If there are no other values for the RBAC apiGroup field, then k8s should assume that value automatically: apiGroup: rbac.authorization.k8s.io

This makes the YAML too redundant. Is there any way to work around this? Can we just skip this key, or can we declare this somewhere globally?

-- Ijaz Ahmad Khan
kubernetes
rbac

1 Answer

10/23/2018

Good question. The rationale that I can think of is that there may be different APIs in the future that could be supported, for example, rbacv2.authorization.k8s.io, and you wouldn't like to restrict references and subjects to just one for compatibility reasons.

My take on this is that it would be nice to have yet another optional global field for RoleBinding besides 'subjects' called something like 'bindingApigroup'. Feel free to open an issue: kind/feature, sig/auth and/or sig/api-machinery.

Also, there might be more rationale/details in the sig-auth design proposals.

-- Rico
Source: StackOverflow