Kubernetes cluster role admin not able to get deployment status

11/10/2018

I have the following role:

  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: admin

When I do a kubectl proxy --port 8080 and then try doing

http://127.0.0.1:8080/apis/extensions/v1beta1/namespaces/cdp/deployments/{deploymentname}

I get a 200 and everything works fine. However when I do:

http://127.0.0.1:8080/apis/extensions/v1beta1/namespaces/cdp/deployments/{deploymentname}/status

I get forbidden and a 403 status back.

I am also able to do get, create, list, watch on deployments with my admin role.

Any idea as to why /status would give forbidden when I clearly have all the necessary permissions as admin for my namespace?

-- Dipayan
amazon-eks
authentication
kubernetes

2 Answers

11/10/2018

You mentioned verbs of the role and you didn't mention resources and apiGroup. Make sure the following are set:

  - apiGroups:
    - apps
    - extensions
    resources:
    - deployments/status
    verbs:
    - get  # read access to the status subresource, as requested in the question
-- Abdennour TOUMI
Source: StackOverflow

11/10/2018

The status subresource doesn't give you any more information than simply fetching the deployment.

The admin role permissions do not let you write deployment status. They let you create and delete the deployment objects, controlling the "spec" portion of the object. Status modification permissions are granted to the deployment controller.

-- Jordan Liggitt
Source: StackOverflow
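
Why the first request in the question succeeds and the /status request returns 403, as an added example that is not from the original question or answers: a simplified Python model of how an RBAC rule's resources list is compared with a request, where a subresource has to be named as resource/subresource. The rule sets and the deployment name "web" are constructed for illustration.

```python
# Simplified model of RBAC resource matching (ignores resourceNames and
# nonResourceURLs). Rule sets and the deployment name "web" are constructed.

def parse_path(path):
    """Parse /apis/<group>/<version>/namespaces/<ns>/<resource>[/<name>[/<sub>]]."""
    parts = path.strip("/").split("/")
    if len(parts) < 6 or parts[0] != "apis" or parts[3] != "namespaces":
        raise ValueError("unsupported path: " + path)
    return {"group": parts[1], "resource": parts[5],
            "subresource": parts[7] if len(parts) > 7 else ""}

def resource_matches(rule_resource, resource, subresource):
    """A rule entry covers a subresource only via '*', 'res/sub' or '*/sub'."""
    combined = resource + "/" + subresource if subresource else resource
    if rule_resource in ("*", combined):
        return True
    return bool(subresource) and rule_resource == "*/" + subresource

def rule_allows(rule, verb, req):
    return (("*" in rule["verbs"] or verb in rule["verbs"])
            and ("*" in rule["apiGroups"] or req["group"] in rule["apiGroups"])
            and any(resource_matches(r, req["resource"], req["subresource"])
                    for r in rule["resources"]))

def allowed(rules, verb, path):
    req = parse_path(path)
    return any(rule_allows(rule, verb, req) for rule in rules)

# Constructed stand-in for the permissions the question lists on deployments.
ASKER_RULES = [{"apiGroups": ["apps", "extensions"],
                "resources": ["deployments"],
                "verbs": ["get", "create", "list", "watch"]}]
# The rule from the first answer, with the read verb the request needs.
STATUS_RULE = {"apiGroups": ["apps", "extensions"],
               "resources": ["deployments/status"],
               "verbs": ["get"]}
BASE = "/apis/extensions/v1beta1/namespaces/cdp/deployments/web"

if __name__ == "__main__":
    for rules, label in ((ASKER_RULES, "before"), (ASKER_RULES + [STATUS_RULE], "after")):
        for path in (BASE, BASE + "/status"):
            print(label, path, "->", "allow" if allowed(rules, "get", path) else "403")
```

Against a live cluster, `kubectl auth can-i get deployments --subresource=status -n cdp` answers the same question for the current user.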