I want to give my application limited access to get the replicas of different statefulsets (and maybe deployments) and, if necessary, scale them up or down.
I have created a ServiceAccount, RoleBinding and Role for this, but I can't find the complete list of rule verbs ("get", "watch", "list", "update") and what their limitations are. For example, can I use update for scaling, or do I need another verb? And where can I find a list or table that describes these verbs?
My yaml file:
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: scaler-role
  namespace: {{ .Release.Namespace | quote }}
rules:
  - apiGroups: ["apps"]
    # RBAC resource names are the plural form used in the API path
    resources: ["statefulsets"]
    verbs: ["get", "watch", "list", "update"]
```
Here is the list of RBAC verbs:
For scaling, I think you'll need write permissions (create, update and patch) along with read permissions (get, list and watch).
A list of verbs can be found here https://kubernetes.io/docs/reference/access-authn-authz/authorization/#review-your-request-attributes
and a brief description can be found here https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb
I have a role that I use for updating the docker image tag for deployments which looks like this (I don't use mine to create the deployment, just to patch the image tag)
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployer
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "patch"]
```
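
A least-privilege variant of the Role from the question, as an added example that is not from the original posts: it grants write verbs only on the `scale` subresource, which is what `kubectl scale` uses, so the service account can change replica counts without being able to edit the rest of the workload spec. The names `scaler`, `scaler-binding` and the namespace `my-namespace` are placeholders.

```yaml
# Added example; "scaler", "scaler-binding" and "my-namespace" are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: scaler
  namespace: my-namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: scaler-role
  namespace: my-namespace
rules:
  # Read-only view of the workloads themselves (no write verbs here).
  - apiGroups: ["apps"]
    resources: ["statefulsets", "deployments"]
    verbs: ["get", "list", "watch"]
  # Scaling goes through the "scale" subresource: get reads the replica
  # count, update/patch changes it. A rule on "statefulsets" alone does
  # not cover "statefulsets/scale"; subresources must be listed explicitly.
  - apiGroups: ["apps"]
    resources: ["statefulsets/scale", "deployments/scale"]
    verbs: ["get", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: scaler-binding
  namespace: my-namespace
subjects:
  - kind: ServiceAccount
    name: scaler
    namespace: my-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: scaler-role
```

The result can be checked with `kubectl auth can-i patch statefulsets --subresource=scale --as=system:serviceaccount:my-namespace:scaler -n my-namespace`, which should answer `yes`, while the same query without `--subresource=scale` should answer `no`.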