List of Kubernetes RBAC rule verbs

8/26/2019

I want to give my application limited access to get the replicas of different statefulsets (and maybe deployments) and, if necessary, scale them up or down.

I have created a ServiceAccount, RoleBinding and Role for this, but I can't find the complete list of rule verbs ("get", "watch", "list", "update") and what their limitations are. For example, can I use update for scaling, or do I need another verb? And where can I find a list or table that describes these verbs?

My yaml file:

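kind: Role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the stable version
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: scaler-role
  namespace: {{ .Release.Namespace  | quote }}
rules:
- apiGroups: ["apps"]
  # RBAC resource names are plural; "statefulset" would match nothing
  resources: ["statefulsets"]
  verbs: ["get", "watch", "list", "update"]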
-- AVarf
kubernetes
rbac
service-accounts

2 Answers

8/26/2019

Here is the list of RBAC verbs:

RBAC verbs

For scaling, I think you'll need write permissions (create, update and patch) along with read permissions (get, list and watch).

-- Vikram Hosakote
Source: StackOverflow

8/26/2019

A list of verbs can be found here https://kubernetes.io/docs/reference/access-authn-authz/authorization/#review-your-request-attributes

and a brief description can be found here https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb

I have a role that I use for updating the Docker image tag for deployments, which looks like this (I don't use mine to create the deployment, just to patch the image tag):

kind: ClusterRole
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the stable version
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployer
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "patch"]
-- David Cheung
Source: StackOverflow
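
An added example, not part of the question or either answer: a least-privilege variant of the scaler role that grants write access only on the `scale` subresource, since `update` or `patch` on the whole `statefulsets` resource would also allow changing the pod template. The names `scale-only` and `scaler` and the namespace `demo` are assumptions.

```yaml
# Added example; scale-only, scaler and the demo namespace are assumed names.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: scale-only
  namespace: demo
rules:
# Read-only access to the workload objects (spec.replicas is readable here).
- apiGroups: ["apps"]
  resources: ["statefulsets", "deployments"]
  verbs: ["get", "list", "watch"]
# Write access limited to the replica count via the scale subresource.
# "update" authorizes PUT, "patch" authorizes PATCH, and "get" lets the
# client read the current Scale object.
- apiGroups: ["apps"]
  resources: ["statefulsets/scale", "deployments/scale"]
  verbs: ["get", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: scale-only
  namespace: demo
subjects:
- kind: ServiceAccount
  name: scaler          # assumed ServiceAccount used by the application
  namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: scale-only
# Checks to run after applying (impersonating the ServiceAccount):
#   kubectl auth can-i patch statefulsets --subresource=scale -n demo \
#     --as=system:serviceaccount:demo:scaler
#   kubectl auth can-i update statefulsets -n demo \
#     --as=system:serviceaccount:demo:scaler
```

The first check covers the permission this Role grants; the second covers a whole-object update, which this Role does not grant.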