How do I determine which apiGroup any given resource belongs in?
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: thing
rules:
- apiGroups: ["<wtf goes here>"]
  resources: ["deployments"]
  verbs: ["get", "list"]
  resourceNames: []
You can run the command below to get the apiVersion and other details.
kubectl explain <Resource Name>
kubectl explain deployment
To get the API resources supported by your Kubernetes cluster:
kubectl api-resources -o wide
example:
NAME          SHORTNAMES   APIGROUP     NAMESPACED   KIND         VERBS
deployments   deploy       apps         true         Deployment   [create delete deletecollection get list patch update watch]
deployments   deploy       extensions   true         Deployment   [create delete deletecollection get list patch update watch]
To get the API versions supported by your Kubernetes cluster:
kubectl api-versions
You can verify, for example, deployment:
kubectl explain deploy
KIND: Deployment
VERSION: extensions/v1beta1
DESCRIPTION:
DEPRECATED - This group version of Deployment is deprecated by
apps/v1beta2/Deployment.
Furthermore you can investigate with api-version:
kubectl explain deploy --api-version apps/v1
In short, you can specify in your apiGroups like:
apiGroups: ["extensions", "apps"]
You can also configure those settings for your cluster (for example, to test that it will work with the next 1.16 release) by passing options into --runtime-config in kube-apiserver.
Additional resources:
For additional notable feature updates for a specific release, please follow, for example:
Continued deprecation of extensions/v1beta1, apps/v1beta1, and apps/v1beta2 APIs; these extensions will be retired in 1.16!
This is a little tricky, because both groups apps and extensions are in use in recent Kubernetes versions, for example:
kubectl get deployments # It is still requested via extensions api group by default.
kubectl get deployments.apps # request via apps group
so until deployments are removed from the extensions apigroup you have to use both apigroups in your role.
kubectl api-resources -o wide
provides the supported API resources on the system.
[suresh.vishnoi@xxx1309 ~]$ kubectl api-resources -o wide
NAME                  SHORTNAMES   APIGROUP   NAMESPACED   KIND                 VERBS
bindings                                      true         Binding              [create]
componentstatuses     cs                      false        ComponentStatus      [get list]
configmaps            cm                      true         ConfigMap            [create delete deletecollection get list patch update watch]
endpoints             ep                      true         Endpoints            [create delete deletecollection get list patch update watch]
events                ev                      true         Event                [create delete deletecollection get list patch update watch]
controllerrevisions                apps       true         ControllerRevision   [create delete deletecollection get list patch update watch]
daemonsets            ds           apps       true         DaemonSet            [create delete deletecollection get list patch update watch]
deployments           deploy       apps       true         Deployment           [create delete deletecollection get list patch update watch]
replicasets           rs           apps       true         ReplicaSet           [create delete deletecollection get list patch update watch]
kubectl api-resources -o wide | grep -i deployment
will provide the relevant information
apps is the apiGroup for the deployment resource
DaemonSet, Deployment, StatefulSet, and ReplicaSet: will no longer be served from extensions/v1beta1, apps/v1beta1, or apps/v1beta2 in v1.16. Migrate to the apps/v1 API, available since v1.9. Existing persisted data can be retrieved/updated via the apps/v1 API.
It is included in the online API documentation.
In your example, if you click through and find the documentation for Role, it lists the group and version in both the sidebar ("Role v1 rbac.authorization.k8s.io") and as the first line in the actual API documentation. Similarly, Deployment is in group "apps" with version "v1".
In the Role specification you only put the group, and it applies to all versions. So to control access to Deployments, you'd specify apiGroups: [apps], resources: [deployments]. (This is actually one of the examples in the RBAC documentation.)
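
Added example (not part of the question or any answer above): a Python example that reads `kubectl api-resources -o wide` output by the header's column offsets, so the blank APIGROUP cell of core resources is kept, and builds the matching Role rule. The sample table is constructed, and the function names `parse_api_resources`, `group_of` and `role_rule` are this example's own.

```python
import json
import re

# Constructed sample of `kubectl api-resources -o wide` output (not captured from
# a real cluster). The APIGROUP cell is blank for core-group resources.
SAMPLE = """\
NAME          SHORTNAMES   APIGROUP     NAMESPACED   KIND         VERBS
configmaps    cm                        true         ConfigMap    [create delete deletecollection get list patch update watch]
deployments   deploy       apps         true         Deployment   [create delete deletecollection get list patch update watch]
deployments   deploy       extensions   true         Deployment   [create delete deletecollection get list patch update watch]
"""


def parse_api_resources(text):
    """Split the fixed-width table on the header's column offsets, so blank cells survive."""
    lines = [line for line in text.splitlines() if line.strip()]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    ends = [start for _, start in cols[1:]] + [None]
    return [
        {name: line[start:end].strip() for (name, start), end in zip(cols, ends)}
        for line in lines[1:]
    ]


def group_of(row):
    """API group of one row; newer kubectl prints APIVERSION (group/version) instead."""
    if "APIGROUP" in row:
        return row["APIGROUP"]
    return row["APIVERSION"].rpartition("/")[0]  # "v1" -> "" (core group)


def role_rule(rows, resource, verbs):
    """Build one Role rule for a resource given by plural name, short name or kind."""
    wanted = resource.lower()
    hits = [
        r for r in rows
        if wanted in {r["NAME"], r["KIND"].lower(), *r["SHORTNAMES"].split(",")}
    ]
    if not hits:
        raise LookupError(f"no API resource matches {resource!r}")
    return {
        "apiGroups": sorted({group_of(r) for r in hits}),
        "resources": sorted({r["NAME"] for r in hits}),
        "verbs": list(verbs),
    }


if __name__ == "__main__":
    rows = parse_api_resources(SAMPLE)
    print(json.dumps(role_rule(rows, "deployments", ["get", "list"])))
    print(json.dumps(role_rule(rows, "cm", ["get"])))
```

For a core-group resource such as configmaps this yields `apiGroups: [""]`, the empty string RBAC uses for the core group.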