When defining a ServiceAccount, you tell Kubernetes which apiGroups, resources, and verbs you want to give access to:
apiVersion: v1
kind: ServiceAccount
...
kind: Role
rules:
- apiGroups: [""]
resources: ["pods", "pods/exec", "persistentvolumeclaims", "services"]
verbs: ["get", "watch", "list", "create", "update", "patch", "delete", "deletecollection"]
Where can you find the full list of options?
Running kubectl api-resources -o wide gives many of them, but does not return subresources like pods/exec or pods/log.
Simply execute:
kubectl api-resources --verbs=list --namespaced -o name \
| xargs -n 1 kubectl get --show-kind --ignore-not-found -l <label>=<value> -n <namespace>
The xargs command in UNIX is a command line utility for building an execution pipeline from standard input. Whilst tools like grep can accept standard input as a parameter, many other tools cannot. Using xargs allows tools like echo and rm and mkdir to accept standard input as arguments.
To fetch the logs, use the kubectl logs command, as follows:
kubectl logs your-pod-name -n namespace-name
Sub-resources and verbs that you need to define RBAC roles are not documented anywhere in a static list. They are available in the discovery documentation, i.e. via the API, e.g. /api/apps/v1.
The following bash script will list all the resources, sub-resources and verbs in the following format:
api_version resource: [verb]
where api_version is core for the core resources and should be replaced by "" (an empty quoted string) in your role definition. For example, core pods/status: get patch update.
The script requires jq.
#!/bin/bash
# API server address: point this at your API server or at a local kubectl proxy
SERVER="localhost:8080"
# every non-core API group advertised by the discovery endpoint, space separated
APIS=$(curl -s "$SERVER/apis" | jq -r '[.groups | .[].name] | join(" ")')
# do core resources first, which are at a separate api location (/api/v1 instead of /apis/<group>/<version>)
api="core"
curl -s "$SERVER/api/v1" | jq -r --arg api "$api" '.resources | .[] | "\($api) \(.name): \(.verbs | join(" "))"'
# now do non-core resources, asking each group for its preferred version
for api in $APIS; do
    version=$(curl -s "$SERVER/apis/$api" | jq -r '.preferredVersion.version')
    # .[]? tolerates a group version that lists no resources at all
    curl -s "$SERVER/apis/$api/$version" | jq -r --arg api "$api" '.resources | .[]? | "\($api) \(.name): \(.verbs | join(" "))"'
done
Note that where no verbs are listed via the api, the output will just show the api version and the resource, e.g. core pods/exec:
For the following resources, unfortunately, no verbs are shown via the api:
nodes/proxy
pods/attach
pods/exec
pods/portforward
pods/proxy
services/proxy
The supported verbs for these resources are as follows:
nodes/proxy: create delete get patch update
pods/attach: create get
pods/exec: create get
pods/portforward: create get
pods/proxy: create delete get patch update
services/proxy: create delete get patch update
Documentation about logging: kubernetes-logging.
More information you can find here: api-resources.
Useful blog: kubectl-cheat-sheet.