I have the following user manifest and I would like to allow myapp-user to get a list of all namespaces within the cluster. From what I've looked up I'm supposed to create a ClusterRole, but I can't really find enough details on it. Is there a list anywhere of all the apiGroups and the corresponding resources and verbs?
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp-user
  namespace: myapp
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: myapp-user-role
  namespace: myapp
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["*"]
  - apiGroups: ["networking.k8s.io"]
    resources:
      - ingresses   # the resource name is plural ("ingress" would not match)
    verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: myapp-user
  namespace: myapp
subjects:
  - kind: ServiceAccount
    name: myapp-user   # must match the ServiceAccount name exactly (was "myapp-suer")
    namespace: myapp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: myapp-user-role
```
I thought that adding this to the role.rules might help, but unfortunately not:

```yaml
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get"]   # RBAC verbs are lowercase; "GET" never matches
```
You can get API resources via:

```shell
kubectl api-resources
```

```text
NAME                     SHORTNAMES   APIGROUP   NAMESPACED   KIND
bindings                                         true         Binding
componentstatuses        cs                      false        ComponentStatus
configmaps               cm                      true         ConfigMap
endpoints                ep                      true         Endpoints
events                   ev                      true         Event
limitranges              limits                  true         LimitRange
namespaces               ns                      false        Namespace
nodes                    no                      false        Node
persistentvolumeclaims   pvc                     true         PersistentVolumeClaim
persistentvolumes        pv                      false        PersistentVolume
```
And for creating a ClusterRole and ClusterRoleBinding, the commands below should work:

```shell
kubectl create clusterrole cr --verb=get,list --resource=namespaces
kubectl create clusterrolebinding crb --clusterrole=cr --serviceaccount=default:default
```

And then, to test it:

```shell
kubectl auth can-i get ns --as=system:serviceaccount:default:default
kubectl auth can-i list ns --as=system:serviceaccount:default:default
```
Thanks to @abhishek-jaisingh's and @arghya-sadhu's answers I was able to figure it out and rewrite the commands as a manifest.

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: myapp-user-cr
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: myapp-user-crb   # cluster-scoped object, so no metadata.namespace
subjects:
  - kind: ServiceAccount
    name: myapp-user
    namespace: myapp
roleRef:
  kind: ClusterRole
  name: myapp-user-cr
  apiGroup: rbac.authorization.k8s.io
```
You can list all the resource kinds your cluster supports via this command:

```shell
❯❯❯ kubectl api-resources
```

```text
NAME                     SHORTNAMES   APIGROUP   NAMESPACED   KIND
bindings                                         true         Binding
componentstatuses        cs                      false        ComponentStatus
configmaps               cm                      true         ConfigMap
endpoints                ep                      true         Endpoints
events                   ev                      true         Event
limitranges              limits                  true         LimitRange
namespaces               ns                      false        Namespace
nodes                    no                      false        Node
persistentvolumeclaims   pvc                     true         PersistentVolumeClaim
persistentvolumes        pv                      false        PersistentVolume
```

To see all the actions / verbs supported on these resources, you'll need to look up the Kubernetes reference documentation for the version relevant to you, e.g. for CronJobs https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#cronjob-v1beta1-batch
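The `kubectl api-resources` output shown in both answers above is exactly what decides the question: `namespaces` has NAMESPACED set to `false`, so a namespaced Role cannot grant a cluster-wide list of it, and the verbs in the rule have to be lowercase. The script below is an added example, not code from the question or from any of the answers. It parses api-resources output into a scope map and lints a `rules:` list the way a reviewer would before applying a manifest: it flags cluster-scoped resources inside a Role, mis-cased verbs, and wildcard rules. The table text and the rule dicts are constructed from this thread (the parser assumes the column layout shown on the page; newer kubectl prints APIVERSION instead of APIGROUP), and `RBAC_VERBS`, `parse_api_resources` and `lint_rules` are names chosen here, not anything kubectl provides.

```python
"""Lint Kubernetes RBAC rules against `kubectl api-resources` output.

Added example, not code from the question or any of the answers. It encodes
the points the thread turns on: `namespaces` is NAMESPACED=false, so a
namespaced Role cannot grant a cluster-wide list of it (a ClusterRole plus a
ClusterRoleBinding is needed); RBAC verbs are lowercase (`get`, not `GET`);
and wildcard rules grant far more than the question asks for.
"""

# Constructed sample: the rows of `kubectl api-resources` as printed in the
# answers (all in the core API group, so APIGROUP is blank). A real run would
# feed the command's actual output to parse_api_resources instead.
API_RESOURCES_TEXT = """\
NAME                     SHORTNAMES   APIGROUP   NAMESPACED   KIND
bindings                                         true         Binding
componentstatuses        cs                      false        ComponentStatus
configmaps               cm                      true         ConfigMap
endpoints                ep                      true         Endpoints
events                   ev                      true         Event
limitranges              limits                  true         LimitRange
namespaces               ns                      false        Namespace
nodes                    no                      false        Node
persistentvolumeclaims   pvc                     true         PersistentVolumeClaim
persistentvolumes        pv                      false        PersistentVolume
"""

# Verbs the RBAC authorizer understands for resource rules.
RBAC_VERBS = {"get", "list", "watch", "create", "update", "patch",
              "delete", "deletecollection", "*"}


def parse_api_resources(text):
    """Map resource NAME -> (APIGROUP, namespaced?) from api-resources output.

    SHORTNAMES and APIGROUP may both be blank, so a row cannot simply be
    split into five tokens; a lone middle token is assigned by its column.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    group_col = header.index("APIGROUP")
    scope = {}
    for row in rows:
        tokens = row.split()
        name, namespaced = tokens[0], tokens[-2]
        middle = tokens[1:-2]  # SHORTNAMES and/or APIGROUP, either may be blank
        if len(middle) == 2:
            group = middle[1]
        elif len(middle) == 1 and row.index(middle[0], len(name)) >= group_col:
            group = middle[0]  # the single middle token sits under APIGROUP
        else:
            group = ""  # core API group, written as "" in a rule's apiGroups
        scope[name] = (group, namespaced == "true")
    return scope


def lint_rules(kind, rules, scope):
    """Return a list of findings for the `rules:` of a Role or ClusterRole.

    kind  -- "Role" (namespaced) or "ClusterRole"
    rules -- list of dicts with apiGroups / resources / verbs, as in the manifest
    scope -- mapping produced by parse_api_resources
    Resources absent from `scope` are not judged, because the sample table is
    truncated; with full api-resources output they would be unknown names.
    """
    findings = []
    for i, rule in enumerate(rules):
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        for verb in verbs:
            if verb != verb.lower():
                findings.append(f"rule {i}: verb {verb!r} never matches; "
                                f"RBAC verbs are lowercase ({verb.lower()!r})")
            elif verb not in RBAC_VERBS:
                findings.append(f"rule {i}: {verb!r} is not a resource verb the RBAC authorizer knows")
        if "*" in resources or "*" in verbs:
            findings.append(f"rule {i}: wildcard grants every resource or verb; "
                            "list only what the workload needs")
        if kind == "Role":
            for res in resources:
                info = scope.get(res.split("/")[0])  # drop a subresource such as pods/log
                if info is not None and not info[1]:
                    findings.append(
                        f"rule {i}: {res!r} is cluster-scoped; a Role only matches requests in "
                        "its own namespace, so a cluster-wide list needs a ClusterRole + ClusterRoleBinding")
    return findings


# Constructed from the manifests in this thread: the two rules of the question's
# Role that matter here, and the rule of the accepted ClusterRole.
QUESTION_ROLE_RULES = [
    {"apiGroups": ["", "extensions", "apps"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["GET"]},
]
ACCEPTED_CLUSTERROLE_RULES = [
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list"]},
]

if __name__ == "__main__":
    scope = parse_api_resources(API_RESOURCES_TEXT)
    for kind, rules in (("Role", QUESTION_ROLE_RULES), ("ClusterRole", ACCEPTED_CLUSTERROLE_RULES)):
        print(f"{kind}:")
        for finding in lint_rules(kind, rules, scope) or ["no findings"]:
            print("  -", finding)
```

Run against the question's Role it reports three findings (the wildcard rule, the `GET` verb, and `namespaces` being cluster-scoped); the accepted ClusterRole produces none. The scope check is keyed on `kind`, which is the whole point: the very same `namespaces` rule is fine in a ClusterRole and unsatisfiable in a Role.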