Scale kubernetes deployment within a pod - permission denied?

2/24/2022

I'm trying to scale up & down deployments from within a pod.
To do that, I've created a service account and a clusterrolebinding with the following RBAC:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  namespace: backups-scripts
  name: backups-roles
rules:
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
      - list
      - delete
      - watch
  - apiGroups: ["apps","extensions"]
    resources:
      - deployments
      - replicasets
      - statefulsets
    verbs:
      - get
      - list
      - patch
      - update
      - watch
      - scale

When testing with auth can-i, kube says everything is OK:

$ kubectl auth can-i delete deployment  --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
no - no RBAC policy matched
$ kubectl auth can-i list deployment  --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
yes
$ kubectl auth can-i scale deployment  --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
yes
$ kubectl auth can-i update deployment  --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
yes
$ kubectl auth can-i patch deployment  --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
yes

But now when within the pod the kubectl command is executed I get the following error:

$ kubectl scale --replicas="$replicas" deployment -n "vm-catalogue" "mysql"
 Error from server (Forbidden): deployments.extensions "mysql" is forbidden: User "system:serviceaccount:backups-scripts:backups-sa" cannot get resource "deployments/scale" in API group "extensions" in the namespace "vm-catalogue"

I know the "list" and "get" verbs work because I'm extracting that information within the script (and that part works).

So... I don't get it, what did I miss?

-- APLU
kubernetes
rbac

1 Answer

2/24/2022

I think the error message you pasted suggests it well:

$ kubectl scale --replicas="$replicas" deployment -n "vm-catalogue" "mysql"
 Error from server (Forbidden): deployments.extensions "mysql" is forbidden: User "system:serviceaccount:backups-scripts:backups-sa" cannot get resource "deployments/scale" in API group "extensions" in the namespace "vm-catalogue"

cannot get resource "deployments/scale"

According to the Kubernetes RBAC docs, "Referring to resources":

"To represent this in an RBAC role, use a slash (/) to delimit the resource and subresource".

Such as:

- deployments/scale
- deployments/status
- pods/log
-- YwH
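As an added example (not from the original question or answer), here is a small Python model of the matching rule the answer quotes: the role as posted beside a corrected one that names deployments/scale, with a can_i() helper that answers in the wording of kubectl auth can-i. The Rule class, can_i() and the verb set on the corrected rule are assumptions made here, not Kubernetes code.

```python
# Added example, not from the original post: a minimal model of how the API
# server matches an RBAC rule against a request. A rule matches only when
# apiGroup, resource and verb all match; "*" is a wildcard and a subresource is
# a distinct resource name, "resource/subresource". Rule and can_i() are ours.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple

def _resource_matches(rule_resources, resource):
    if "*" in rule_resources or resource in rule_resources:
        return True
    # "*/scale" grants the scale subresource of every resource in the group.
    if "/" in resource:
        return "*/" + resource.split("/", 1)[1] in rule_resources
    return False

def role_allows(rules, api_group, resource, verb):
    """True if any rule grants `verb` on `resource`, e.g. "deployments/scale"."""
    return any(
        ("*" in r.api_groups or api_group in r.api_groups)
        and _resource_matches(r.resources, resource)
        and ("*" in r.verbs or verb in r.verbs)
        for r in rules
    )

def can_i(rules, verb, resource, api_group):
    """Answer in the wording of `kubectl auth can-i`."""
    return "yes" if role_allows(rules, api_group, resource, verb) else "no - no RBAC policy matched"

# The ClusterRole from the question, as posted. "scale" is not a verb the API
# server ever sends; `auth can-i scale deployment` said "yes" only because the
# string appears literally in the rule's verb list.
ORIGINAL_RULES = (
    Rule(("",), ("pods",), ("get", "list", "delete", "watch")),
    Rule(("apps", "extensions"), ("deployments", "replicasets", "statefulsets"),
         ("get", "list", "patch", "update", "watch", "scale")),
)

# Corrected role: the scale subresource named explicitly, with only the verbs
# we assume kubectl scale needs (read the current scale object, then write it).
FIXED_RULES = ORIGINAL_RULES + (
    Rule(("apps", "extensions"),
         ("deployments/scale", "replicasets/scale", "statefulsets/scale"),
         ("get", "update", "patch")),
)
```

With ORIGINAL_RULES the request from the error message (get deployments/scale in extensions) is denied, while plain list/get on deployments still passes, which is exactly the split the question observed.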
Source: StackOverflow