I'm trying to scale up & down deployments from within a pod.
To do that, I've created a service account, clusterrolebinding with the following rbac:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
namespace: backups-scripts
name: backups-roles
rules:
- apiGroups: [""]
resources:
- pods
verbs:
- get
- list
- delete
- watch
- apiGroups: ["apps","extensions"]
resources:
- deployments
- replicasets
- statefulsets
verbs:
- get
- list
- patch
- update
- watch
- scale
When testing with auth can-i
kube say everything is ok:
$ kubectl auth can-i delete deployment --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
no - no RBAC policy matched
$ kubectl auth can-i list deployment --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
yes
$ kubectl auth can-i scale deployment --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
yes
$ kubectl auth can-i update deployment --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
yes
$ kubectl auth can-i patch deployment --namespace vm-catalogue --as system:serviceaccount:backups-scripts:backups-sa
yes
But now when within the pod the kubectl command is executed I get the following error:
$ kubectl scale --replicas="$replicas" deployment -n "vm-catalogue" "mysql"
Error from server (Forbidden): deployments.extensions "mysql" is forbidden: User "system:serviceaccount:backups-scripts:backups-sa" cannot get resource "deployments/scale" in API group "extensions" in the namespace "vm-catalogue"
I known the "list" and "get" verbs works because I'm extracting those information within the script (and that part works).
So.. I don't get it, what did I missed?
I think the error message you pasted suggests it well:
$ kubectl scale --replicas="$replicas" deployment -n "vm-catalogue" "mysql"
Error from server (Forbidden): deployments.extensions "mysql" is forbidden: User "system:serviceaccount:backups-scripts:backups-sa" cannot get resource "deployments/scale" in API group "extensions" in the namespace "vm-catalogue"
cannot get resource "deployments/scale"
According to Kubernetes rbac docs #referring to resources
"To represent this in an RBAC role, use a slash (/) to delimit the resource and subresource".
Such as:
- deployments/scale
- deployments/status
- pods/log