I Malla:
3 more questions:
- I have these in the role manifest.
rules:
- apiGroups:
  - apps
  resourceNames:
  - ""
  resources:
  - deployments
  verbs:
  - get
  - create
  - delete
But kubectl get deployments -n blue --as dev-user
kubectl delete deployments test2 -n blue --as dev-user
kubectl create deploy test3 --image=redis -n blue --as dev-user
won't work. Why am I not able to do so?
2. Also, when does apiGroups: ["extensions"] need to be used? In the last question of the RBAC practice it is mentioned to use apps and extensions. I understand "apps" is needed because it's a deployment, but why extensions?
- But I can delete the test2 deployment if it is mentioned in resourceNames. If nothing is kept in resourceNames, I cannot do anything. Why so?
rules:
- apiGroups:
  - apps
  resourceNames:
  - test2
  resources:
  - deployments
  verbs:
  - get
  - create
  - delete
Fernando Jimenez:
Resource name is an allow list. If you do not place anything in it, you are excluding everything.
I Malla:
Then how can I not provide any resourceName?
Fernando Jimenez:
Like you did with test2 or just remove it completely.
I Malla:
Remove as in remove the resourceNames:
I Malla:
completely from the manifest?
Fernando Jimenez:
apiGroups: ["extensions"]
For backward compatibility, but I bet you it is not necessary where you are testing.
I Malla:
Yeah, I also thought the same.
I Malla:
Also, thank you.
It worked after removing resourceNames:
I Malla:
Maybe I should search, but could you briefly tell me what the difference is between the verbs get, list, update and watch?
Fernando Jimenez:
get, list, update and watch all have different capabilities in terms of what you are authorized to perform. A list will not allow you to get, an update will not allow you to list or to get, and a watch will allow you to see updates in real time.
I Malla:
get means >> kubectl get pod test (gets only the specific pod that's mentioned)
list means >> kubectl get pod (shows all available pods)
update means >> kubectl edit pod test (allows editing a pod)
watch >> kubectl get pods -w (allows seeing real-time changes)
Is this the capability? Or am I wrong?
Fernando Jimenez:
Notice that it is not only for pods, it is for other objects as well: deploy, rs, ds, svc, nodes, csr, ing, cj, etc…
get (for individual resources), list (for collections, including full object content), watch (for watching an individual resource or collection of resources)
I Malla:
Thanks @Fernando Jimenez noted