3 questions 1. Already created roles and rolebinding can be edited and reflec . . .

I Malla:
3 questions

  1. Already created roles and rolebindings can be edited and reflect changes immediately, even though these resources are not recreated? How?
  2. How are certificates created for a new user provided in kubeconfig? (If this is mentioned in some videos then I might have to rewatch; please suggest which one has this info.)
  3. In real life, if I am a developer and the user "developer" is created by the administrator, does the administrator set up kubeconfig personally on my workstation? What if I need to access the cluster from another laptop? Does the kubeconfig need to be applied on every workstation that I use?

Hinodeya:
Read https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/

Fernando Jimenez:

  1. roles and rolebinding are mutable, which means they do not need to be destroyed and recreated.
  2. A certificate request is sent to the administrator and the administrator might use the Certificate API to create a CSR.
  3. In enterprise organizations, they do not use certificates to authenticate, they use other mechanisms like those provided by the cloud vendors, or Open ID Connect. Either way, as a developer you’ll have authorization, and enough access to the cluster and get the information to craft the kubeconfig.

Hinodeya:
https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/

I Malla:
3 more questions:

  1. I have these in the role manifest.

    rules:
    - apiGroups:
      - apps
      resourceNames:
      - ""
      resources:
      - deployments
      verbs:
      - get
      - create
      - delete

But

    kubectl get deployments -n blue --as dev-user
    kubectl delete deployments test2 -n blue --as dev-user
    kubectl create deploy test3 --image=redis -n blue --as dev-user

won't work. Why am I not able to do so?

  2. Also, when does apiGroups: ["extensions"] need to be used? In the last question of the RBAC practice it is mentioned to use apps and extensions. I understand "apps" is needed because it's a deployment, but why extensions?

  3. But I can delete the test2 deployment if it is mentioned in resourceNames. If nothing is kept in resourceNames, I cannot do anything. Why so?

    rules:
    - apiGroups:
      - apps
      resourceNames:
      - test2
      resources:
      - deployments
      verbs:
      - get
      - create
      - delete

Fernando Jimenez:
Resource name is an allow list. If you do not place anything in it, you are excluding everything.

I Malla:
Then how can I not provide any resourceName?

Fernando Jimenez:
Like you did with test2 or just remove it completely.

I Malla:
Remove as in remove the resourceNames:

I Malla:
completely from the manifest?

Fernando Jimenez:
Yes

Fernando Jimenez:
    apiGroups: ["extensions"]

For backward compatibility, but I bet you it is not necessary where you are testing.

I Malla:
Yeah, I also thought the same.

I Malla:
Also, thank you.
It worked after removing resourceNames:

I Malla:
Maybe I should search, but could you briefly tell me what the difference is between the verbs get, list, update and watch?

Fernando Jimenez:
get, list, update and watch, they all have different capabilities of what you are authorized to perform. A list will not allow you to get, an update will not allow you list or to get, and a watch will allow you to see updates in real time.

I Malla:
get means >> kubectl get pod test (gets only the specific pod that's mentioned)
list means >> kubectl get pod (shows all available pods)
update means >> kubectl edit pod test (allows editing a pod)
watch means >> kubectl get pods -w (allows seeing real-time changes)
Is this the capability? Or am I wrong?

Fernando Jimenez:
Notice that it is not only for pods, it is for other objects as well: deploy, rs, ds, svc, nodes, csr, ing, cj, etc…

get (for individual resources), list (for collections, including full object content), watch (for watching an individual resource or collection of resources)

I Malla:
Thanks @Fernando Jimenez, noted :pray::pray:
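The two points worked out in this thread (resourceNames is an exact-match allow list, and get/list/watch/create are distinct request verbs) can be checked offline with the following toy model of the RBAC rule matching, added here as an example and not part of the thread or of Kubernetes itself. The Role variants and kubectl commands are the ones from the thread; the kubectl-to-request mapping (`kubectl_to_request`, `can_i`) only covers the deployment commands used above and is an assumption for illustration.

```python
"""Toy model of how the Kubernetes RBAC authorizer matches a request against a
Role's rules (verb, apiGroup, resource and resourceName must all match; "*" is a
wildcard). Constructed for this thread; it does not talk to a cluster."""

def _matches(allowed, wanted):
    return "*" in allowed or wanted in allowed

def rule_allows(rule, verb, api_group, resource, name=""):
    # An absent/empty resourceNames means any name; a non-empty list is an
    # exact-match allow list, so a placeholder like "" never matches "test2".
    names = rule.get("resourceNames") or []
    return (_matches(rule["verbs"], verb) and _matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource) and (not names or name in names))

def role_allows(rules, verb, api_group, resource, name=""):
    return any(rule_allows(r, verb, api_group, resource, name) for r in rules)

def kubectl_to_request(argv):
    """Map the thread's kubectl forms to API request attributes (assumption: only
    the deployment commands from the thread are modelled; pass positional args
    plus an optional -w, without -n/--as flags)."""
    sub, positional = argv[0], [a for a in argv[1:] if not a.startswith("-")]
    name = positional[1] if len(positional) > 1 else ""
    if sub == "get":  # `kubectl get <kind>` without a name is a list (or watch)
        verb = "get" if name else ("watch" if "-w" in argv else "list")
    else:
        verb = {"delete": "delete", "create": "create", "edit": "update"}[sub]
    # create requests carry no name, so a resourceNames list can never match them
    return verb, "apps", "deployments", ("" if verb == "create" else name)

def can_i(rules, *argv):
    return role_allows(rules, *kubectl_to_request(argv))

# Constructed rules: the variants of the Role discussed in the thread.
BASE = {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "create", "delete"]}
RULE_EMPTY_NAME = dict(BASE, resourceNames=[""])
RULE_TEST2 = dict(BASE, resourceNames=["test2"])
RULE_NO_NAMES = dict(BASE)
RULE_LIST_WATCH = dict(BASE, verbs=["get", "list", "watch"])

if __name__ == "__main__":
    cases = [
        ("resourceNames: ['']", RULE_EMPTY_NAME, ["get", "deployments", "test2"]),
        ("resourceNames: [test2]", RULE_TEST2, ["delete", "deployments", "test2"]),
        ("resourceNames: [test2]", RULE_TEST2, ["create", "deploy", "test3", "--image=redis"]),
        ("no resourceNames", RULE_NO_NAMES, ["create", "deploy", "test3", "--image=redis"]),
        ("no resourceNames, verb get", RULE_NO_NAMES, ["get", "deployments"]),
        ("verbs get/list/watch", RULE_LIST_WATCH, ["get", "deployments", "-w"]),
    ]
    for label, rule, cmd in cases:
        print(f"{label:28} kubectl {' '.join(cmd):38} -> {can_i([rule], *cmd)}")
```

Note the third case: a rule with resourceNames authorizes delete on test2 but never create, because the API server has no object name to compare at authorization time.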