
Basavraj Nilkanthe:

kubectl get pv --as michelle
Error from server (Forbidden): persistentvolumes is forbidden: User "michelle" cannot list resource "persistentvolumes" in API group "" at the cluster scope

Fernando Jimenez:
Hello @Basavraj Nilkanthe I just read your other posts as well concerning your test with michelle and persistent volumes.
Perhaps you may have been ignoring all along the warnings given

Warning: resource 'persistentvolumes' is not namespace scoped

and then the error came.

cannot list resource "persistentvolumes" in API group "" at the cluster scope

There are resources like “pv” that are not namespaced, which are meant to be worked with via a clusterrolebinding. In other words, if a resource is not namespaced and you try to restrict it to a namespace, it’s not going to behave as you expect. Using a rolebinding, you are trying to restrict it to a namespace.

Basavraj Nilkanthe:
@Fernando Jimenez ohh yes… It means I can only use a cluster role with a role binding for namespaced resources…?? Like pod/pod/sc… If I use a cluster-scoped resource here… It won’t work, as I can’t make a cluster-scoped resource namespace-specific… That’s what I understand now… Thank you for your response…

Fernando Jimenez:

> ohh yes… It means I can only use a cluster role with a role binding for namespaced resources…??

That will work.
If you want to know which resources are not namespaced.

kubectl api-resources --namespaced=false

Basavraj Nilkanthe:
yes, I have an idea how to check namespaced and non-namespaced resources… thanks once again…

Basavraj Nilkanthe:
Also I have another doubt… It’s about the apiGroups field and the resources field in either a Role or a ClusterRole… Suppose I have pv and sc resources, and you know both fall under different API groups… pv falls under the core API group and sc falls under storage.k8s.io/v1… But the question is, can we add them like this, or do we need to create a separate object inside the rules section…

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: storage-admin
rules:
# one rule listing both API groups and both resources
- apiGroups: ["", "storage.k8s.io/v1"]
  # note: RBAC matches the API resource name used at the HTTP level
  # ("persistentvolumes", "storageclasses") and the API group without
  # its version ("storage.k8s.io"); "pv" and "sc" are kubectl short names
  resources: ["pv", "sc"]
  verbs: ["*"]

Basavraj Nilkanthe:
or it should be like below…

Basavraj Nilkanthe:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: storage-admin
rules:
# one rule per API group, each listing only the resources in that group
- apiGroups: [""]
  # core API group; the HTTP-level resource name is "persistentvolumes"
  resources: ["pv"]
  verbs: ["*"]
- apiGroups: ["storage.k8s.io/v1"]
  # storage.k8s.io group; the HTTP-level resource name is "storageclasses"
  resources: ["sc"]
  verbs: ["*"]

Basavraj Nilkanthe:
Apologies, I couldn’t get it tested on the environment properly

Basavraj Nilkanthe:
so I thought I’d discuss it in the forum, in case you have some idea on this…

Fernando Jimenez:
Place each resource with its proper apiGroup, each in a separate member of the list (your second example).
The first example might look like it works, but if you describe it, here’s the result.

PolicyRule:
  Resources             Non-Resource URLs  Resource Names  Verbs
  ---------             -----------------  --------------  -----
  pv                    []                 []              [*]
  sc                    []                 []              [*]
  pv.storage.k8s.io/v1  []                 []              [*]
  sc.storage.k8s.io/v1  []                 []              [*]

Basavraj Nilkanthe:
okay,

Basavraj Nilkanthe:
the second approach should be fine to follow