RBAC on named API

Hello,

Can you please give some examples of RBAC in a named API? I understand that for the core API group we need to leave apiGroups as apiGroups: [""]. For core API groups, can we have any other value inside apiGroups other than [""]? Also, in the case of a named API group, what value can we put inside apiGroups?

And how can we check which resource falls under the core API group and which resource falls under a named group?

Thanks
Ashish

Hello @06ashishrawat

For the apiGroups, you have the option to leave it [""] and this will take all the apiGroups by default, but if you specify it, this will limit the selection of the apiGroups.
The following is an example. The first one is for using [""], which means that the pods resources can be get, list and watch for all the apiGroups, and the deployments resources, for only the apiGroups extensions and apps, can be get, list, watch, create, update, patch and delete.

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: get-pods
rules:
  - apiGroups: ["*"]
    resources: ["pods"]
    verbs: ["list", "get", "watch"]
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: magalix-get-pods
subjects:
  - apiGroup: ""
    kind: User
    name: magalix
roleRef:
  apiGroup: ""
  kind: Role
  name: get-pods
```

To know the available resources for all apiGroups, you can use this command:
kubectl api-resources
From the output of this command, you can see the available apiGroups in the "APIVERSION" column and the available resources for them in the "KIND" column.
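
How the APIVERSION column maps to a Role's apiGroups value, as an added example that is not part of the original posts: the group is the part of APIVERSION before the slash (apps/v1 gives apps), and a bare version such as v1 is the core group, written "". The table rows and the helper names are constructed for illustration.

```python
# Added example: derive the RBAC apiGroups value from `kubectl api-resources`.
# The rows below are constructed sample data, not output captured from a cluster.
WIDTHS = (22, 13, 31, 13, 0)
ROWS = [
    ("NAME", "SHORTNAMES", "APIVERSION", "NAMESPACED", "KIND"),
    ("pods", "po", "v1", "true", "Pod"),
    ("secrets", "", "v1", "true", "Secret"),
    ("deployments", "deploy", "apps/v1", "true", "Deployment"),
    ("ingresses", "ing", "networking.k8s.io/v1", "true", "Ingress"),
    ("roles", "", "rbac.authorization.k8s.io/v1", "true", "Role"),
]
# Fixed-width text laid out the way kubectl prints its table.
SAMPLE_OUTPUT = "\n".join(
    "".join(cell.ljust(w) for cell, w in zip(row, WIDTHS)).rstrip() for row in ROWS
)


def api_group(api_version):
    """"apps/v1" -> "apps"; a bare version such as "v1" is the core group, ""."""
    group, sep, _version = api_version.rpartition("/")
    return group if sep else ""


def parse_api_resources(text):
    """Map resource name -> API group. Columns are sliced by header offsets
    because SHORTNAMES is blank for many resources, so split() would misalign."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0]
    starts = [header.index(col) for col in ROWS[0]]
    ends = starts[1:] + [None]
    groups = {}
    for line in lines[1:]:
        name, _short, api_version = [line[s:e].strip() for s, e in zip(starts, ends)][:3]
        groups[name] = api_group(api_version)
    return groups


def rules_for(resources, verbs, groups):
    """Build Role rules, one per API group, for the requested resources."""
    by_group = {}
    for res in resources:
        by_group.setdefault(groups[res], []).append(res)
    return [{"apiGroups": [g], "resources": r, "verbs": list(verbs)}
            for g, r in sorted(by_group.items())]


if __name__ == "__main__":
    for rule in rules_for(["pods", "deployments"], ["get", "list"],
                          parse_api_resources(SAMPLE_OUTPUT)):
        print(rule)
```
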

Hello,

Sorry for the late follow-up, as I was away for 2 months.

I didn’t get the above output for kubectl api-resources. It says APIVERSION, not APIGROUP. So how do I know, while creating a role, whether a resource belongs to the core API group and can be left blank, or belongs to the apps API group or the extensions API group?

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: thing
rules:
  - apiGroups: ["what should go here"]
    resources: ["deployments"]
    verbs: ["get", "list"]
    resourceNames: []
```

Thanks
Ashish

You can use kubectl api-resources to check it.

Hello,

As I mentioned in my previous answer, I didn’t understand the output of kubectl api-resources in terms of APIGROUP info, as I can’t find it.

Here is the output of the kubectl api-resources command. Kindly help me understand how I can determine the APIGROUP from this output:

E.g. for deployments it says APIVERSION is apps/v1.

Can we write:

```yaml
rules:
  - apiGroups: ["apps/v1"]
    resources: ["deployments"]
    verbs: ["get", "list"]
    resourceNames: []
```

Thanks
Ashish

The old version of K8s uses the extensions group and the newer version uses apps. So, when you add both, it will work on any version of K8s.

OK. Understood. So we can use the value under APIVERSION for apiGroups to create the role? Please correct me if I am wrong.

@06ashishrawat Yes exactly

OK, thanks for the clarification.

–Ashish