How to create kubernetes role for the "deployment" resource?


I am trying to create a namespace role for my Kubernetes cluster that will allow my application using the Kubernetes SDK to be able to retrieve the deployments via its service account. I am trying to create a role that will give access to the deployments resource as well as create a role binding to apply that role to my service account.

I have gotten this working manually using localstack by simply running this file (kubectl apply -f myFile.yaml) to create the role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: test-deployment-pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods", "deployments"]
    verbs: ["get", "watch", "list"]

This successfully creates the role such that the output is:

Resources      Verbs
---------      -----
deployments    [get watch list]
pods           [get watch list]

However, when I connect to my REAL cluster we are on the non-default namespace, let's call it namespace test. I am unable to simply apply the file like this due to my restrictions (I guess?) but I know I should be able to create the role since when I run this:

kubectl auth can-i get deployments -n test

it responds with yes. Attempting to create the role with this command succeeds but the resource is incorrect (deployments.apps instead of just deployments; I do see this same behavior when trying to create the role this way using localstack/eks as well):

kubectl create role my-role --verb=get --verb=list --verb=watch --resource=pods,deployments -n test # succeeds

kubectl describe role my-role -n test

Resources        Verbs
---------        -----
deployments.apps [get watch list]
pods             [get watch list]

And apparently deployments.apps is NOT enough access to let my api.listNamespacedDeployment request succeed from my application.

Does anyone know how to programmatically create the role that has a resource of deploy using the kubectl create role command? I cannot figure out why it keeps adding .apps to the end of deployments.


There are 1 best solutions below


It does seem the Kubernetes CLI was trying to help me out by adding deployments.apps. As some of the comments mention, the Deployments kind does belong to the apiGroup of apps. I must have not been giving the correct service account the role, or perhaps I was in the wrong namespace. This does appear to work as intended.
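
A manifest form of what the answer describes, as an added example that is not part of the original post: pods are granted under the core API group and deployments under `apps`, and the Role is bound to a service account in namespace `test`. The names `deployment-pod-reader`, `deployment-pod-reader-binding` and `my-app-sa` are hypothetical; only the namespace comes from the question.

```yaml
# Added example, not from the original post. Namespace "test" is from the
# question; the Role, RoleBinding and ServiceAccount names are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: test
  name: deployment-pod-reader
rules:
  # Pods live in the core API group, written as the empty string.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
  # Deployments live in the "apps" group; kubectl prints this as deployments.apps.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: test
  name: deployment-pod-reader-binding
subjects:
  # The subject must be the service account the application pod runs as,
  # and its namespace must match where that service account exists.
  - kind: ServiceAccount
    name: my-app-sa
    namespace: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deployment-pod-reader
# Verify as the service account, not as your own user:
#   kubectl auth can-i list deployments.apps -n test --as=system:serviceaccount:test:my-app-sa
#   kubectl auth can-i list pods -n test --as=system:serviceaccount:test:my-app-sa
```

Without `--as`, `kubectl auth can-i` reports on the identity running kubectl, so it says nothing about what the application's service account is allowed to do.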