
Kubernetes API Groups, Resources, and Verbs

I recently talked about how to set up RBAC for a particular scenario. One of the key features of RBAC is roles. Here is what that particular role looked like…

role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: modify-pods
rules:
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
      - list
      - delete

There are a few things here that might be confusing at first glance. The straightforward part is probably the resources list: typically you know what you want to set permissions on, in this case pods. But what about apiGroups? Why is its only entry an empty string? And while I know what I want the permissions to be, how do you know which verbs are valid?

There is a single command that will give you all of these answers…

$ kubectl api-resources -o wide

Here is some sample output from this command (it’s quite verbose unedited)…

You might have to scroll to the right to see all of the output.

NAME                              SHORTNAMES   APIGROUP                       NAMESPACED   KIND                             VERBS
namespaces                        ns                                          false        Namespace                        [create delete get list patch update watch]
nodes                             no                                          false        Node                             [create delete deletecollection get list patch update watch]
persistentvolumeclaims            pvc                                         true         PersistentVolumeClaim            [create delete deletecollection get list patch update watch]
persistentvolumes                 pv                                          false        PersistentVolume                 [create delete deletecollection get list patch update watch]
pods                              po                                          true         Pod                              [create delete deletecollection get list patch update watch]
services                          svc                                         true         Service                          [create delete get list patch update watch]
deployments                       deploy       apps                           true         Deployment                       [create delete deletecollection get list patch update watch]
replicasets                       rs           apps                           true         ReplicaSet                       [create delete deletecollection get list patch update watch]
statefulsets                      sts          apps                           true         StatefulSet                      [create delete deletecollection get list patch update watch]
jobs                                           batch                          true         Job                              [create delete deletecollection get list patch update watch]

The NAME is the resource that you want to apply permissions to. APIGROUP corresponds to the apiGroups role specification and tells you which group the resource belongs to. Note that pods (and many other resources) have an empty APIGROUP. This is because they are part of the core API group, which is written as the empty string "" in apiGroups.

By specifying wide output (-o wide) we also get the VERBS column. These are all of the verbs the API server supports for the resource, and they are what you choose from when filling in verbs.

Bonus: SHORTNAMES are really helpful aliases when interacting with resources from kubectl. They save a lot of keystrokes!

Now a quick exercise. Let’s say you want to create a role for creating and deleting deployments. You know that your resource name is deployments. Let’s do some discovery on the rest of the specs…

$ kubectl api-resources -o wide | grep -E "^deployments"

The output should look similar to the following…

deployments                       deploy       apps                           true         Deployment                       [create delete deletecollection get list patch update watch]

So now we know that apiGroups should include the apps API group. And the verbs we are looking for are create and delete. So our PolicyRule array should resemble the following…

rules:
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - create
      - delete
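
The discovery-then-author loop above, written out as a small POSIX shell script. This is an added example, not the post's own code: it parses a constructed excerpt of `kubectl api-resources -o wide` output (the SAMPLE variable), locates columns by their header offsets so that a blank SHORTNAMES or APIGROUP cell does not shift the fields, maps a blank APIGROUP to the "" core group, refuses verbs the resource does not support, and goes one step past the post by emitting a ClusterRole when NAMESPACED is false, since a Role cannot grant cluster-scoped resources. The function names (column_of, make_role and so on) are my own.

```shell
#!/bin/sh
# Added example: derive apiGroups / verbs for an RBAC rule from
# `kubectl api-resources -o wide` output and emit a matching Role or ClusterRole.
# SAMPLE is a constructed excerpt of that command's output; in practice pipe in
# the real command instead.
SAMPLE='NAME                              SHORTNAMES   APIGROUP                       NAMESPACED   KIND                             VERBS
namespaces                        ns                                          false        Namespace                        [create delete get list patch update watch]
pods                              po                                          true         Pod                              [create delete deletecollection get list patch update watch]
deployments                       deploy       apps                           true         Deployment                       [create delete deletecollection get list patch update watch]
jobs                                           batch                          true         Job                              [create delete deletecollection get list patch update watch]'

# Print one column of the row whose NAME is $1. Columns are cut at the offsets
# of the header words ($2 = this column, $3 = the next one, "" for the last),
# because whitespace splitting mis-numbers fields when SHORTNAMES or APIGROUP
# is blank (compare the pods and jobs rows).
column_of() {
  printf '%s\n' "$SAMPLE" | awk -v name="$1" -v col="$2" -v next_col="$3" '
    NR == 1 { start = index($0, col); end = (next_col == "") ? 0 : index($0, next_col); next }
    $1 == name {
      val = (end > 0) ? substr($0, start, end - start) : substr($0, start)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      print val
    }'
}

api_group_of() { column_of "$1" APIGROUP NAMESPACED; }
verbs_of()     { column_of "$1" VERBS "" | tr -d '[]'; }

# A blank APIGROUP column is the core group, written as "" inside apiGroups.
rbac_api_group() {
  g=$(api_group_of "$1")
  if [ -z "$g" ]; then printf '""\n'; else printf '%s\n' "$g"; fi
}

# Cluster-scoped resources (NAMESPACED false) cannot be granted by a Role.
role_kind() {
  if [ "$(column_of "$1" NAMESPACED KIND)" = "true" ]; then echo Role; else echo ClusterRole; fi
}

# Succeed only if every requested verb is in the resource's VERBS list.
verbs_supported() {
  res=$1; shift
  supported=" $(verbs_of "$res") "
  for v in "$@"; do
    case "$supported" in
      *" $v "*) ;;
      *) echo "verb '$v' is not supported for $res" >&2; return 1 ;;
    esac
  done
}

# Emit a Role/ClusterRole named $1 granting exactly the verbs $3... on resource $2.
make_role() {
  role=$1; res=$2; shift 2
  verbs_supported "$res" "$@" || return 1
  printf 'apiVersion: rbac.authorization.k8s.io/v1\nkind: %s\nmetadata:\n  name: %s\nrules:\n  - apiGroups: [%s]\n    resources:\n      - %s\n    verbs:\n' \
    "$(role_kind "$res")" "$role" "$(rbac_api_group "$res")" "$res"
  for v in "$@"; do printf '      - %s\n' "$v"; done
}

# Usage: the exercise from the post.
make_role modify-deployments deployments create delete
```

With real cluster output in place of SAMPLE, the generated manifest can be checked with `kubectl apply --dry-run=client -f -` before it is applied, and once bound, `kubectl auth can-i create deployments --as=<subject>` confirms the subject received the intended verbs and nothing more.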

I hope this has helped clarify role specifications for RBAC!

This post is licensed under CC BY 4.0 by the author.