
Kubernetes RBAC apiGroup field in RoleBinding and ClusterRoleBinding


Why do we need to write the apiGroup key in this definition again and again, if it is the same every time?

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: web-rw-deployment
 namespace: some-web-app-ns
subjects:
- kind: User
 name: "[email protected]"
 apiGroup: rbac.authorization.k8s.io
- kind: Group
 name: "webdevs"
 apiGroup: rbac.authorization.k8s.io
roleRef:
 kind: Role
 name: web-rw-deployment
 apiGroup: rbac.authorization.k8s.io

  • this looks so redundant, as it is repeated for everything
  • if we need to write it, what are the other values?
  • if there are no other values for the RBAC apiGroup field, then k8s should assume that value automatically: apiGroup: rbac.authorization.k8s.io

This makes the YAML too redundant. Is there any way to work around this? Can we just skip this key, or can we declare this somewhere globally?


Solution

  • Good question. The rationale that I can think of is that there may be different APIs in the future that could be supported, for example, rbacv2.authorization.k8s.io and you wouldn't like to restrict references and subjects to just one for compatibility reasons.

    My take on this is that it would be nice to have yet another optional global field for RoleBinding besides 'subjects' called something like 'bindingApigroup'. Feel free to open an issue: kind/feature, sig/auth and/or sig/api-machinery.

    Also, there might be more rationale/details in the sig-auth design proposals.
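
An added example (not part of the original question or answer) on the question's "what are the other values" point: a manifest check that assumes the per-kind values documented for the rbac.authorization.k8s.io/v1 Subject type, where ServiceAccount subjects use the empty core group and User and Group subjects use the RBAC group. The names check_binding, SAMPLE and ci-deployer are hypothetical, and the sample binding is constructed from the one in the question.

```python
RBAC_GROUP = "rbac.authorization.k8s.io"

# Expected subject apiGroup per kind (assumption: rbac/v1 Subject documentation).
# ServiceAccount is a core-group object, so its apiGroup is the empty string.
SUBJECT_GROUP = {"User": RBAC_GROUP, "Group": RBAC_GROUP, "ServiceAccount": ""}


def check_binding(binding):
    """Return (subjects with effective apiGroup, findings) for a parsed binding."""
    findings = []
    ref_group = binding.get("roleRef", {}).get("apiGroup")
    if ref_group != RBAC_GROUP:
        findings.append(f"roleRef.apiGroup={ref_group!r}, expected {RBAC_GROUP!r}")

    effective = []
    for i, subject in enumerate(binding.get("subjects") or []):
        kind = subject.get("kind")
        if kind not in SUBJECT_GROUP:
            findings.append(f"subjects[{i}].kind={kind!r} is not a known subject kind")
            continue
        expected = SUBJECT_GROUP[kind]
        # An omitted apiGroup takes the per-kind value; an explicit one must match it.
        group = subject.get("apiGroup", expected)
        if group != expected:
            findings.append(
                f"subjects[{i}] ({kind}) apiGroup={group!r}, expected {expected!r}")
        effective.append({**subject, "apiGroup": group})
    return effective, findings


# Constructed sample: the question's binding as a dict, with the Group's apiGroup
# omitted and a ServiceAccount subject that wrongly copies the RBAC group.
SAMPLE = {
    "kind": "RoleBinding",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "web-rw-deployment", "namespace": "some-web-app-ns"},
    "subjects": [
        {"kind": "User", "name": "dev@example.com", "apiGroup": RBAC_GROUP},
        {"kind": "Group", "name": "webdevs"},
        {"kind": "ServiceAccount", "name": "ci-deployer",
         "namespace": "some-web-app-ns", "apiGroup": RBAC_GROUP},
    ],
    "roleRef": {"kind": "Role", "name": "web-rw-deployment", "apiGroup": RBAC_GROUP},
}

if __name__ == "__main__":
    subjects, problems = check_binding(SAMPLE)
    for line in problems:
        print("FINDING:", line)
```

The value is not the same for every subject: copying the RBAC group onto a ServiceAccount subject is the mistake this check reports.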