Search code examples
kuberneteskubernetes-rbac

Any docs on what rights need to be given to do a thing on kubernetes?

Here my first ServiceAccount, ClusterRole, And ClusterRoleBinding

---
# Create namespace
apiVersion: v1
kind: Namespace
metadata:
  name: devops-tools
---
# Create Service Account
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: devops-tools
  name: bino

---
# Set Secrets for SA
# k8s >= 1.24 need to manualy created
# https://stackoverflow.com/a/72258300
apiVersion: v1
kind: Secret
metadata:
  name: bino-token
  namespace: devops-tools
  annotations:
    kubernetes.io/service-account.name: bino
type: kubernetes.io/service-account-token

---
# Create Cluster Role
# Beware !!! This is Cluster wide FULL RIGHTS
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: devops-tools-role
  namespace: devops-tools
rules:
  - apiGroups:
        - ""
        - apps
        - autoscaling
        - batch
        - extensions
        - policy
        - networking.k8s.io
        - rbac.authorization.k8s.io
    resources:
      - pods
      - componentstatuses
      - configmaps
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Bind the SA to Cluster Role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: devops-tools-role-binding
subjects:
- namespace: devops-tools
  kind: ServiceAccount
  name: bino
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: devops-tools-role
---

It work when I use to create NameSpace, Deployment, and Service. But it fail (complain about 'have no right') when I try to create kind: Ingress.

Then I try to add

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: devops-tools-role-binding-admin
subjects:
- namespace: devops-tools
  kind: ServiceAccount
  name: bino
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin

and now 'bino' can do all things.

My question is: Is there any docs on what 'apiGroups' and 'resources' need to be assigned so one service account can do some-things (not all-things)?

Sincerely

-bino-

Solution

  • You can run this command to determine the apiGroup of a resource:

    kubectl api-resources

    You will see something like:

    NAME        SHORTNAMES    APIVERSION              NAMESPACED   KIND
ingresses   ing           networking.k8s.io/v1    true         Ingress

    So you would need to add this to the rules of your ClusterRole:

    - apiGroups:
  - "networking.k8s.io/v1"
  resources:
  - "ingresses"
  verbs:
  - "get"