Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Allow Kubernetes user list/get namespaces

I have the following user manifest and I would like to allow myapp-user to get list of all namespaces within the cluster. From what I've looked up I'm supposed to create a ClusterRole, but I can't really find enough details on it. Is there anywhere a list of all the apiGroups and the corresponding resources and verbs?

apiVersion: v1
kind: ServiceAccount
metadata:
  name: myapp-user
  namespace: myapp

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: myapp-user-role
  namespace: myapp
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
  resources:
  - ingress
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: myapp-user
  namespace: myapp
subjects:
- kind: ServiceAccount
  name: myapp-suer
  namespace: myapp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: myapp-user-role

I though that adding this to the role.rules might help, but unfortunately not

- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["GET"]
like image 889
MrPsycho Avatar asked Jan 01 '23 04:01

MrPsycho


1 Answers

You can get API resources via

kubectl api-resources

NAME                              SHORTNAMES   APIGROUP                       NAMESPACED   KIND
bindings                                                                      true         Binding
componentstatuses                 cs                                          false        ComponentStatus
configmaps                        cm                                          true         ConfigMap
endpoints                         ep                                          true         Endpoints
events                            ev                                          true         Event
limitranges                       limits                                      true         LimitRange
namespaces                        ns                                          false        Namespace
nodes                             no                                          false        Node
persistentvolumeclaims            pvc                                         true         PersistentVolumeClaim
persistentvolumes                 pv                                          false        PersistentVolume

And for creating clusterrole and clusterolebinding below commands should work.

kubectl create clusterrole cr --verb=get,list --resource=namespaces

kubectl create clusterrolebinding crb --clusterrole=cr --serviceaccount=default:default

And then to test it

kubectl auth can-i get ns --as=system:serviceaccount:default:default
kubectl auth can-i list ns --as=system:serviceaccount:default:default
like image 170
Arghya Sadhu Avatar answered Jan 04 '23 00:01

Arghya Sadhu