I cannot for the life of me find a detailed table of what all the Kubernetes RBAC verbs do. The only resource I see people recommending is this one, which is woefully inadequate.
So I've been working it out by experimentation.
Most are fairly straightforward so far, except for UPDATE. This does not seem to be able to do anything I would expect it to.
Permissions I gave my alias:
[GET, UPDATE] on [deployments] in default namespace.
Things I've tried:
kubectl set image deployment/hello-node echoserver=digitalocean/flask-helloworld --as user
kubectl edit deploy hello-node --as user
kubectl apply -f hello-node.yaml --as eks-user
These all failed with error: deployments.apps "hello-node" is forbidden: User "user" cannot patch resource "deployments" in API group "apps" in the namespace "default"
I then tried some rollout commands like:
k rollout undo deploy hello-node --as user
But they failed because I didn't have replica-set access.
TLDR: What is the point of the Kubernetes RBAC update verb?
For that matter, does anyone have a more detailed list of all RBAC verbs?
Following up on this, I went to the Kubernetes REST API documentation, which has a long list of all the HTTP API calls you can make to the REST server.
I thought this would help because the one (1) table available describing what the different verbs can do did so by comparing them to HTTP verbs. So the plan was:
update permission is equated to.kubectl equivalent.So.
What HTTP verb equals the update permission?
PUT.
Example of using PUT for deployments?
Replace Scale: replace scale of the specified Deployment
HTTP Request
PUT /apis/apps/v1/namespaces/{namespace}/deployments/{name}/scale
What's the equivalent kubectl command?
Well we're scaling a deployment, so I'm going to say:
kubectl scale deployment hello-node --replicas=2
Can I run this command?
I extended my permissions to deployment/scale first, and then ran it.
Error from server (Forbidden): deployments.apps "hello-node" is forbidden: User "user" cannot patch resource "deployments/scale" in API group "apps" in the namespace "default"
Well. That also needs patch permissions, it would appear.
Despite the fact that the HTTP verb used is PUT according to the API docs, and PUT is equivalent to update according to the one (1) source of any information on these RBAC verbs.
Anyway.
My Conclusion: It appears that update is indeed pretty useless, at least for Deployments.
The RBAC setup seemed promising at first, but honestly it's starting to lose its lustre as I discover more and more edge cases and undocumented mysteries. Access permissions seem like the absolute worst thing to be vague about, or your security ends up being more through obscurity than certainty.
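Added example, not part of the original post and not Kubernetes source code: a simplified Python model of the check behind the "cannot patch" errors quoted above, in which the RBAC verb is derived from the HTTP method of the request (per the Kubernetes authorization documentation) and compared with the Role's rules. The Role and paths are constructed from the values in the post; `request_verb`, `parse_request`, `allowed` and `check` are hypothetical helper names.

```python
# Simplified model of RBAC verb derivation and rule matching (illustrative only).
import re

def request_verb(method, has_name, watch=False):
    """Map an HTTP method to the RBAC request verb."""
    method = method.upper()
    if method in ("GET", "HEAD"):
        if watch:
            return "watch"
        return "get" if has_name else "list"
    if method == "DELETE":
        return "delete" if has_name else "deletecollection"
    return {"POST": "create", "PUT": "update", "PATCH": "patch"}[method]

# Namespaced path of a grouped API: /apis/<group>/<version>/namespaces/<ns>/...
PATH = re.compile(r"^/apis/(?P<group>[^/]+)/[^/]+/namespaces/(?P<ns>[^/]+)"
                  r"/(?P<resource>[^/]+)(?:/(?P<name>[^/]+))?(?:/(?P<sub>[^/]+))?$")

def parse_request(method, path):
    """Turn method + path into the attributes an RBAC rule is matched against."""
    m = PATH.match(path)
    if not m:
        raise ValueError("unsupported path: " + path)
    # Subresources are separate RBAC resources, written "resource/subresource".
    resource = m["resource"] + ("/" + m["sub"] if m["sub"] else "")
    return {"verb": request_verb(method, m["name"] is not None),
            "group": m["group"], "namespace": m["ns"], "resource": resource}

def allowed(rules, req):
    """True if any rule covers the request's API group, resource and verb."""
    def covers(values, wanted):
        return "*" in values or wanted in values
    return any(covers(r["apiGroups"], req["group"])
               and covers(r["resources"], req["resource"])
               and covers(r["verbs"], req["verb"]) for r in rules)

# Constructed Role rules mirroring the post: [get, update] on deployments.
ROLE = [{"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "update"]}]
BASE = "/apis/apps/v1/namespaces/default/deployments/hello-node"

def check(method, path, rules=ROLE):
    """Return (derived verb, RBAC resource, decision) for one request."""
    req = parse_request(method, path)
    return req["verb"], req["resource"], allowed(rules, req)

if __name__ == "__main__":
    for method, path in [("GET", BASE), ("PUT", BASE), ("PATCH", BASE),
                         ("PUT", BASE + "/scale"), ("PATCH", BASE + "/scale")]:
        print(method, path, "->", check(method, path))
```

In this model a PATCH is denied on both `deployments` and `deployments/scale` for a Role that lists only `get` and `update`, which matches the errors quoted in the post.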