I am trying to configure Kubernetes RBAC in the least-permissive way possible and I want to scope my roles to specific resources and subresources. I've dug through the docs and can't find a concise list of resources and their subresources.
I'm particularly interested in the subresource that governs a part of a Deployment's spec: the container image.
Use kubectl api-resources: we use the kubectl api-resources -o wide command to obtain all the API resources served by the Kubernetes cluster. Running the command above gives us the name, namespaced, kind, shortnames and apiversion of the resources.
Using kubectl api-resources -o wide shows all the resources, verbs and associated API group.
$ kubectl api-resources -o wide
NAME                     SHORTNAMES   APIGROUP                    NAMESPACED   KIND                    VERBS
bindings                                                          true         Binding                 [create]
componentstatuses        cs                                       false        ComponentStatus         [get list]
configmaps               cm                                       true         ConfigMap               [create delete deletecollection get list patch update watch]
endpoints                ep                                       true         Endpoints               [create delete deletecollection get list patch update watch]
events                   ev                                       true         Event                   [create delete deletecollection get list patch update watch]
limitranges              limits                                   true         LimitRange              [create delete deletecollection get list patch update watch]
namespaces               ns                                       false        Namespace               [create delete get list patch update watch]
nodes                    no                                       false        Node                    [create delete deletecollection get list patch update watch]
persistentvolumeclaims   pvc                                      true         PersistentVolumeClaim   [create delete deletecollection get list patch update watch]
persistentvolumes        pv                                       false        PersistentVolume        [create delete deletecollection get list patch update watch]
pods                     po                                       true         Pod                     [create delete deletecollection get list patch update watch]
statefulsets             sts          apps                        true         StatefulSet             [create delete deletecollection get list patch update watch]
meshpolicies                          authentication.istio.io     false        MeshPolicy              [delete deletecollection get list patch create update watch]
policies                              authentication.istio.io     true         Policy                  [delete deletecollection get list patch create update watch]
...
I guess you can use this to create the list of resources needed in your RBAC config.
The resources, sub-resources and verbs that you need to define RBAC roles are not documented anywhere in a static list. They are available in the discovery documentation, i.e. via the API, e.g. /api/apps/v1.
The following bash script will list all the resources, sub-resources and verbs in the following format:
api_version resource: [verb]
where api_version is core for the core resources and should be replaced by "" (an empty quoted string) in your role definition. For example:
core pods/status: get patch update
The script requires jq.
#!/bin/bash
SERVER="localhost:8080"
APIS=$(curl -s $SERVER/apis | jq -r '[.groups | .[].name] | join(" ")')

# do core resources first, which are at a separate api location
api="core"
curl -s $SERVER/api/v1 | jq -r --arg api "$api" '.resources | .[] | "\($api) \(.name): \(.verbs | join(" "))"'

# now do non-core resources, using each group's preferred version
for api in $APIS; do
    version=$(curl -s $SERVER/apis/$api | jq -r '.preferredVersion.version')
    curl -s $SERVER/apis/$api/$version | jq -r --arg api "$api" '.resources | .[]? | "\($api) \(.name): \(.verbs | join(" "))"'
done
WARNING: Note that where no verbs are listed via the api, the output will just show the api version and the resource, e.g.
core pods/exec:
In the specific instance of the following resources, no verbs are shown via the api, which is wrong (Kubernetes bug #65421, fixed by #65518):
nodes/proxy
pods/attach
pods/exec
pods/portforward
pods/proxy
services/proxy
The supported verbs for these resources are as follows:
nodes/proxy: create delete get patch update
pods/attach: create get
pods/exec: create get
pods/portforward: create get
pods/proxy: create delete get patch update
services/proxy: create delete get patch update
WARNING 2: Sometimes Kubernetes checks for additional permissions using specialised verbs that are not listed here. For example, the bind verb is needed for the roles and clusterroles resources in the rbac.authorization.k8s.io API group. Details of these specialised verbs are to be found in the docs here.
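As an added example (not part of either answer), the following Python script applies the discovery format and the core-to-"" mapping described above: it reads constructed, trimmed stand-ins for the /api/v1 and /apis/apps/v1 discovery documents, fills in the verbs the API omits for the six subresources listed, and refuses to emit a Role rule for any verb the resource does not actually support. The sample documents and the Role name are made up for the example.

```python
import json
# Constructed, trimmed stand-ins for what GET /api/v1 and GET /apis/apps/v1
# return (assumption: not captured from any real cluster).
DISCOVERY = {
    "": json.dumps({"resources": [
        {"name": "pods", "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"name": "pods/status", "verbs": ["get", "patch", "update"]},
        {"name": "pods/exec", "verbs": []},  # empty verb list, the gap the answer describes
    ]}),
    "apps": json.dumps({"resources": [
        {"name": "deployments", "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"name": "deployments/scale", "verbs": ["get", "patch", "update"]},
    ]}),
}
# Verbs the API omits for these subresources, as listed in the answer above.
KNOWN_VERBS = {
    "nodes/proxy": ["create", "delete", "get", "patch", "update"],
    "pods/attach": ["create", "get"], "pods/exec": ["create", "get"],
    "pods/portforward": ["create", "get"],
    "pods/proxy": ["create", "delete", "get", "patch", "update"],
    "services/proxy": ["create", "delete", "get", "patch", "update"],
}

def supported_verbs(discovery):
    """Map (apiGroup, resource) -> sorted verbs. The core group is keyed as ""
    because that is the value a Role's apiGroups field expects for it."""
    catalog = {}
    for group, doc in discovery.items():
        for res in json.loads(doc)["resources"]:
            verbs = res.get("verbs") or KNOWN_VERBS.get(res["name"], [])
            catalog[(group, res["name"])] = sorted(verbs)
    return catalog

def build_rules(catalog, wanted):
    """Turn {(apiGroup, resource): [verbs]} into one RBAC rule per resource,
    refusing any verb the discovery document says the resource lacks."""
    rules = []
    for (group, resource), verbs in wanted.items():
        if (group, resource) not in catalog:
            raise ValueError(f"unknown resource: {group or 'core'} {resource}")
        unsupported = sorted(set(verbs) - set(catalog[(group, resource)]))
        if unsupported:
            raise ValueError(f"{resource} does not support {unsupported}")
        rules.append({"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)})
    return rules

if __name__ == "__main__":
    # A controller that only patches Deployments and reads pod status (made-up Role name).
    rules = build_rules(supported_verbs(DISCOVERY),
                        {("apps", "deployments"): ["get", "patch"], ("", "pods/status"): ["get"]})
    print(json.dumps({"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
                      "metadata": {"name": "image-updater"}, "rules": rules}, indent=2))
```

Against a real cluster, the two JSON strings would come from the same curl calls the bash script above makes, one per API group.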