How to create kubernetes role for the "deployment" resource?

125 views Asked by At

i am trying to create a namespace role for my kubernetes cluster that will allow my application using the kubernetes sdk to be able to retrieve the deployments via its service account. I am trying to create a role that will give access to the deployments resource as well as create a role binding to apply that role to my service account.

I have gotten this working manually using localstack by simply running this file (kubectl apply -f myFile.yaml) to create the role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: test-deployment-pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods", "deployments"]
    verbs: ["get", "watch", "list"]

this successfully creates the role such that the output is:

Resources      Verbs
---------      -----
deployments    [get watch list]
pods           [get watch list]

however when i connect to my REAL cluster we are on the non-default namespace, lets call it namespace test. I am unable to simply apply the file like this due to my restrictions (i guess?) but i know i should be able to create the role since when i run this:

kubectl auth can-i get deployments -n test

it responds with yes. Attempting to create the role with this command succeeds but the resource is incorrect (deployments.app instead of just deployments, i do see this same behavior when trying to create the role this way using localstack/eks as well):

kubectl create role my-role --verb=get --verb=list --verb=watch --resource=pods,deployments -n test # succeeds

kubectl describe role my-role -n test

Resources        Verbs
---------        -----
deployments.apps [get watch list]
pods             [get watch list]

and apparently deployments.apps is NOT enough access to let my api.listNamespacedDeployment request succeed from my application.

Does anyone know how to programatically create the role that has a resource of deploy using the kubectl create role command? i cannot figure out why it keeps adding .apps to the end of deployments

1

There are 1 answers

0
skyleguy On

It does seem kubernetes cli was trying to help me out by adding deployments.apps. As some of the comments mention the Deployments kind does belong to the apiGroup of apps. I must have not been giving the correct service account the role or perhaps i was in the wrong namespace. this does appear to work as intended