I am trying to create a namespace role for my Kubernetes cluster that will allow my application, using the Kubernetes SDK, to retrieve the deployments via its service account. I am trying to create a role that will give access to the deployments resource, as well as create a role binding to apply that role to my service account.
I have gotten this working manually using localstack by simply running this file (`kubectl apply -f myFile.yaml`) to create the role:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: test-deployment-pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "deployments"]
  verbs: ["get", "watch", "list"]
```
This successfully creates the role, such that the output is:
```
Resources    Verbs
---------    -----
deployments  [get watch list]
pods         [get watch list]
```
However, when I connect to my REAL cluster we are on the non-default namespace, let's call it namespace `test`. I am unable to simply apply the file like this due to my restrictions (I guess?), but I know I should be able to create the role, since when I run this:
```
kubectl auth can-i get deployments -n test
```
it responds with `yes`. Attempting to create the role with this command succeeds, but the resource is incorrect (`deployments.apps` instead of just `deployments`; I do see this same behavior when trying to create the role this way using localstack/eks as well):
```
kubectl create role my-role --verb=get --verb=list --verb=watch --resource=pods,deployments -n test # succeeds
kubectl describe role my-role -n test
Resources         Verbs
---------         -----
deployments.apps  [get watch list]
pods              [get watch list]
```
and apparently `deployments.apps` is NOT enough access to let my `api.listNamespacedDeployment` request succeed from my application.
Does anyone know how to programmatically create the role that has a resource of deploy using the `kubectl create role` command? I cannot figure out why it keeps adding `.apps` to the end of `deployments`.
It does seem the Kubernetes CLI was trying to help me out by adding `deployments.apps`. As some of the comments mention, the Deployments kind does belong to the apiGroup of `apps`. I must have not been giving the correct service account the role, or perhaps I was in the wrong namespace. This does appear to work as intended.
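A complete manifest for the setup the question describes, added here as an example and not taken from the question or the answer. The role name `deployment-reader` and the service account `my-app-sa` are assumptions; the namespace `test` is the one from the question.

```yaml
# Added example (not from the question or answer): a Role and RoleBinding that
# give the application's service account read access to deployments and pods
# in namespace "test". "deployment-reader" and "my-app-sa" are assumed names.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: test
  name: deployment-reader
rules:
  # Deployments live in the "apps" API group, not the core ("") group.
  # This rule is exactly what "deployments.apps" in kubectl describe denotes;
  # a rule for "deployments" under apiGroups [""] matches nothing.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
  # Pods are in the core API group, which is written as "".
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: test
  name: deployment-reader-binding
subjects:
  # The subject must be the ServiceAccount the application pod actually runs
  # as, and a Role only grants access inside its own namespace, so the
  # binding, the Role and the workload all have to be in "test".
  - kind: ServiceAccount
    name: my-app-sa
    namespace: test
roleRef:
  kind: Role
  name: deployment-reader
  apiGroup: rbac.authorization.k8s.io
```

Before relying on it from the application, check the binding from the service account's point of view rather than your own user's: `kubectl auth can-i list deployments -n test --as=system:serviceaccount:test:my-app-sa` should answer `yes`, and the same check against another namespace should answer `no`.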