how to specify kubernetes RBAC permissions for scaling a specific deployment


I'm trying to give a group of users permission to scale a specific set of deployments in kubernetes 1.20

I've tried using the API reference doc here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#patch-scale-deployment-v1-apps to set resource names like so:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
... #irrelevant rules omitted
- apiGroups: ["apps"]
  resources:
    - /namespaces/my-namespace-name/deployments/my-deployment-name/scale
    - deployments/my-deployment-name/scale
  verbs:
    - update
    - patch

This doesn't work:

$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
Error from server (Forbidden): deployments.apps "my-deployment-name" is forbidden: User "kubeoperatorrole" cannot patch resource "deployments/scale" in API group "apps" in the namespace "my-namespace-name"

The only way I can get the scale command to work is to grant the permission for all deployments (which is not what I want) like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
... #irrelevant rules omitted
- apiGroups: ["apps"]
  resources:
    - deployments/scale
  verbs:
    - update
    - patch

$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
deployment.apps/my-deployment-name scaled

What is the correct syntax for specifying a specific deployment resource by name, or is this not possible? The deployments I'm targeting cannot be moved to an isolated namespace.


There are 2 answers

coderanger (BEST ANSWER)

resources isn't what you're looking for; it's resourceNames, which has to be a specific object name, like resourceNames: [my-deployment-name]. In general this isn't a very good approach; the expectation is that you will segment things by namespace and give them permissions in just one namespace (or two or three or whatever it is).

gohm'c

Try:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
- apiGroups: ["apps"]
  resources:
  - deployments/scale
  resourceNames: ["my-deployment-name"]  # <-- name of your deployment here
  verbs:
  - update
  - patch
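As an added illustration (not code from the question or either answer), the Python below models how the RBAC authorizer matches one rule against a request: verb, API group, the combined "resource/subresource" string, and finally resourceNames. It runs both the asker's path-style rule and the accepted fix against the request that kubectl scale issues; the Request and Rule objects are constructed here for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One entry of a (Cluster)Role's rules list."""
    api_groups: list[str]
    resources: list[str]
    verbs: list[str]
    resource_names: list[str] = field(default_factory=list)


@dataclass
class Request:
    """Attributes the authorizer sees for one API call."""
    verb: str
    api_group: str
    resource: str          # e.g. "deployments"
    subresource: str = ""  # e.g. "scale"
    name: str = ""         # object name; empty for list, watch, create


def _matches(items: list[str], value: str) -> bool:
    return "*" in items or value in items


def rule_allows(rule: Rule, req: Request) -> bool:
    """True if this one rule grants the request (RBAC rules only ever allow)."""
    if not _matches(rule.verbs, req.verb) or not _matches(rule.api_groups, req.api_group):
        return False
    # The resource check compares the string "resource/subresource"; an API path
    # such as "/namespaces/x/deployments/y/scale" can never equal it.
    combined = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    if not ("*" in rule.resources or combined in rule.resources
            or (req.subresource and f"*/{req.subresource}" in rule.resources)):
        return False
    # resourceNames narrows to named objects; an empty list means any object.
    # Requests without a name (list, create) therefore never match a named rule.
    return not rule.resource_names or req.name in rule.resource_names


# Constructed request: what `kubectl scale` sends for the asker's deployment.
scale_req = Request("patch", "apps", "deployments", "scale", "my-deployment-name")

# The asker's first attempt: path-style resource entries.
broken = Rule(["apps"], ["/namespaces/my-namespace-name/deployments/my-deployment-name/scale",
                         "deployments/my-deployment-name/scale"], ["update", "patch"])
# The accepted fix: the subresource in resources, the object in resourceNames.
fixed = Rule(["apps"], ["deployments/scale"], ["update", "patch"], ["my-deployment-name"])
print(rule_allows(broken, scale_req), rule_allows(fixed, scale_req))  # False True
```

Because a named rule never matches a nameless request, the fixed rule grants update/patch on that one scale subresource only; it does not grant list or create on deployments, which must come from a separate rule if the group needs them.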