
List of Kubernetes RBAC rule verbs

I want to give my application limited access to get the replicas of different StatefulSets (and maybe Deployments) and, if necessary, scale them up or down.

I have created a ServiceAccount, RoleBinding and Role for this, but I can't find the complete list of rule verbs ("get", "watch", "list", "update") and what their limitations are; for example, can I use update for scaling or do I need another verb? And where can I find a list or table that describes these verbs?

My yaml file:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22; v1 has the same schema
metadata:
  name: scaler-role
  namespace: {{ .Release.Namespace  | quote }}
rules:
- apiGroups: ["apps"]
  resources: ["statefulsets"]   # RBAC resource names are the plural names shown by `kubectl api-resources`
  verbs: ["get", "watch", "list", "update"]

Here is the list of RBAC verbs:

(image: table of RBAC verbs)

For scaling, I think you'll need write permissions (create, update and patch) along with read permissions (get, list and watch).

The best way is:

kubectl api-resources --sort-by name -o wide

The above api-resources command is explicit and easy to grep. The complete list of possible verbs can be obtained thus:

$ kubectl api-resources --no-headers --sort-by name -o wide | sed 's/.*\[//g' | tr -d "]" | tr " " "\n" | sort | uniq
create
delete
deletecollection
get
list
patch
update
watch

The Resource Operations section of the API reference docs (e.g. https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/ ) talks a little bit about them but doesn't mention deletecollection (btw: see the interesting info about deletecollection; it suggests that whenever you give delete, you should give deletecollection permission too, if the resource supports it).

The Determine the Request Verb section of the Authorization Overview does briefly mention deletecollection, as well as half a dozen more verbs (such as escalate, as pointed out rightfully by @RoryMcCune) which, unfortunately, do not show up in the output of the kubectl api-resources -o wide command.

BTW, the api-resources command also lists the short names of resources, such as svc for services.

A list of verbs can be found here: https://kubernetes.io/docs/reference/access-authn-authz/authorization/#review-your-request-attributes

and a brief description can be found here: https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb
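The request-to-verb mapping from the Determine the Request Verb section, combined with the way the RBAC authorizer matches a rule like the one in the question, as an added example (not code from the question or any answer on this page). The request paths and the Role dicts are constructed samples; the matching rules assumed are that "*" is a wildcard in every list and that a "*/<subresource>" entry matches that subresource of any resource. It also shows two things a practitioner runs into here: a singular resource name such as `statefulset` matches nothing, and permission on `statefulsets` does not extend to the `statefulsets/scale` subresource that replica changes go through.

```python
"""Map a Kubernetes API request to its RBAC verb and check it against a Role.

Added example, not code from the question or any answer on this page.
Verb derivation follows the "Determine the Request Verb" table:
GET -> get (named object) / list (collection) / watch (?watch=true),
POST -> create, PUT -> update, PATCH -> patch,
DELETE -> delete (named object) / deletecollection (collection).
Rule matching mirrors the RBAC authorizer: "*" is a wildcard in every
list and "*/<sub>" matches that subresource of any resource.
Request paths and Role dicts below are constructed samples.
"""
import re
from urllib.parse import parse_qs, urlsplit

# /api/v1/... is the core group (apiGroup ""); /apis/<group>/<version>/... is a named group.
_RESOURCE_PATH = re.compile(
    r"^/(?:api/(?P<core>v1)|apis/(?P<group>[^/]+)/(?P<version>[^/]+))"
    r"(?:/namespaces/(?P<namespace>[^/]+))?"
    r"/(?P<resource>[^/]+)(?:/(?P<name>[^/]+)(?:/(?P<subresource>[^/]+))?)?$"
)

_METHOD_VERBS = {"POST": "create", "PUT": "update", "PATCH": "patch"}


def request_attributes(method, url):
    """Return (apiGroup, resource[/subresource], verb) for a resource request, else None."""
    parts = urlsplit(url)
    m = _RESOURCE_PATH.match(parts.path)
    if not m:
        return None
    group = m["group"] or ""
    resource = m["resource"]
    if m["subresource"]:
        resource = f"{resource}/{m['subresource']}"  # e.g. statefulsets/scale
    named = m["name"] is not None
    method = method.upper()
    if method == "GET":
        if parse_qs(parts.query).get("watch", ["false"])[0] == "true":
            verb = "watch"
        else:
            verb = "get" if named else "list"
    elif method == "DELETE":
        verb = "delete" if named else "deletecollection"
    elif method in _METHOD_VERBS:
        verb = _METHOD_VERBS[method]
    else:
        return None
    return group, resource, verb


def rule_allows(rule, group, resource, verb):
    """True if one PolicyRule covers the request (each list is an OR of its entries)."""
    subresource = resource.partition("/")[2]

    def resource_matches(pattern):
        if pattern in ("*", resource):
            return True
        # "*/scale" style entries match the named subresource of any resource
        return bool(subresource) and pattern == f"*/{subresource}"

    return (
        any(g in ("*", group) for g in rule.get("apiGroups", []))
        and any(resource_matches(r) for r in rule.get("resources", []))
        and any(v in ("*", verb) for v in rule.get("verbs", []))
    )


def role_allows(role, method, url):
    """True if any rule of the Role permits the request."""
    attrs = request_attributes(method, url)
    return attrs is not None and any(rule_allows(r, *attrs) for r in role["rules"])


# A Role naming the resource in the singular: RBAC compares strings, so this matches nothing.
SINGULAR_ROLE = {"rules": [{"apiGroups": ["apps"], "resources": ["statefulset"],
                            "verbs": ["get", "watch", "list", "update"]}]}
# The same rule with the plural name that `kubectl api-resources` reports.
PLURAL_ROLE = {"rules": [{"apiGroups": ["apps"], "resources": ["statefulsets"],
                          "verbs": ["get", "watch", "list", "update"]}]}
# Additionally covering the scale subresource, which is what replica changes are written to.
SCALER_ROLE = {"rules": PLURAL_ROLE["rules"] + [
    {"apiGroups": ["apps"], "resources": ["statefulsets/scale"], "verbs": ["get", "update", "patch"]}]}


def scaling_checks(role, namespace="team-a", name="web"):
    """Which of the asker's operations the Role permits (constructed requests)."""
    base = f"/apis/apps/v1/namespaces/{namespace}/statefulsets"
    requests = {
        "list": ("GET", base),
        "watch": ("GET", base + "?watch=true"),
        "get": ("GET", f"{base}/{name}"),
        "update": ("PUT", f"{base}/{name}"),
        "scale": ("PATCH", f"{base}/{name}/scale"),  # replicas via the scale subresource
    }
    return {op: role_allows(role, m, u) for op, (m, u) in requests.items()}


if __name__ == "__main__":
    for label, role in (("singular", SINGULAR_ROLE), ("plural", PLURAL_ROLE), ("scaler", SCALER_ROLE)):
        print(f"{label:9} {scaling_checks(role)}")
```

Running it prints that the singular Role permits nothing, the plural Role permits get/list/watch/update on the StatefulSet object but not the scale request, and only the Role that also names `statefulsets/scale` with update or patch permits all five. Against a live cluster the same questions can be asked with `kubectl auth can-i patch statefulsets/scale --as=system:serviceaccount:<ns>:<sa>`.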

I have a role that I use for updating the docker image tag for deployments, which looks like this (I don't use mine to create the deployment, just to patch the image tag):

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.22; v1 has the same schema
metadata:
  name: deployer
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "patch"]

On Linux/Mac/WSL/etc.:

  1. Run: kubectl proxy &
  2. Run: curl -s http://127.0.0.1:8001 -k | grep -v 'paths' | grep '"' | sed -e 's/"//g' -e 's/,//g' | sort | while read line ; do kubectl get --raw "${line}" ; done | jq | less
  3. Search for the API you need in less to see the verbs.

Related to this, to know the full list of verbs for apiGroups and resources on your running cluster, including any additional ones introduced by operators or CRDs, you can do the following.

Open in a terminal:

kubectl proxy

Then, on a different terminal, you can run:

# List all API urls
curl -s http://localhost:8001/ | yq '.paths[]'

# List all objects and verbs for an API path like /api/v1
curl -s http://localhost:8001/api/v1 | yq '.resources[] | [{"resources":.name,"verbs":.verbs}]'

If you want a script that lists everything in a single place in a nice way, run this:

#!/bin/bash

# Remember to run on another terminal before this script:
# kubectl proxy

set -euo pipefail

# Show Kubernetes server version (the --short flag was removed in newer kubectl, so grep the full output)
echo -n '# '
kubectl version 2>/dev/null | grep 'Server'

for url in $(curl -s http://localhost:8001/ | yq '.paths[]' | xargs) ; do 
    [ "$url" == "/metrics" ] && continue
    doc=$(curl -s "http://localhost:8001$url")

    # If URL doesn't publish info, skip
    [ "$doc" == "ok" ] && continue

    # Derive the apiGroup from the URL: /api/v1 is the core group (""), otherwise strip the
    # /apis/ prefix and the trailing version segment (/v1, /v1beta1, /v1alpha1, ...)
    apiGroup=$(echo "$url" | sed -E 's#^/api/v1$##; s#^/apis/##; s#^/##; s#/v[0-9]+((alpha|beta)[0-9]+)?$##')

    # Get permissions and format them nicely in YAML
    yaml=$(echo "$doc" | yq -M '[.resources[] | {"apiGroups":["'"$apiGroup"'"], "resources":[.name],"verbs":.verbs}] | .. style="double" | .[].* style="flow"' 2>/dev/null ||:)
    
    # TODO: group resources from the same apiGroup with the same verbs together

    # If the document has no resources (API roots, /openapi, etc.), skip it
    { [ -z "$yaml" ] || [ "$yaml" == "[]" ]; } && continue

    echo ""
    echo "# $url"
    echo "$yaml"
done

You can also find that script on this gist: https://gist.github.com/vicenteherrera/0bfe2762ecd5794eba65ed19d0d51188

When you execute it, you can save the output to a file:

./list_verbs.sh >verbs.yaml

Here is a brief example of the output:

# /apis/templates.gatekeeper.sh/v1beta1
- apiGroups: ["templates.gatekeeper.sh"]
  resources: ["constrainttemplates"]
  verbs: ["delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"]
- apiGroups: ["templates.gatekeeper.sh"]
  resources: ["constrainttemplates/status"]
  verbs: ["get", "patch", "update"]

Then you can just copy and paste a YAML block from that file into your Kubernetes Role; it is already in the format the Role expects.
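The grouping that the script's TODO leaves open, as an added example (not the gist's code): it takes a discovery document of the kind `curl http://localhost:8001/apis/apps/v1` returns and merges the resources of one apiGroup that share a verb set into a single rule, so the output is shorter than one rule per resource while granting exactly the same permissions. The APIResourceList JSON below is constructed in that shape; a real response carries more fields, which are ignored.

```python
"""Turn API discovery documents into RBAC rule blocks, merging resources of one
apiGroup that carry the same verb set.

Added example, not the gist's code. SAMPLE_DOC is constructed in the shape of
the APIResourceList that GET /apis/<group>/<version> returns via kubectl proxy.
"""
import json
import re
from collections import OrderedDict

_VERSIONED_PATH = re.compile(r"^/(?:api/(?P<core>v1)|apis/(?P<group>[^/]+)/(?P<version>[^/]+))$")


def api_group_from_path(path):
    """'/api/v1' -> '' (core group), '/apis/apps/v1' -> 'apps'; None for anything else."""
    m = _VERSIONED_PATH.match(path)
    if not m:
        return None
    return m["group"] or ""


def rules_from_discovery(path, doc):
    """Build Role-style rules from one APIResourceList document.

    Resources with identical verb sets are merged into one rule, in first-seen
    order; documents without a resources list (API roots, /openapi) and
    resources that advertise no verbs are skipped.
    """
    group = api_group_from_path(path)
    if group is None or not isinstance(doc, dict) or "resources" not in doc:
        return []
    by_verbs = OrderedDict()
    for res in doc["resources"]:
        verbs = tuple(sorted(res.get("verbs", [])))
        if not verbs:
            continue
        by_verbs.setdefault(verbs, []).append(res["name"])
    return [
        {"apiGroups": [group], "resources": names, "verbs": list(verbs)}
        for verbs, names in by_verbs.items()
    ]


def to_yaml(rules):
    """Render rules in the flow style the script above prints (no PyYAML needed)."""
    def flow(items):
        return "[" + ", ".join(json.dumps(i) for i in items) + "]"

    lines = []
    for r in rules:
        lines.append(f"- apiGroups: {flow(r['apiGroups'])}")
        lines.append(f"  resources: {flow(r['resources'])}")
        lines.append(f"  verbs: {flow(r['verbs'])}")
    return "\n".join(lines)


# Constructed sample: the apps group with two workload kinds and their subresources.
SAMPLE_PATH = "/apis/apps/v1"
SAMPLE_DOC = json.loads("""{
  "kind": "APIResourceList", "apiVersion": "v1", "groupVersion": "apps/v1",
  "resources": [
    {"name": "statefulsets", "namespaced": true, "kind": "StatefulSet",
     "verbs": ["create","delete","deletecollection","get","list","patch","update","watch"]},
    {"name": "statefulsets/scale", "namespaced": true, "kind": "Scale",
     "verbs": ["get","patch","update"]},
    {"name": "statefulsets/status", "namespaced": true, "kind": "StatefulSet",
     "verbs": ["get","patch","update"]},
    {"name": "deployments", "namespaced": true, "kind": "Deployment",
     "verbs": ["create","delete","deletecollection","get","list","patch","update","watch"]},
    {"name": "deployments/scale", "namespaced": true, "kind": "Scale",
     "verbs": ["get","patch","update"]}
  ]
}""")

if __name__ == "__main__":
    print(f"# {SAMPLE_PATH}")
    print(to_yaml(rules_from_discovery(SAMPLE_PATH, SAMPLE_DOC)))
```

For the sample this yields two rules instead of five: one for `statefulsets` and `deployments` with the full verb set, and one for the three subresources with get/patch/update. Before pasting such a block into a Role, trim the verb list to what the workload actually needs; discovery reports what the API supports, not what should be granted.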
