
RBAC kubectl add/patch to existing rolebinding

Update: The reason for patching it to add a role to the rolebinding

Is it possible to add/patch to an existing cluster/rolebinding?

To save on obfuscation, I am thinking it would be nice to be able to add to an existing rolebinding.

Adding/patch to a role - I see as a no go, but for rolebinding - yes please :-)

Tried this but no success - so if possible, how to?

subjects:
- kind: ServiceAccount
  name: test-service-account # Name is case sensitive
  apiGroup: ""
  namespace: default
  # core/v1 .. rbac.authorization.k8s.io
roleRef:
  kind: Role #this must be Role or ClusterRole
  name: pod-reader-2add # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io

And patched:

kubectl patch rolebinding read-pods --patch "$(cat rolebinding2patch.yaml)"
The RoleBinding "read-pods" is invalid: roleRef: Invalid value: rbac.RoleRef{APIGroup:"rbac.authorization.k8s.io", Kind:"Role", Name:"pod-reader-2add"}: cannot change roleRef

roleRef in role binding is immutable by design. Hence you cannot change it.

Here is the validation code:

func ValidateRoleBindingUpdate(roleBinding *rbac.RoleBinding, oldRoleBinding *rbac.RoleBinding) field.ErrorList {
    allErrs := ValidateRoleBinding(roleBinding)
    allErrs = append(allErrs, validation.ValidateObjectMetaUpdate(&roleBinding.ObjectMeta, &oldRoleBinding.ObjectMeta, field.NewPath("metadata"))...)

    if oldRoleBinding.RoleRef != roleBinding.RoleRef {
        allErrs = append(allErrs, field.Invalid(field.NewPath("roleRef"), roleBinding.RoleRef, "cannot change roleRef"))
    }

    return allErrs
}

Check the issue here.

You can patch rolebindings.

$ cat patch.yaml
subjects:
- kind: ServiceAccount
  name: my-new-service-account
  namespace: default
$ kubectl patch rolebinding my-rolebinding --patch "$(cat patch.yaml)"
rolebinding.rbac.authorization.k8s.io/my-rolebinding patched
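
The two answers above combined, as an added example (not code from the original posts or from Kubernetes): a Go helper that refuses a change to `roleRef` and otherwise emits a JSON patch that appends only the missing subjects, so the existing list is not restated. `PlanUpdate`, `Binding` and the simplified `RoleRef`/`Subject` types are hypothetical stand-ins, and the `pod-reader` role name is a constructed sample.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Stand-ins for the rbac/v1 fields shown on this page (not the real API types).
type RoleRef struct{ APIGroup, Kind, Name string }
type Subject struct {
	Kind      string `json:"kind"`
	Name      string `json:"name"`
	Namespace string `json:"namespace,omitempty"`
}
type Binding struct {
	RoleRef  RoleRef
	Subjects []Subject
}

// PlanUpdate (hypothetical helper) builds a JSON patch that appends the
// subjects in want that cur lacks. A differing roleRef is refused up front,
// mirroring the API server's "cannot change roleRef" check.
func PlanUpdate(cur, want Binding) (string, error) {
	if cur.RoleRef != want.RoleRef {
		return "", fmt.Errorf("roleRef is immutable: bind %q with a separate RoleBinding", want.RoleRef.Name)
	}
	seen := map[Subject]bool{}
	for _, s := range cur.Subjects {
		seen[s] = true
	}
	ops := []map[string]interface{}{}
	for _, s := range want.Subjects {
		if seen[s] {
			continue // already bound, or listed twice in want
		}
		seen[s] = true
		op := map[string]interface{}{"op": "add", "path": "/subjects/-", "value": s}
		if len(cur.Subjects)+len(ops) == 0 { // no list yet: create it instead
			op["path"], op["value"] = "/subjects", []Subject{s}
		}
		ops = append(ops, op)
	}
	b, err := json.Marshal(ops)
	return string(b), err
}

func main() {
	ref := RoleRef{"rbac.authorization.k8s.io", "Role", "pod-reader"} // constructed sample
	cur := Binding{ref, []Subject{{"ServiceAccount", "test-service-account", "default"}}}
	want := Binding{ref, append(cur.Subjects, Subject{"ServiceAccount", "my-new-service-account", "default"})}
	fmt.Println(PlanUpdate(cur, want))
}
```

The printed patch is meant to be passed to `kubectl patch rolebinding read-pods --type=json -p '<patch>'`. When the helper returns the roleRef error, the additional role needs its own RoleBinding.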
