Hi Question regarding CKA / 154 - Practice Test - Cluster Roles and Role Bindin . . .

Jean-Marie Lallemand:
Hi

Question regarding CKA / 154 - Practice Test - Cluster Roles and Role Bindings

Why, for the resource “storageclasses”, do we need to declare:

- apiGroups: ["storage.k8s.io"] ?

While for the resource “persistentvolumes” we keep:

- apiGroups: [""]

If we keep - apiGroups: [""] for “storageclasses”, kubectl auth can-i get storageclasses --as michelle gives us “No”, although the rule seems correct:

k describe clusterrole storage-admin
Name:         storage-admin
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources          Non-Resource URLs  Resource Names  Verbs
  ---------          -----------------  --------------  -----
  persistentvolumes  []                 []              [get list watch create delete]
  storageclasses     []                 []              [get list watch create delete]

But if we declare apiGroups: ["storage.k8s.io"], kubectl auth can-i get storageclasses --as michelle gives us “Yes”

k describe clusterrole storage-admin
Name:         storage-admin
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources                      Non-Resource URLs  Resource Names  Verbs
  ---------                      -----------------  --------------  -----
  persistentvolumes              []                 []              [get watch list create delete]
  storageclasses.storage.k8s.io  []                 []              [get watch list create delete]

Thanks for your help
Regards

Hasan Alsaedi:
Check api-resources to get the answer

Hasan Alsaedi:
see the difference here:
controlplane $ kubectl api-resources | grep -i storageclass
storageclasses sc storage.k8s.io/v1 false StorageClass

controlplane $ kubectl api-resources | grep -i persistentvolumes
persistentvolumes pv v1 false PersistentVolume

Hasan Alsaedi:
StorageClass APIVERSION is set as storage.k8s.io/v1, whereas PV is set as only v1

Hasan Alsaedi:
To see the full list run “kubectl api-resources”

Jean-Marie Lallemand:
Thanks.
Yes I saw this point.
And I just understood that when we keep apiGroups [""], only the core API group is addressed

But I do not understand then why, without indicating storage.k8s.io/v1, the PolicyRule nonetheless gives us:

PolicyRule:
  Resources          Non-Resource URLs  Resource Names  Verbs
  ---------          -----------------  --------------  -----
  persistentvolumes  []                 []              [get list watch create delete]
  storageclasses     []                 []              [get list watch create delete]

As storageclasses is not part of the core API group, the PolicyRule should not be accepted when we keep apiGroups [""] for the storageclasses resource …
I deduce that when a resource does not belong to the core API, it is necessary to consistently inform the appropriate API group

Hasan Alsaedi:
It’s not new that sometimes the YAML config will run/apply but with the wrong config. There are many examples of k8s admins specifying something that is not right by mistake, but it runs anyway and causes issues.

unnivkn:
Hi @Jean-Marie Lallemand fyi: