Can you please give some examples of RBAC in a named API group? I understand that for the core API group we need to leave apiGroups as apiGroups: [""]. For core API groups, can we have any other value inside apiGroups other than [""]? Also, in the case of a named API group, what value can we put inside apiGroups?
And how can we check which resources fall under the core API group and which resources fall under a named group?
For apiGroups, you have the option to leave it as [""], and this will take all the apiGroups by default, but if you specify it, this will limit the selection of apiGroups.
The following is an example: the first rule uses [""], which means it can get, list and watch the pods resources in all apiGroups, and the second allows get, list, watch, create, update, patch and delete on the deployments resources only for the apiGroups extensions and apps.
- apiGroups: ["*"]
- apiGroups: ["extensions", "apps"]
- apiGroup: ""
To know the available resources for all apigroups you can use this command:
From the output of this command, you can see the available apiGroups in the “APIVERSION” column and the available resources for them in “KIND”.
Sorry for the late follow-up, as I was away for 2 months.
I didn’t get the above output for kubectl api-resources. It says APIVERSION, not APIGROUP. So how do I know, while creating a role, whether a resource belongs to the core API group and can be left blank, or belongs to the apps API group or the extensions API group?
- apiGroups: ["what should go here"]
verbs: ["get", "list"]
You can use
kubectl api-resources to check it.
As I mentioned in my previous answer, I didn’t understand the output of kubectl api-resources in terms of APIGROUP info, as I can’t find it.
Here is the output of the kubectl api-resources command; kindly help me understand how I can define the APIGROUP from this output:
E.g., for deployments it says APIVERSION is apps/v1.
Can we write:
verbs: ["get", "list"]
Older versions of K8s use the extensions group and newer versions use apps. So, when you add both, it will work on any version of K8s.
OK. Understood. So we can use the value under APIVERSION for apiGroups to create the role? Please correct me if I am wrong.
OK, thanks for the clarification.
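
Added example, not part of the thread: a shell helper that derives the RBAC apiGroups value from the APIVERSION column of kubectl api-resources. The group is the part before the slash, without the version, and a bare version such as v1 denotes the core group, written "". The sample table is constructed and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed sample of `kubectl api-resources` output. Note that SHORTNAMES
# is empty for secrets, so naive whitespace fields ($3) would misread that row.
sample_api_resources() {
cat <<'EOF'
NAME          SHORTNAMES   APIVERSION                     NAMESPACED   KIND
pods          po           v1                             true         Pod
secrets                    v1                             true         Secret
deployments   deploy       apps/v1                        true         Deployment
ingresses     ing          networking.k8s.io/v1           true         Ingress
EOF
}

# api_group_of <resource>: read the table on stdin, print the apiGroups value.
api_group_of() {
  awk -v want="$1" '
    NR == 1 {                                  # locate the column by its header
      col = index($0, "APIVERSION")
      if (!col) exit 2
      next
    }
    $1 == want {
      split(substr($0, col), f, " ")           # first token at that offset
      n = split(f[1], parts, "/")
      # "group/version" -> group; a bare version such as "v1" -> core group ""
      print (n == 2 ? parts[1] : "")
      found = 1
      exit
    }
    END { if (!found) exit 1 }
  '
}

# rbac_rule <resource> <verbs as a YAML list>: print one Role rule for it.
rbac_rule() {
  _grp=$(api_group_of "$1") || { echo "unknown resource: $1" >&2; return 1; }
  printf '%s\n' "- apiGroups: [\"$_grp\"]" "  resources: [\"$1\"]" "  verbs: $2"
}

# Against a live cluster: kubectl api-resources | rbac_rule deployments '["get", "list"]'
sample_api_resources | rbac_rule deployments '["get", "list"]'
sample_api_resources | rbac_rule secrets '["get"]'
```

Writing the full APIVERSION value (for example apps/v1) into apiGroups does not match any API group, so the rule grants nothing.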