Ceci Ivanov:
what are the apiGroups in role definitions? do I need them? and how to define them with the imperative command?
Trung Tran:
APIGroups is the name of the APIGroup that contains the resources. If
multiple API groups are specified, any action requested against one of the
enumerated resources in any API group will be allowed. “” represents the
core API group and “*” represents all API groups.
Trung Tran:
When you create the role with the imperative command, the apiGroups will be auto populated based on the resource you provide.
For example:
kubectl create role test --verb=create --resource=ingresses --dry-run=client -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: test
rules:
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - create
networking.k8s.io is added to the apiGroups if I set the resource to ingresses, you don’t need to remember the apiGroup name of each k8s object.
For the full list of the apiGroups, use this command: kubectl api-resources
mjv:
also, you can use short versions for the resources which have it like (po->pods,deploy->deployments,netpol->networkpolicy, …) and kubectl will resolve apiGroups part
like in above example
$ k create role test --verb=create --resource=ing --dry-run=client -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: test
rules:
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - create
mjv:
> what are the apiGroups in role definitions
you can think of them as logical group of resources (networking.k8s.io -> for ing and netpol, apps -> for *sets,…)
> do I need them?
thus you need them when you want to be precise what you wanna allow like which resources from which apiGroup including the needed action (create,list,watch,get,delete or update)
Ceci Ivanov:
thank you