What are the apiGroups in role definitions? Do I need them? And how do I define them with the imperative command?
APIGroups is the name of the APIGroup that contains the resources. If
multiple API groups are specified, any action requested against one of the
enumerated resources in any API group will be allowed. "" represents the
core API group and "*" represents all API groups.
When you create the role with the imperative command, the apiGroups will be auto populated based on the resource you provide.
kubectl create role test --verb=create --resource=ingresses --dry-run=client -o yaml
networking.k8s.io is added to the apiGroups if I set the resource to ingresses; you don't need to remember the apiGroup name of each k8s object.
For the full list of the apiGroups, use this command:
Also, you can use the short names for the resources which have them (po -> pods, deploy -> deployments, netpol -> networkpolicy, …) and kubectl will resolve the apiGroups part, like in the above example:
$ k create role test --verb=create --resource=ing --dry-run=client -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: test
rules:
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - create
> what are the apiGroups in role definitions
you can think of them as a logical group of resources (
networking.k8s.io → for
apps → for
> do I need them?
thus you need them when you want to be precise about what you wanna allow, like which resources from which apiGroup, including the needed action (create, list, watch, get, delete or update)
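
An added example, not part of the thread above and not Kubernetes source code: a small Python model of how an RBAC rule's apiGroups, resources and verbs are matched, showing why the same resource name under the wrong apiGroup grants nothing and how "" and "*" behave. The role names and sample rules are constructed, and resourceNames, subresources and nonResourceURLs are left out as a simplifying assumption.

```python
# Added illustration of how RBAC rule matching treats apiGroups.
# Simplified assumption: resourceNames, subresources and nonResourceURLs are ignored.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple


def _matches(allowed, requested):
    # "*" in a rule field matches every value for that field
    return "*" in allowed or requested in allowed


def rule_allows(rule, api_group, resource, verb):
    # All three fields must match; the lists in one rule combine as a cross product
    return (_matches(rule.api_groups, api_group)
            and _matches(rule.resources, resource)
            and _matches(rule.verbs, verb))


def role_allows(rules, api_group, resource, verb):
    # RBAC is additive: the request is allowed if any single rule allows it
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


# Constructed sample roles (hypothetical names)
PRECISE = [Rule(("networking.k8s.io",), ("ingresses",), ("create",))]
WRONG_GROUP = [Rule(("",), ("ingresses",), ("create",))]  # "" is the core group
MULTI = [Rule(("", "apps"), ("pods", "deployments"), ("get", "list"))]
ALL_GROUPS = [Rule(("*",), ("ingresses",), ("create",))]

if __name__ == "__main__":
    checks = [
        ("PRECISE", PRECISE, "networking.k8s.io", "ingresses", "create"),
        ("WRONG_GROUP", WRONG_GROUP, "networking.k8s.io", "ingresses", "create"),
        ("MULTI", MULTI, "apps", "deployments", "list"),
        ("MULTI", MULTI, "apps", "deployments", "delete"),
        ("ALL_GROUPS", ALL_GROUPS, "networking.k8s.io", "ingresses", "create"),
    ]
    for name, rules, group, resource, verb in checks:
        verdict = "allowed" if role_allows(rules, group, resource, verb) else "denied"
        print(f"{name}: {verb} {resource} in group '{group}' -> {verdict}")
```

The WRONG_GROUP case is the one to watch for in hand-written manifests: the Role is accepted, but it never matches an Ingress request because ingresses live in networking.k8s.io, not the core group.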