Expected behavior for ClusterRole with two rules mentioning the same resource

Time:04-29

I'm working with RBAC on an OpenShift cluster. I was wondering what the expected behavior is for applying a ClusterRole that has two rules which reference the same resource. E.g.:

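apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ocp-cluster-role
rules:
# Rule 1: read access to pods in the core ("") API group
- apiGroups:
  - ""
  resources:
  - pods   # RBAC resource names are lowercase plural; "Pods" would not match
  verbs:
  - get
# Rule 2: write access to the same resource
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete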

Will an associated ServiceAccount be able to create, delete, and get Pods, or will they override one another?

CodePudding user response:

The subject will have all the permissions granted through multiple bindings to roles.

CodePudding user response:

As the cluster role contains get, create & delete permissions for pod resources, they will all be applied together to a service account for the rolebinding and won't override each other.
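
The additive evaluation both answers describe, as an added example that is not part of the original thread and is not Kubernetes' own code: a simplified Go model of how RBAC rules are matched. The `PolicyRule` type and the `has`, `Allowed` and `OCPClusterRole` names are assumptions made for illustration.

```go
package main

import "fmt"

// PolicyRule is a simplified stand-in for one entry under `rules:` in a
// Role or ClusterRole (illustrative type, not the Kubernetes API type).
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

// has reports whether list contains want or the "*" wildcard.
// Matching is exact string comparison, so "Pods" does not match "pods".
func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Allowed models RBAC's additive evaluation: the request is permitted as
// soon as ANY rule matches group, resource and verb. There is no deny
// rule and no ordering, so rules can only add permissions.
func Allowed(rules []PolicyRule, group, resource, verb string) bool {
	for _, r := range rules {
		if has(r.APIGroups, group) && has(r.Resources, resource) && has(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// OCPClusterRole mirrors the two rules of ocp-cluster-role from the
// question, with the resource in the lowercase form the API server uses.
func OCPClusterRole() []PolicyRule {
	return []PolicyRule{
		{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get"}},
		{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"create", "delete"}},
	}
}

func main() {
	for _, verb := range []string{"get", "create", "delete", "list"} {
		fmt.Printf("%-6s pods: %v\n", verb, Allowed(OCPClusterRole(), "", "pods", verb))
	}
}
```

On a live cluster the same result can be checked per verb with `kubectl auth can-i <verb> pods --as=system:serviceaccount:<namespace>:<name>`, where the namespace and account name are placeholders for the bound ServiceAccount.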
