how to specify kubernetes RBAC permissions for scaling a specific deployment

Time:05-18

I'm trying to give a group of users permission to scale a specific set of deployments in kubernetes 1.20

I've tried using the API reference doc here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#patch-scale-deployment-v1-apps to set resource names like so:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
... #irrelevant rules omitted
- apiGroups: ["apps"]
  resources:
    - /namespaces/my-namespace-name/deployments/my-deployment-name/scale
    - deployments/my-deployment-name/scale
  verbs:
    - update
    - patch

This doesn't work:

$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
Error from server (Forbidden): deployments.apps "my-deployment-name" is forbidden: User "kubeoperatorrole" cannot patch resource "deployments/scale" in API group "apps" in the namespace "my-namespace-name"

The only way I can get the scale command to work is to grant the permission for all deployments (which is not what I want) like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
... #irrelevant rules omitted
- apiGroups: ["apps"]
  resources:
    - deployments/scale
  verbs:
    - update
    - patch

$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
deployment.apps/my-deployment-name scaled

What is the correct syntax for specifying a specific deployment resource by name, or is this not possible? The deployments I'm targeting cannot be moved to an isolated namespace.

CodePudding user response:

resources isn't what you're looking for, it's resourceNames, which has to be a specific object name like resourceNames: [my-deployment-name]. In general this isn't a very good approach; the expectation is that you will segment things by namespace and give them permissions in just one namespace (or two or three or whatever it is).

CodePudding user response:

Try:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
- apiGroups: ["apps"]
  resources:
  - deployments/scale
  resourceNames: ["my-deployment-name"]  # <-- name of your deployment here
  verbs:
  - update
  - patch
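To see why the question's rule fails and the answer's rule works, here is an added example (not from the question or either answer) that re-implements, in simplified form, how the kube-apiserver's RBAC authorizer matches a PolicyRule against a request: the request resource is "deployments/scale" with the object name carried separately, so only resourceNames can pin it to one deployment, and a RoleBinding (as the first answer recommends) further limits the grant to one namespace. The rule/request dictionaries and the function names are this example's own; real RBAC matching also supports forms such as "*/scale" that are omitted here.

```python
"""Minimal offline model of kube-apiserver RBAC rule matching (added example,
simplified; no cluster is contacted)."""


def _matches(patterns, value):
    # verbs, apiGroups and resources: "*" is a wildcard, otherwise exact match
    return any(p == "*" or p == value for p in patterns)


def rule_allows(rule, req):
    # The request resource is "<resource>/<subresource>" when a subresource is hit,
    # e.g. kubectl scale patches "deployments/scale"; the object name is NOT part of it,
    # which is why "deployments/my-deployment-name/scale" never matches anything.
    resource = req["resource"]
    if req.get("subresource"):
        resource += "/" + req["subresource"]
    names = rule.get("resourceNames", [])
    # An empty resourceNames list means any name; a non-empty list requires the
    # request's object name to be listed (so it cannot grant "create", which has no name).
    name_ok = not names or req.get("name", "") in names
    return (_matches(rule.get("verbs", []), req["verb"])
            and _matches(rule.get("apiGroups", []), req["apiGroup"])
            and _matches(rule.get("resources", []), resource)
            and name_ok)


def binding_allows(binding, req):
    # binding = {"namespace": None for a ClusterRoleBinding, or the RoleBinding's
    # namespace; "rules": the bound role's rules}. A RoleBinding only applies to
    # requests in its own namespace; a ClusterRoleBinding applies in every namespace.
    ns = binding.get("namespace")
    if ns is not None and ns != req.get("namespace"):
        return False
    return any(rule_allows(r, req) for r in binding["rules"])


# Rules copied from the question (does not work) and from the second answer (works).
QUESTION_RULE = {"apiGroups": ["apps"], "verbs": ["update", "patch"],
                 "resources": ["/namespaces/my-namespace-name/deployments/my-deployment-name/scale",
                               "deployments/my-deployment-name/scale"]}
ANSWER_RULE = {"apiGroups": ["apps"], "verbs": ["update", "patch"],
               "resources": ["deployments/scale"], "resourceNames": ["my-deployment-name"]}


def scale_request(name, namespace="my-namespace-name", verb="patch"):
    # Request attributes that `kubectl scale deployments -n <ns> <name>` is authorized as.
    return {"verb": verb, "apiGroup": "apps", "resource": "deployments",
            "subresource": "scale", "name": name, "namespace": namespace}


if __name__ == "__main__":
    for label, rule in (("question rule", QUESTION_RULE), ("answer rule", ANSWER_RULE)):
        print(label, "allows scale:", rule_allows(rule, scale_request("my-deployment-name")))
```

The same check on a live cluster is `kubectl auth can-i patch deployments.apps/my-deployment-name --subresource=scale -n my-namespace-name --as=<user>`, which asks the API server rather than this model.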