What RBAC role resource type would I use for raw type?
ex. kubectl get --raw "/api/v1/nodes/(your-node-name)/proxy/stats/summary"
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: k8s-ephemeral-storage-metrics-debug
rules:
- apiGroups: [""]
resources: ["*"]
verbs: ["*"]
or go raw API k8s calls?
content, err := clientset.RESTClient().Get().AbsPath(fmt.Sprintf("/api/v1/nodes/%s/proxy/stats/summary", currentNode)).DoRaw(context.Background())
CodePudding user response:
The API documentation names this operation "Get Connect Proxy Path" and more specifically describes the URL as
GET /api/v1/nodes/{name}/proxy/{path}
The .../proxy/...
part is the interesting part. It indicates that you're not using basic CRUD operations on a Node object, but rather accessing some subresource of the Node. The RBAC setup has specific syntax for subresources.
You need to break the URL down into its component parts You can break this down into several component parts:
(no API group)
v
GET /api/v1/nodes/{name}/proxy/{path}
^^^^^ ^^^^^
resource subresource
You then use the resource/subresource
name in the RBAC definition
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: k8s-ephemeral-storage-metrics-debug
rules:
- apiGroups: [""]
resources: ["node/proxy"]
verbs: ["get"]