List of Kubernetes RBAC rule verbs

Question

I want to give my application limited access to get the replicas of different statefulsets (and maybe deployment) and if necessary scale them up or down.

I have created ServiceAccount, Rolebinding and Role for this but I can't find the complete list of rule verbs ("get", "watch", "list", "update") and what are their limitations, for example can I use update for scaling or I need another verb? And where can I find a list or table that described these verbs?

My yaml file:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: scaler-role
  namespace: {{ .Release.Namespace  | quote }}
rules:
- apiGroups: ["apps"]
  resources: ["statefulset"]
  verbs: ["get", "watch", "list", "update"]

Answer 1

You can type this command and check VERBS column

kubectl api-resources --api-group=rbac.authorization.k8s.io -o wide

Answer 2

You can get quite a bit of info via this:

kubectl api-resources --sort-by name -o wide

The above api-resources command is explicit and easy to grep. The complete list of possible verbs can be obtained thus:

$ kubectl api-resources --no-headers --sort-by name -o wide | sed 's/.*\[//g' | tr -d "]" | tr " " "\n" | sort | uniq
create
delete
deletecollection
get
list
patch
update
watch

The Resource Operations section of API reference docs (eg https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/) talks a little bit about them but doesn't mention deletecollection (btw: see interesting info about deletecollection; suggests that whenever you give delete, you should give deletecollection permission too, if the resource supports it).

The Determine the Request Verb section of Authorization Overview does briefly mention deletecollection, as well as a half a dozen more verbs (such as escalate as pointed out rightfully by @RoryMcCune) which, unfortunately, do not show up in output of kubectl api-resources -o wide command.

BTW the api-resources command also lists the short names of commands, such as svc for services.

Update May 2023:

Another less user-friendly but more complete way of getting the verbs is by directly querying the API server:

1. in one terminal, start a proxy for the API server; eg kubectl proxy --port=8080
2. in another terminal, use curl on /api/v1 and /apis

For core resources (configmaps, etc):

Use curl -s lo calhost:8080 /api/v1 to get json with the verbs for each core resource type name. Eg (if you have jq)

$ curl -s http://localhost:8080/api/v1 | jq '.resources[] | [.name, (.verbs | join(" "))] | join(" = ")' -r
bindings = create
componentstatuses = get list
configmaps = create delete deletecollection get list patch update watch
endpoints = create delete deletecollection get list patch update watch
...

For the non-core resources (deployments, CRD, etc):

Say you want the verbs for deployments, you know that the API group for deployments is apps. First get the versioned group name for that API using curl -s http://localhost:8080/apis. Eg (if you have jq)

```
$ curl -s http://localhost:8080/apis | jq '.groups[].preferredVersion.groupVersion' -r | grep ^apps
apps/v1
```

Use this to query the API of that group for verbs by using curl -s http://localhost:8080/apis/VERSIONED_API ie in the above example curl -s http://localhost:8080/apis/apps/v1. Eg (if you have jq, the jq is the same),

```
$ curl -s http://localhost:8080/apis/apps/v1 | jq '.resources[] | [.name, (.verbs | join(" "))] | join(" = ")' -r
controllerrevisions = create delete deletecollection get list patch update watch
daemonsets = create delete deletecollection get list patch update watch
daemonsets/status = get patch update
deployments = create delete deletecollection get list patch update watch
deployments/scale = get patch update
deployments/status = get patch update
...
```

BTW the page https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/ documents how to use Python, Java etc instead of curl.

I created a kubectl plugin, for the use case where one wants to get the verbs for a specific resource type: https://github.com/schollii/my-devops-lab/blob/main/kubernetes/kubectl-verbs. Eg

$ kubectl verbs configmaps
configmaps = create delete deletecollection get list patch update watch

$ kubectl verbs deployments apps
deployments = create delete deletecollection get list patch update watch
deployments/scale = get patch update
deployments/status = get patch update

The file has instructions to install it as a plugin. It is a simple bash script.

Answer 3

Related to this, to know the full list of verbs for apiGroups and resources on your running cluster, including any additional one introduced with operators or CRD, you can do the following.

Open in a terminal:

kubectl proxy

Then on a different terminal, you can run:

# List all API urls
curl http://localhost:8001/ | yq '.paths[]'

# List all objects and verbs for an API path like /api/v1
curl http://localhost:8001/api/v1 | yq '.resources[] | [{"resources":.name,"verbs":.verbs}]'

If you want a script that lists all in a single place in a nice way, run this:

#!/bin/bash

# Remember to run on another terminal before this script:
# kubectl proxy

set -euo pipefail

# Show Kubernetes server version
echo -n '# '
kubectl version --short 2>/dev/null | grep 'Server'

for url in $(curl -s http://localhost:8001/ | yq '.paths[]' | xargs) ; do 
    [ "$url" == "/metrics" ] && continue
    doc=$(curl -s http://localhost:8001$url)

    # If URL doesn't publish info, skip
    [ "$doc" == "ok" ] && continue

    # Remove from apiGroup prefix (/, /api/v1, /apis/) and suffix ( /v1, /v1beta1)
    apiGroup=$(echo $url | sed 's/\/api\/v1//' | sed 's/\/apis\///' | sed 's/^\///' | sed 's/\/v[0-9]*\(beta[0-9]\+\)\?$//'  )

    # Get permissions and format them nicely in YAML
    yaml=$(echo "$doc" | yq -M '[.resources[] | {"apiGroups":["'$apiGroup'"], "resources":[.name],"verbs":.verbs}] | .. style="double" | .[].* style="flow"' 2>/dev/null ||:);
    
    # TODO: group resources from the same apiGroup with the same verbs together

    # If document is empty, skip it
    [ "$yaml" == "[]" ] && continue

    echo ""
    echo "# $url"
    echo "$yaml"
done

You can also find that script on this gist: https://gist.github.com/vicenteherrera/0bfe2762ecd5794eba65ed19d0d51188

When you execute it, you can save the output on a file:

./list_verbs.sh >verbs.yaml

Here is a brief example of the output:

# /apis/templates.gatekeeper.sh/v1beta1
- apiGroups: ["templates.gatekeeper.sh"]
  resources: ["constrainttemplates"]
  verbs: ["delete", "deletecollection", "get", "list", "patch", "create", "update", "watch"]
- apiGroups: ["templates.gatekeeper.sh"]
  resources: ["constrainttemplates/status"]
  verbs: ["get", "patch", "update"]

Then you can just copy and paste a YAML block from that file to your Kubernetes role, it already is in the format expected for the role.

Answer 4

On Linux/Mac/WSL/etc.

1. Run: kubectl proxy &
2. Run: curl http://127.0.0.1:8001 -k | grep -v 'paths' | grep '"' | sed -e 's/"//g' -e 's/,//g' | sort | while read line ; do kubectl get --raw ${line} ; done | jq | less
3. Search for the api you need in less to see the verbs.

Answer 5

Here is the list of RBAC verbs:

For scaling, I think you'll need write permissions (create, update and patch) along with read permissions (get, list and watch).

Answer 6

A list of verbs can be found here https://kubernetes.io/docs/reference/access-authn-authz/authorization/#review-your-request-attributes

and a brief description can be found here https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb

I have a role that I use for updating the docker image tag for deployments which looks like this (I don't use mine to create the deployment, just to patch the image tag)

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployer
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "patch"]