Reputation: 475
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: p-viewer-role
  namespace: pepsi
rules:
- apiGroups:
  - ""
  resourceNames:
  - p83
  resources:
  - pods
  verbs:
  - list
  - get
  - watch
When we use resourceNames in the Role, the following command works
kubectl get pods -n pepsi p83
and returns a proper value. However,
kubectl get pods -n pepsi
returns forbidden. Why doesn't it list p83?
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: p-viewer-rolebinding
  namespace: pepsi
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: p-viewer-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: pepsi-project-viewer
  namespace: project
Upvotes: 3
Views: 2481
Reputation: 403
Short answer: list (and watch) actually can be restricted by their resource name, and permit list (and watch) requests using a fieldSelector of metadata.name=... to match a single object (for example, /api/v1/namespaces/$ns/configmaps?fieldSelector=metadata.name=foo).
For more details and some tests you can check this link: https://github.com/kubernetes/website/pull/29468
@sftim and @liggitt do offer a lot of help!
Upvotes: 2
Reputation: 44687
This is expected behavior. You have defined a role which is scoped to the namespace pepsi, to pod resources with the specific resourceName p83.
For the kubectl get pods -n pepsi command to work you need to remove the resourceNames p83 from the Role.
This kind of advanced validation is best handled by OPA where you can define fine grained policies.
Upvotes: 6
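To make both answers concrete, here is an added example (not from either answer, and not kube-apiserver code) that models how a rule with resourceNames is matched: a get names its object directly, a plain list or watch carries no name and so never matches the restricted rule, and a list or watch whose fieldSelector pins metadata.name to a single value is authorized as if it named that object. The Rule class, the selector parsing and the allowed() helper are constructed for illustration and simplify the real authorizer.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Simplified model of how the RBAC authorizer treats a rule that carries
# resourceNames (constructed for illustration; not kube-apiserver code).

@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)

# The p-viewer-role from the question, expressed as data.
P_VIEWER_ROLE = [Rule(api_groups=[""], resources=["pods"],
                      verbs=["list", "get", "watch"], resource_names=["p83"])]

def exact_name_from_selector(field_selector: str) -> Optional[str]:
    """Return the value of a metadata.name=<x> (or ==) requirement, if any.
    Negated (!=) requirements never name an object."""
    for req in field_selector.split(","):
        req = req.strip()
        if "!=" in req:
            continue
        key, sep, value = req.partition("==") if "==" in req else req.partition("=")
        if sep and key.strip() == "metadata.name" and value.strip():
            return value.strip()
    return None

def request_name(verb, name, field_selector):
    """Name the authorizer sees: a get names the object directly; a list or
    watch is unnamed unless its fieldSelector pins down metadata.name."""
    if verb in ("list", "watch"):
        return exact_name_from_selector(field_selector) if field_selector else None
    return name

def rule_matches(rule, api_group, resource, verb, name):
    def hit(wanted, allowed_values):
        return wanted in allowed_values or "*" in allowed_values
    if not (hit(verb, rule.verbs) and hit(api_group, rule.api_groups)
            and hit(resource, rule.resources)):
        return False
    if rule.resource_names:
        # Restricted rule: only a request that names one of the listed
        # objects matches, so an unnamed list/watch is forbidden.
        return name is not None and name in rule.resource_names
    return True

def allowed(rules, verb, resource, api_group="", name=None, field_selector=None):
    resolved = request_name(verb, name, field_selector)
    return any(rule_matches(r, api_group, resource, verb, resolved) for r in rules)
```

The equivalent live check is kubectl get pods -n pepsi --field-selector metadata.name=p83, which the restricted role permits while the unfiltered list stays forbidden.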