kgunjikar

Reputation: 475

Kubernetes RBAC roles with resourceName and listing objects

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: p-viewer-role
  namespace: pepsi
rules:
- apiGroups:
  - ""
  resourceNames:
  - p83
  resources:
  - pods
  verbs:
  - list
  - get
  - watch

When we use resourceNames in the Roles, the following command works

kubectl get pods -n pepsi p83

returns a proper value. However,

kubectl get pods -n pepsi

returns forbidden. Why doesn't it list p83?

RoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: p-viewer-rolebinding
  namespace: pepsi
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: p-viewer-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: pepsi-project-viewer
  namespace: project

Upvotes: 3

Views: 2481

Answers (2)

Abirdcfly

Reputation: 403

Short answer:
list (and watch) can actually be restricted by resource name; this permits list (and watch) requests that use a fieldSelector of metadata.name=... to match a single object (for example, /api/v1/namespaces/$ns/configmaps?fieldSelector=metadata.name=foo).

For more details and some tests you can check this link: https://github.com/kubernetes/website/pull/29468

@sftim and @liggitt do offer a lot of help!

Upvotes: 2

Arghya Sadhu

Reputation: 44687

This is expected behavior. You have defined a role which is scoped to the namespace pepsi and to pod resources with the specific resourceName p83.

For the kubectl get pods -n pepsi command to work, you need to remove the resourceNames p83 from the Role.

This kind of advanced validation is best handled by OPA, where you can define fine-grained policies.

Upvotes: 6
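As an added illustration (not code from the question, either answer, or Kubernetes itself), here is a small Go model of the per-rule RBAC matching that both answers describe: a rule with resourceNames only matches a request that names one of those objects, so an unnamed list is forbidden, a list carrying a metadata.name field selector is allowed, and dropping resourceNames allows the plain list. It assumes, as the first answer states, that the apiserver takes the resource name for list/watch from a fieldSelector of metadata.name=<name>.

```go
package main

import "fmt"
import "strings"

// Rule carries the PolicyRule fields an RBAC authorizer matches on.
type Rule struct{ APIGroups, Resources, ResourceNames, Verbs []string }
// Request is the authorizer's view of one call; Name is empty for a plain list/watch.
type Request struct{ Verb, APIGroup, Resource, Name string }
func contains(list []string, s string) bool {
	for _, v := range list {
		if v == "*" || v == s {
			return true
		}
	}
	return false
}

// Allows is a simplified model (not Kubernetes' own code) of per-rule matching: a rule
// that sets resourceNames only matches a request naming one of those objects.
func (r Rule) Allows(req Request) bool {
	if !contains(r.Verbs, req.Verb) || !contains(r.APIGroups, req.APIGroup) ||
		!contains(r.Resources, req.Resource) {
		return false
	}
	if len(r.ResourceNames) == 0 {
		return true // no name restriction, as in the answer that drops resourceNames
	}
	return req.Name != "" && contains(r.ResourceNames, req.Name)
}

// ListRequest builds "list pods" in the core ("") group. Assumption from the first answer:
// for list/watch the apiserver takes the name from a fieldSelector of metadata.name=<name>.
func ListRequest(fieldSelector string) Request {
	req := Request{Verb: "list", Resource: "pods"}
	if strings.HasPrefix(fieldSelector, "metadata.name=") {
		req.Name = strings.TrimPrefix(fieldSelector, "metadata.name=")
	}
	return req
}

// ViewerRole is the single rule of p-viewer-role from the question.
var ViewerRole = Rule{APIGroups: []string{""}, Resources: []string{"pods"},
	ResourceNames: []string{"p83"}, Verbs: []string{"list", "get", "watch"}}

func main() {
	fmt.Println(ViewerRole.Allows(Request{Verb: "get", Resource: "pods", Name: "p83"})) // true
	fmt.Println(ViewerRole.Allows(ListRequest("")))                                      // false
	fmt.Println(ViewerRole.Allows(ListRequest("metadata.name=p83")))                    // true
}
```

The same three cases correspond to kubectl get pods -n pepsi p83, kubectl get pods -n pepsi, and kubectl get pods -n pepsi --field-selector metadata.name=p83 under the question's Role.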
