Kubernetes Role should grant access to all resources but it ignores some resources

Question

The role namespace-limited should have full access to all resources (of the specified API groups) inside of a namespace. My Role manifest looks like this:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace-limited
  namespace: restricted-xample
rules:
- apiGroups:
  - core
  - apps
  - batch
  - networking.k8s.io
  resources: ["*"] # asterisk to grant access to all resources of the specified api groups
  verbs: ["*"]

I associated the Role to a ServiceAccount using a RoleBinding but unfortunately this ServiceAccount has no access to Pod, Service, Secret, ConfigMap and Endpoint Resources. These resources are all part of the core API group. All the other common Workloads work though. Why is that?

Arghya Sadhu · Accepted Answer

The core group, also referred to as the legacy group, is at the REST path /api/v1 and uses apiVersion: v1

You need to use "" for core API group.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: restricted-xample
  name: namespace-limited
rules:
- apiGroups: ["", "apps", "batch", "networking.k8s.io"] # "" indicates the core API group
  resources: ["*"]
  verbs: ["*"]

To test the permission of the service account use below commands

kubectl auth can-i get pods --as=system:serviceaccount:restricted-xample:default -n restricted-xample 
kubectl auth can-i get secrets --as=system:serviceaccount:restricted-xample:default -n restricted-xample 
kubectl auth can-i get configmaps --as=system:serviceaccount:restricted-xample:default -n restricted-xample
kubectl auth can-i get endpoints --as=system:serviceaccount:restricted-xample:default -n restricted-xample

Kubernetes Role should grant access to all resources but it ignores some resources

Answers (2)

Related Questions