noxora

Reputation: 13

Read-only ingress resources kubernetes user

I'm trying to grant the default service account in my namespace the ability to read ingress resources. I want to be able to read all ingress resources for the cluster; would that necessitate a ClusterRole? This is the role and binding I've been trying. The kubectl command kubectl auth can-i list ingress -n my-namespace --as=system:serviceaccount:my-namespace:default also returns "no".

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-namespace
  name: my-ingress-reader
rules:
- apiGroups: ["", "networking.k8s.io", "networking", "extensions"] # "" indicates the core API group
  resources: ["ingress"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-ingress-reader
  namespace: my-namespace
subjects:
- kind: ServiceAccount
  name: default
  namespace: my-namespace
roleRef:
  kind: Role
  name: my-ingress-reader
  apiGroup: rbac.authorization.k8s.io

Upvotes: 1

Views: 528

Answers (1)

Girdhar Singh Rathore

Reputation: 5585

Your Role rules are using an incorrect api-resource, that is, resources: ["ingress"]; it must be resources: ["ingresses"].

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: my-namespace
  name: my-ingress-reader
rules:
- apiGroups: ["", "networking.k8s.io", "networking", "extensions"] # "" indicates the core API group
  resources: ["ingresses"]
  verbs: ["get", "watch", "list"]

To check the correct api-resources, you can use the command below:

root@controlplane:~# kubectl api-resources | grep -i ingress
ingresses                         ing          extensions/v1beta1                     true         Ingress
ingressclasses                                 networking.k8s.io/v1                   false        IngressClass
ingresses                         ing          networking.k8s.io/v1                   true         Ingress

Upvotes: 2
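
An added example (not part of the question or the answer): a small Python lint that applies the answer's check mechanically, comparing the resources and apiGroups of RBAC rules against kubectl api-resources output. The function names are hypothetical, the embedded table is the three lines quoted in the answer, and the rules are passed as Python dicts rather than parsed from YAML.

```python
# Added example, not from the thread: lint RBAC rules against `kubectl api-resources`.
# API_RESOURCES is the output quoted in the answer (kubectl api-resources | grep -i ingress).
API_RESOURCES = """\
ingresses                         ing          extensions/v1beta1                     true         Ingress
ingressclasses                                 networking.k8s.io/v1                   false        IngressClass
ingresses                         ing          networking.k8s.io/v1                   true         Ingress
"""

def parse_api_resources(text):
    """Map plural resource name -> API groups serving it and its non-RBAC aliases."""
    table = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4:
            continue  # blank or malformed line
        # SHORTNAMES may be empty, so read the fixed columns from the right.
        name, api_version, kind = cols[0], cols[-3], cols[-1]
        group = api_version.split("/")[0] if "/" in api_version else ""  # bare "v1" is core
        entry = table.setdefault(name, {"groups": set(), "aliases": set()})
        entry["groups"].add(group)
        entry["aliases"].add(kind.lower())
        if len(cols) == 5:
            entry["aliases"].update(cols[1].split(","))
    return table

def lint_rules(rules, table):
    """Return (rule index, resource, problem, detail) for entries that can never match."""
    findings = []
    for i, rule in enumerate(rules):
        for res in rule.get("resources", []):
            base = res.split("/")[0]  # subresource such as "pods/log" -> "pods"
            if base == "*":
                continue
            if base not in table:
                # RBAC matches the plural name only; kinds and short names do not work.
                hint = sorted(n for n, e in table.items() if base.lower() in e["aliases"])
                findings.append((i, res, "unknown resource", hint))
                continue
            dead = sorted(g for g in rule.get("apiGroups", [])
                          if g != "*" and g not in table[base]["groups"])
            if dead:
                findings.append((i, res, "apiGroups never match this resource", dead))
    return findings

if __name__ == "__main__":
    rule = {"apiGroups": ["networking.k8s.io"], "resources": ["ingress"]}  # constructed sample
    print(lint_rules([rule], parse_api_resources(API_RESOURCES)))
```

Because the embedded table is the grep-filtered output, only ingress resources are known to it; feed it the full kubectl api-resources --no-headers output to lint rules that name other resources.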
