Why can't I create pods as a user with enough permissions in Kubernetes?

I am following a tutorial regarding RBAC, I think I understand the main idea but I don't get why this is failing:

kc auth can-i "*" pod/compute --as [email protected]
no

kc create clusterrole deploy --verb="*" --resource=pods --resource-name=compute
clusterrole.rbac.authorization.k8s.io/deploy created

kc create clusterrolebinding deploy [email protected] --clusterrole=deploy
clusterrolebinding.rbac.authorization.k8s.io/deploy created

# this tells me that [email protected] should be able to create a pod named compute
kc auth can-i "*" pod/compute --as [email protected]
yes

# but it fails when trying to do so
kc run compute --image=nginx --as [email protected]
Error from server (Forbidden): pods is forbidden: User "[email protected]" cannot create resource "pods" in API group "" in the namespace "default"

The namespace name should be irrelevant AFAIK, since this is a ClusterRole.

Upvotes: 1

Views: 332

Answers (1)

whites11

Reputation: 13260

Restricting the create permission to a specific resource name is not supported.

This is from the Kubernetes documentation:

Note: You cannot restrict create or deletecollection requests by resourceName. For create, this limitation is because the object name is not known at authorization time.

This means the ClusterRole you created doesn't allow you to create any Pod. You need to have another ClusterRole assigned where you don't specify the resource name.

Upvotes: 2
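One way to keep the least-privilege intent of the question while working around the limitation the answer quotes is to split the ClusterRole into two rules: an unrestricted `create` rule (the only form the API server can authorize) and a second rule that pins the remaining verbs to the single pod named `compute`. This is an added example, not the asker's or answerer's manifest; it reuses the names from the question (`deploy`, `compute`) and substitutes a placeholder for the redacted user email.

```yaml
# Added example, not part of the original question or answer.
# Names reused from the question: ClusterRole "deploy", pod "compute".
# The user email is redacted on the page, so a placeholder is used.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deploy
rules:
  # "create" cannot be limited by resourceNames: the new object's name is
  # not known at authorization time, so this rule has to stay unrestricted.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create"]
  # Read/modify/delete can be scoped to the one pod the tutorial cares about.
  - apiGroups: [""]
    resources: ["pods"]
    resourceNames: ["compute"]
    verbs: ["get", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: deploy
subjects:
  - kind: User
    name: USER_EMAIL_PLACEHOLDER   # replace with the real user identity
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: deploy
  apiGroup: rbac.authorization.k8s.io
```

Because the binding is a ClusterRoleBinding, the `create` rule now allows that user to create pods with any name in every namespace; if the grant should stay within one namespace, bind the same ClusterRole with a namespaced RoleBinding instead.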
