Reputation: 13
I'm trying to give a group of users permission to scale a specific set of deployments in Kubernetes 1.20.
I've tried using the API reference doc here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#patch-scale-deployment-v1-apps to set resource names like so:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
  ... # irrelevant rules omitted
  - apiGroups: ["apps"]
    resources:
      - /namespaces/my-namespace-name/deployments/my-deployment-name/scale
      - deployments/my-deployment-name/scale
    verbs:
      - update
      - patch
This doesn't work:
$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
Error from server (Forbidden): deployments.apps "my-deployment-name" is forbidden: User "kubeoperatorrole" cannot patch resource "deployments/scale" in API group "apps" in the namespace "my-namespace-name"
The only way I can get the scale command to work is to grant the permission for all deployments (which is not what I want) like this:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
  ... # irrelevant rules omitted
  - apiGroups: ["apps"]
    resources:
      - deployments/scale
    verbs:
      - update
      - patch
$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
deployment.apps/my-deployment-name scaled
What is the correct syntax for specifying a specific deployment resource by name, or is this not possible? The deployments I'm targeting cannot be moved to an isolated namespace.
Upvotes: 0
Views: 3716
Reputation: 15568
Try:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
  - apiGroups: ["apps"]
    resources:
      - deployments/scale
    resourceNames: ["my-deployment-name"] # <-- name of your deployment here
    verbs:
      - update
      - patch
Upvotes: 2
Reputation: 54267
resources isn't what you're looking for, it's resourceNames, which has to be a specific object name like resourceNames: [my-deployment-name]. In general this isn't a very good approach, the expectation is that you will segment things by namespace and give them permissions in just one namespace (or two or three or whatever it is).
Upvotes: 1
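Both answers keep deployments/scale in resources and move the object name into resourceNames. The following added example (not from the question or either answer) models the apiserver's RBAC rule matching offline to show why the path-style entries in the question can never match; the Rule and Request classes and rule_allows are simplified assumptions standing in for the real authorizer, not the Kubernetes API.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:                 # one entry of a (Cluster)Role's rules list
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)

@dataclass
class Request:              # what the apiserver authorizes
    verb: str
    api_group: str
    resource: str           # e.g. "deployments"
    subresource: str = ""   # e.g. "scale"
    name: str = ""          # empty for list/create/watch, where no name is known yet

def _resource_matches(rule_resources, req):
    # RBAC compares against "resource/subresource", never against a URL path
    combined = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    for r in rule_resources:
        if r in ("*", combined):
            return True
        if req.subresource and r == f"*/{req.subresource}":
            return True
    return False

def rule_allows(rule, req):
    """Simplified stand-in (assumption) for the apiserver's RBAC rule evaluation."""
    if "*" not in rule.verbs and req.verb not in rule.verbs:
        return False
    if "*" not in rule.api_groups and req.api_group not in rule.api_groups:
        return False
    if not _resource_matches(rule.resources, req):
        return False
    # resourceNames narrows by object name; an empty list means "any name"
    return not rule.resource_names or req.name in rule.resource_names

# Constructed request: what `kubectl scale` needs on the scale subresource
SCALE = Request("patch", "apps", "deployments", "scale", "my-deployment-name")

# The question's attempt: path-style entries never equal "deployments/scale"
ATTEMPT = Rule(["apps"], ["/namespaces/my-namespace-name/deployments/my-deployment-name/scale",
                         "deployments/my-deployment-name/scale"], ["update", "patch"])
# The answers' fix: subresource in `resources`, object name in `resourceNames`
FIX = Rule(["apps"], ["deployments/scale"], ["update", "patch"], ["my-deployment-name"])
```

Bind the ClusterRole with a RoleBinding in my-namespace-name rather than a ClusterRoleBinding so the grant stays namespace-scoped; resourceNames matches the name only and does not limit which namespace it applies in.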