
I cannot for the life of me find a detailed table of what all the Kubernetes RBAC verbs do. The only resource I see people recommending is this one, which is woefully inadequate.

So I've been working it out by experimentation.

Most are fairly straightforward so far, except for UPDATE. This does not seem to be able to do anything I would expect it to.

Permissions I gave my alias: [GET, UPDATE] on [deployments] in default namespace.

Things I've tried:

  • kubectl set image deployment/hello-node echoserver=digitalocean/flask-helloworld --as user
  • kubectl edit deploy hello-node --as user
  • kubectl apply -f hello-node.yaml --as eks-user

These all failed with the error: deployments.apps "hello-node" is forbidden: User "user" cannot patch resource "deployments" in API group "apps" in the namespace "default"

I then tried some rollout commands like:

  • k rollout undo deploy hello-node --as user

But they failed because I didn't have replica-set access.


TLDR: What is the point of the Kubernetes RBAC update verb?

For that matter, does anyone have a more detailed list of all RBAC verbs?

Hebe Hilhorst

2 Answers


Following up this, I went to the Kubernetes REST API documentation, which has a long list of all the HTTP API calls you can make to the REST server.

I thought this would help because the one (1) table available describing what the different verbs can do did so by comparing them to HTTP verbs. So the plan was:

  1. See what HTTP verb the update permission is equated to.
  2. Go to the reference and find an example of using that HTTP verb on a deployment.
  3. Test the kubectl equivalent.

So.

What HTTP verb equals the update permission?

PUT.

Example of using PUT for deployments?

Replace Scale: replace scale of the specified Deployment

HTTP Request PUT /apis/apps/v1/namespaces/{namespace}/deployments/{name}/scale

What's the equivalent kubectl command?

Well we're scaling a deployment, so I'm going to say:

kubectl scale deployment hello-node --replicas=2

Can I run this command?

I extended my permissions to deployment/scale first, and then ran it.

Error from server (Forbidden): deployments.apps "hello-node" is forbidden: User "user" cannot patch resource "deployments/scale" in API group "apps" in the namespace "default"

Well. That also needs patch permissions, it would appear.

Despite the fact that the HTTP verb used is PUT according to the API docs, and PUT is equivalent to update according to the one (1) source of any information on these RBAC verbs.

Anyway.

My Conclusion: It appears that update is indeed pretty useless, at least for Deployments.

The RBAC setup seemed promising at first, but honestly it's starting to lose its lustre as I discover more and more edge cases and undocumented mysteries. Access permissions seem like the absolute worst thing to be vague about, or your security ends up being more through obscurity than certainty.

Hebe Hilhorst
  • Just a thought: it appears the `scale` operation changes just one attribute of a `Deployment` (# of replicas) rather than replacing the entire object (all attributes). So, to my mind, that looks more like a `PATCH` than a `PUT`. So, in this specific instance, Kubernetes seems to be doing the logical thing. In general, I find working with Kubernetes to be wildly over-complex and not nearly as stable as I would like. With a lot of trial and error, you can _usually_ stabilize your app. But it always takes a lot of time and effort. So I am sympathetic with your conclusions. – Charlie Reitzel Sep 02 '21 at 13:45
  • Thanks for the authorization link. The `kubectl auth can-i` command looks useful for verifying your `ClusterRole` and `ClusterRoleBinding` definitions. – Charlie Reitzel Sep 02 '21 at 13:47
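To make the HTTP-method-to-RBAC-verb mapping concrete, here is an added Python model (not code from the question or the answers) of how the API server turns a request into a verb and matches it against Role rules. The table of what each kubectl command sends is constructed from known client behaviour: edit, apply, set image and scale all send PATCH, while kubectl replace sends PUT, which is the common command that actually needs the update verb.

```python
"""Simplified model of how the Kubernetes API server turns an HTTP request into an
RBAC verb and matches it against Role rules (resourceNames, namespaces and
nonResourceURLs omitted). Shows why get+update rejects every PATCH-based command."""
from dataclasses import dataclass
# HTTP method -> RBAC verb as resolved by the API server; GET on a collection
# becomes "list" and on a single named object "get".
HTTP_TO_VERB = {"POST": "create", "PUT": "update", "PATCH": "patch", "DELETE": "delete"}
@dataclass
class Rule:
    api_groups: list
    resources: list  # may name subresources, e.g. "deployments/scale"
    verbs: list

def verb_for(method, named):
    return ("get" if named else "list") if method == "GET" else HTTP_TO_VERB[method]

def allowed(rules, verb, group, resource, subresource=""):
    """True if any rule grants `verb` on group/resource[/subresource] ("*" is a wildcard)."""
    target = f"{resource}/{subresource}" if subresource else resource
    return any(
        ("*" in r.api_groups or group in r.api_groups)
        and ("*" in r.verbs or verb in r.verbs)
        and ("*" in r.resources or target in r.resources)
        for r in rules
    )

# What each kubectl command sends for an existing object (constructed table;
# the scale entry matches the "cannot patch deployments/scale" error above).
KUBECTL = {
    "kubectl get deploy hello-node":                ("GET",   "deployments", ""),
    "kubectl edit deploy hello-node":               ("PATCH", "deployments", ""),
    "kubectl apply -f hello-node.yaml":             ("PATCH", "deployments", ""),
    "kubectl set image deploy/hello-node ...":      ("PATCH", "deployments", ""),
    "kubectl scale deploy hello-node --replicas=2": ("PATCH", "deployments", "scale"),
    "kubectl replace -f hello-node.yaml":           ("PUT",   "deployments", ""),
}

def check(rules, command):
    method, resource, sub = KUBECTL[command]
    return allowed(rules, verb_for(method, named=True), "apps", resource, sub)

# The Role from the question: get + update on deployments.
QUESTION_ROLE = [Rule(["apps"], ["deployments"], ["get", "update"])]
# The answer's extension: the same verbs on the scale subresource (still no patch).
EXTENDED_ROLE = QUESTION_ROLE + [Rule(["apps"], ["deployments/scale"], ["get", "update"])]

if __name__ == "__main__":
    for cmd in KUBECTL:
        print(f"{cmd:48} {'allowed' if check(QUESTION_ROLE, cmd) else 'forbidden'}")
```

Running it lists every PATCH-based command as forbidden under the question's Role and only `kubectl get` and `kubectl replace` as allowed, which is what `kubectl auth can-i patch deployments --as user` would also report on a real cluster.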

You can get a dump of the "allowed/supported" verbs using the krew plugin rbac-tool:

```shell
# Generate a ClusterRole with all the available permissions for core and apps api groups
$ kubectl rbac-tool show  --for-groups=,apps
```

While it won't tell you exactly the semantics of each verb, it will give you a sense of the RBAC permissions universe your cluster has.

kruzer