get vs. list in Kubernetes RBAC


What is the difference between the get and list RBAC verbs?

All I could find in the documentation is this: "get (for individual resources), list (for collections, including full object content)", which I find severely lacking. Is list a superset of get, meaning if you have list permissions can you fetch all the information from get and more? While we're at it, what about watch? Does it only give permissions to read the change stream but not full object?


Solution

  • In practice, you can get all of the information you'd normally get out of get calls through list calls. However, having permission to list a resource doesn't mean get calls will work. You still have to use list calls and extract the information that way.

    watch is a special verb that gives you permission to see updates on resources in real time. Having watch access without list or get is not very helpful because you won't be able to view the resource after it updates. Through kubectl, I was unable to watch a resource without having the get access to that resource.

    To play around with these roles, I'd recommend messing around with roles in a Kubernetes cluster on Katacoda.

    Initial setup to make roles and grant them to (fake) users:

    # One role per verb, so each test user holds exactly one permission
    kubectl create role deployment-getter --verb=get --resource=deployment
    kubectl create role deployment-lister --verb=list --resource=deployment
    kubectl create role deployment-watcher --verb=watch --resource=deployment
    
    # Bind each role to a distinct (fake) user; the user name is what --as impersonates below
    kubectl create rolebinding only-get --role=deployment-getter --user=only-get
    kubectl create rolebinding only-list --role=deployment-lister --user=only-list
    kubectl create rolebinding only-watch --role=deployment-watcher --user=only-watch
    
    # Make a deployment to look at (on current kubectl, `kubectl run` creates a bare pod, not a deployment)
    kubectl create deployment nginx --image=nginx
    

    Then you can run kubectl commands as one of the special users to see what limited RBAC permissions look like.

    For example, the following commands show that we can only list resources with the list verb.

    kubectl get deployment --as only-list # Prints out nginx deployment
    kubectl get deployment --as only-get # RBAC error
    kubectl get deployment --as only-watch # RBAC error
    

    And this example shows that we can only get resources with the get verb (but you can get similar information by listing resources too).

    kubectl get deployment nginx --as only-get -o yaml
    # apiVersion: extensions/v1beta1
    # kind: Deployment
    # ...
    kubectl get deployment nginx --as only-list -o yaml # RBAC error
    kubectl get deployment --as only-list -o yaml
    # apiVersion: v1
    # kind: List
    # items:
    # - apiVersion: extensions/v1beta1
    #   kind: Deployment
    #   ...
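The verb checks the answer walks through with kubectl can also be reasoned about offline. What follows is an added example, not code from the original answer or from the Kubernetes API server: a simplified Python model of RBAC PolicyRule matching. It reproduces why only-list cannot get and only-get cannot list, and goes one step further to show the resourceNames caveat from the Kubernetes docs: a rule restricted by resourceNames grants get on the named object, while list or watch is only authorized when the request carries a matching metadata.name field selector. Role names, rules and requests here are constructed; subresources, nonResourceURLs and aggregated ClusterRoles are left out.

```python
from dataclasses import dataclass, field

# Simplified model of a Kubernetes RBAC PolicyRule (constructed example, not the real authorizer).
@dataclass
class PolicyRule:
    verbs: list
    resources: list
    api_groups: list = field(default_factory=lambda: [""])  # "" is the core group
    resource_names: list = field(default_factory=list)      # empty means "any name"

# The attributes the API server authorizes: a single-object request carries a name,
# a list/watch request carries a name only if it uses a metadata.name field selector.
@dataclass
class Request:
    verb: str
    resource: str
    api_group: str = ""
    name: str = ""

def _match(allowed, value):
    # "*" is the RBAC wildcard for verbs, apiGroups and resources
    return "*" in allowed or value in allowed

def rule_allows(rule, req):
    # Every dimension of the rule must match; no verb implies any other verb,
    # which is why holding "list" never satisfies a "get" request and vice versa.
    if not _match(rule.verbs, req.verb):
        return False
    if not _match(rule.api_groups, req.api_group):
        return False
    if not _match(rule.resources, req.resource):
        return False
    # A resourceNames-restricted rule only matches requests that name one of those objects.
    if rule.resource_names and req.name not in rule.resource_names:
        return False
    return True

def allowed(rules, req):
    # RBAC is purely additive: any matching rule in any bound role grants the request.
    return any(rule_allows(r, req) for r in rules)

# Roles mirroring the answer's setup (deployments live in the "apps" API group today).
DEPLOYMENT_GETTER = [PolicyRule(["get"], ["deployments"], ["apps"])]
DEPLOYMENT_LISTER = [PolicyRule(["list"], ["deployments"], ["apps"])]
DEPLOYMENT_WATCHER = [PolicyRule(["watch"], ["deployments"], ["apps"])]
# Hypothetical role restricted to one deployment by resourceNames.
NGINX_ONLY = [PolicyRule(["get", "list"], ["deployments"], ["apps"], ["nginx"])]

def can(rules, verb, name=""):
    """Evaluate a request against a deployment in the apps group; name is "" for plain list/watch."""
    return allowed(rules, Request(verb, "deployments", "apps", name))
```

Running `can(NGINX_ONLY, "list")` returns False but `can(NGINX_ONLY, "list", "nginx")` returns True, matching the documented requirement to pass `--field-selector=metadata.name=nginx` when list is restricted by resourceNames.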