Tags: kubernetes, google-kubernetes-engine, rbac

Is there a kubernetes role definition to allow the command `kubectl rollout restart deploy <deployment>`?
I want a deployment in kubernetes to have the permission to restart itself, from within the cluster.

I know I can create a serviceaccount and bind it to the pod, but I'm missing the name of the most specific permission (i.e. not just allowing '*') to allow for the command

kubectl rollout restart deploy <deployment>

here's what I have, and ??? is what I'm missing

apiVersion: v1
kind: ServiceAccount
metadata:
  name: restart-sa
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: restarter
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["list", "???"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: testrolebinding
  namespace: default
subjects:
  - kind: ServiceAccount
    name: restart-sa
    namespace: default
roleRef:
  kind: Role
  name: restarter
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
  - image: nginx
    name: nginx
  serviceAccountName: restart-sa

Solution

  • I believe the following is the minimum permissions required to restart a deployment:

    rules:
     - apiGroups: ["apps", "extensions"]
       resources: ["deployments"]
       resourceNames: [$DEPLOYMENT]
       verbs: ["get", "patch"]
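To see why `get` and `patch` are the verbs that matter, here is an added illustration (not part of the question or the answer above): a small model of how an RBAC rule matches a request, applied to the answer's rules, plus the strategic-merge patch that `kubectl rollout restart` actually sends. The deployment name `example` stands in for `$DEPLOYMENT`.

```python
import json
from datetime import datetime, timezone

# The answer's rules, with the $DEPLOYMENT placeholder filled in with the
# constructed deployment name "example".
RESTARTER_RULES = [
    {"apiGroups": ["apps", "extensions"],
     "resources": ["deployments"],
     "resourceNames": ["example"],
     "verbs": ["get", "patch"]},
]

def rule_allows(rule, group, resource, name, verb):
    """Model of one RBAC rule: every field must match, '*' matches anything,
    and an empty resourceNames list means 'any name' (as in Kubernetes)."""
    def match(allowed, value):
        return "*" in allowed or value in allowed
    names = rule.get("resourceNames", [])
    return (match(rule["apiGroups"], group)
            and match(rule["resources"], resource)
            and (not names or name in names)
            and match(rule["verbs"], verb))

def role_allows(rules, group, resource, name, verb):
    """A Role grants a request if any of its rules matches it."""
    return any(rule_allows(r, group, resource, name, verb) for r in rules)

def restart_patch(restarted_at=None):
    """The body `kubectl rollout restart` PATCHes onto the deployment: only a
    restartedAt annotation on the pod template, which changes the template
    and therefore triggers a new rollout (no image or replica change)."""
    if restarted_at is None:
        restarted_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {"spec": {"template": {"metadata": {"annotations": {
        "kubectl.kubernetes.io/restartedAt": restarted_at}}}}}

if __name__ == "__main__":
    for verb in ("get", "patch", "delete"):
        print(verb, role_allows(RESTARTER_RULES, "apps", "deployments", "example", verb))
    print(json.dumps(restart_patch()))
```

Note that the scope stays narrow: the rules permit `get`/`patch` on the one named deployment only, and neither `delete` nor any other deployment is covered.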