I'm trying to give a group of users permission to scale a specific set of deployments in kubernetes 1.20
I've tried using the API reference doc here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#patch-scale-deployment-v1-apps to set resource names like so:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
  ... #irrelevant rules omitted
  - apiGroups: ["apps"]
    resources:
      - /namespaces/my-namespace-name/deployments/my-deployment-name/scale
      - deployments/my-deployment-name/scale
    verbs:
      - update
      - patch
This doesn't work:
$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
Error from server (Forbidden): deployments.apps "my-deployment-name" is forbidden: User "kubeoperatorrole" cannot patch resource "deployments/scale" in API group "apps" in the namespace "my-namespace-name"
The only way I can get the scale command to work is to grant the permission for all deployments (which is not what I want) like this:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeoperator-cr
rules:
  ... #irrelevant rules omitted
  - apiGroups: ["apps"]
    resources:
      - deployments/scale
    verbs:
      - update
      - patch
$ kubectl scale deployments -n my-namespace-name my-deployment-name --replicas 3
deployment.apps/my-deployment-name scaled
What is the correct syntax for specifying a specific deployment resource by name, or is this not possible? The deployments I'm targeting cannot be moved to an isolated namespace.
`resources` isn't what you're looking for, it's `resourceNames`, which has to be a specific object name like `resourceNames: [my-deployment-name]`. In general this isn't a very good approach; the expectation is that you will segment things by namespace and give them permissions in just one namespace (or two or three or whatever it is).