Spring Cloud Kubernetes 3.11 has this example for creating the namespace-reader role:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: namespace-reader
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["configmaps", "pods", "services", "endpoints", "secrets"]
    verbs: ["get", "list", "watch"]
```
However, the “extensions” and “apps” API groups don’t have any of these resources (configmaps, pods, services, endpoints, secrets).
Back to my question, I want to understand the reasoning behind this role granting permissions to nonexistent resources in extensions and apps. What comes to my mind is backward compatibility, maybe?
In my current scenario, if I deploy my app in a Rancher cluster with a cluster-admin role account, I will be able to deploy the role, but not with a less privileged account like “Project Owner”. So basically I get this error:
```text
Error: UPGRADE FAILED: failed to create resource: roles.rbac.authorization.k8s.io "configuration-watcher" is forbidden: user "xxxxxxx" (groups=["oidc_group://users" "system:authenticated" "system:cattle:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:["apps"], Resources:["configmaps"], Verbs:["get" "list"]}
{APIGroups:["apps"], Resources:["pods"], Verbs:["get" "list"]}
{APIGroups:["apps"], Resources:["secrets"], Verbs:["get" "list"]}
{APIGroups:["extensions"], Resources:["configmaps"], Verbs:["get" "list"]}
{APIGroups:["extensions"], Resources:["pods"], Verbs:["get" "list"]}
{APIGroups:["extensions"], Resources:["secrets"], Verbs:["get" "list"]}
```
I want to remove “extensions” and “apps” from the apiGroups in this role, but I’m not sure whether this could impact anything else inside Spring Cloud Kubernetes.
Tried:
- The deployment works after removing “extensions” and “apps” from apiGroups
Expecting:
- Confirm that my changes/removal will not break anything Spring Cloud Kubernetes-related.
- Understand if this is needed and if I need to grant more permissions on top of Project Owner permissions.
Versions:
Rancher 2.7.7
RKE2: v1.26.10+rke2r2
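As an added example (not code from the question or from Spring Cloud Kubernetes), a small Python checker that expands a rule the way RBAC does, into every apiGroup × resource pair, and flags the pairs that no API group serves; `SERVED_BY` is a constructed, partial map standing in for what `kubectl api-resources` reports on a real cluster.

```python
# Added example: expand an RBAC rule into apiGroup x resource pairs and flag
# the pairs no API group serves. Not from the question or Spring Cloud Kubernetes.

# Constructed, deliberately partial map of resource -> API groups serving it.
# The core group is "". On a real cluster, `kubectl api-resources` lists this.
SERVED_BY = {
    "configmaps": {""},
    "pods": {""},
    "services": {""},
    "endpoints": {""},
    "secrets": {""},
    "deployments": {"apps"},
    "ingresses": {"networking.k8s.io"},
}

# The rule from the namespace-reader Role above, as a plain dict (no PyYAML).
NAMESPACE_READER_RULE = {
    "apiGroups": ["", "extensions", "apps"],
    "resources": ["configmaps", "pods", "services", "endpoints", "secrets"],
    "verbs": ["get", "list", "watch"],
}


def phantom_pairs(rule, served_by=SERVED_BY):
    """Return (apiGroup, resource) pairs the rule grants but no group serves.

    RBAC treats a rule as the cartesian product of its apiGroups and
    resources, which is why the escalation-prevention error lists one line
    per pair: three groups make the rule grant three times as many pairs.
    """
    return sorted(
        (group, resource)
        for group in rule["apiGroups"]
        for resource in rule["resources"]
        if group not in served_by.get(resource, set())
    )


def minimal_rule(rule, served_by=SERVED_BY):
    """Keep only the apiGroups that actually serve at least one listed resource."""
    groups = [
        g for g in rule["apiGroups"]
        if any(g in served_by.get(r, set()) for r in rule["resources"])
    ]
    return {**rule, "apiGroups": groups}
```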