In Spring Cloud Kubernetes 3.1.1, why should the namespace-reader role grant permissions to nonexistent resources inside the APIGroup?


Spring Cloud Kubernetes 3.1.1 has this example for creating the namespace-reader role:

  apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    namespace: default
    name: namespace-reader
  rules:
    - apiGroups: ["", "extensions", "apps"]
      resources: ["configmaps", "pods", "services", "endpoints", "secrets"]
      verbs: ["get", "list", "watch"]

However, the “extensions” and “apps” API groups don’t contain any of these resources (configmaps, pods, services, endpoints, secrets).

Back to my question, I want to understand the reasoning behind this role granting permissions to nonexistent resources in extensions and apps. What comes to my mind is backward compatibility, maybe?

In my current scenario, if I deploy my app in a Rancher cluster with a cluster-admin role account, I am able to deploy the role, but not with a less privileged account like “Project Owner”. So basically I get this error:

Error: UPGRADE FAILED: failed to create resource: roles.rbac.authorization.k8s.io "configuration-watcher" is forbidden: user "xxxxxxx" (groups=["oidc_group://users" "system:authenticated" "system:cattle:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:["apps"], Resources:["configmaps"], Verbs:["get" "list"]}
{APIGroups:["apps"], Resources:["pods"], Verbs:["get" "list"]}
{APIGroups:["apps"], Resources:["secrets"], Verbs:["get" "list"]}
{APIGroups:["extensions"], Resources:["configmaps"], Verbs:["get" "list"]}
{APIGroups:["extensions"], Resources:["pods"], Verbs:["get" "list"]}
{APIGroups:["extensions"], Resources:["secrets"], Verbs:["get" "list"]}

I want to remove “extensions” and “apps” from the APIGroups in this role, but I am not sure whether this could impact anything else inside Spring Cloud Kubernetes.

Tried:

  1. The deployment works after removing “extensions” and “apps” from apiGroups

Expecting:

  1. Confirm that my changes/removal will not break anything Spring Cloud Kubernetes-related.
  2. Understand if this is needed and if I need to grant more permissions on top of Project Owner permissions.

Versions:
Rancher 2.7.7
RKE2: v1.26.10+rke2r2
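The error in the question comes from the API server's RBAC escalation-prevention check: before it lets a user create a Role, it expands every rule into (apiGroup, resource, verb) tuples and refuses unless the user already holds each one (or holds the "escalate" verb on roles). The check is purely literal; it never asks discovery whether "configmaps" actually exists in the "apps" group, which is why the error lists tuples for resources that do not exist. The following is an added example that models this check in Python; it is not code from Spring Cloud Kubernetes, Kubernetes or the asker. The namespace-reader rules are transcribed from the question; the `HELD_RULES` set is a constructed stand-in for a namespace-scoped deployer account and is an assumption, not Rancher's real "Project Owner" role.

```python
from itertools import product

# Rules transcribed from the namespace-reader Role quoted in the question.
NAMESPACE_READER_RULES = [
    {
        "apiGroups": ["", "extensions", "apps"],
        "resources": ["configmaps", "pods", "services", "endpoints", "secrets"],
        "verbs": ["get", "list", "watch"],
    }
]

# The same Role with "extensions" and "apps" dropped, the change the question proposes.
TRIMMED_RULES = [
    {
        "apiGroups": [""],
        "resources": ["configmaps", "pods", "services", "endpoints", "secrets"],
        "verbs": ["get", "list", "watch"],
    }
]

# Constructed stand-in for a namespace-scoped deployer account: full access to the
# five core-group resources and to workloads in "apps", nothing in "extensions".
# This is an assumption for the example, not Rancher's actual "Project Owner" role.
HELD_RULES = [
    {
        "apiGroups": [""],
        "resources": ["configmaps", "pods", "services", "endpoints", "secrets"],
        "verbs": ["*"],
    },
    {
        "apiGroups": ["apps"],
        "resources": ["deployments", "replicasets", "statefulsets", "daemonsets"],
        "verbs": ["*"],
    },
]


def expand(rules):
    """Flatten PolicyRules into the set of (apiGroup, resource, verb) triples they grant."""
    triples = set()
    for rule in rules:
        for group, resource, verb in product(rule["apiGroups"], rule["resources"], rule["verbs"]):
            triples.add((group, resource, verb))
    return triples


def _rule_covers(rule, group, resource, verb):
    """True if a held rule covers the triple; each field matches literally or via the '*' wildcard."""
    def allows(allowed, value):
        return "*" in allowed or value in allowed
    return allows(rule["apiGroups"], group) and allows(rule["resources"], resource) and allows(rule["verbs"], verb)


def missing_grants(role_rules, held_rules):
    """Triples the Role would grant that the requester does not already hold (sorted for stable output).

    As in the API server, tuples are compared literally: ("apps", "configmaps", "get") is a
    separate permission from ("", "configmaps", "get"), so it is reported as missing even
    though no configmaps resource exists under the apps group.
    """
    return sorted(t for t in expand(role_rules) if not any(_rule_covers(h, *t) for h in held_rules))


def can_create_role(role_rules, held_rules):
    """Outcome of the escalation-prevention check for creating the Role.

    The check passes when every granted triple is already held, or when the requester holds
    the "escalate" verb on roles in rbac.authorization.k8s.io, the documented escape hatch.
    """
    if any(_rule_covers(h, "rbac.authorization.k8s.io", "roles", "escalate") for h in held_rules):
        return True
    return not missing_grants(role_rules, held_rules)


def format_missing(missing):
    """Render missing triples in the shape of the API server's error, one line per (group, resource)."""
    by_pair = {}
    for group, resource, verb in missing:
        by_pair.setdefault((group, resource), []).append(verb)
    return [
        '{APIGroups:["%s"], Resources:["%s"], Verbs:[%s]}'
        % (group, resource, " ".join('"%s"' % v for v in sorted(verbs)))
        for (group, resource), verbs in sorted(by_pair.items())
    ]


if __name__ == "__main__":
    denied = missing_grants(NAMESPACE_READER_RULES, HELD_RULES)
    print("namespace-reader as shipped: %d grants not held" % len(denied))
    for line in format_missing(denied):
        print("  " + line)
    print("trimmed role creatable:", can_create_role(TRIMMED_RULES, HELD_RULES))
```

Run against the constructed `HELD_RULES`, the shipped role fails with 30 unheld tuples (2 extra groups, 5 resources, 3 verbs) while the trimmed role is creatable, which matches what the question observed after removing the two groups. To run the same check against a live cluster with the deploying account, `kubectl auth can-i list configmaps.apps -n default` (resource.group syntax) answers for one tuple at a time; a "no" for a tuple the Role grants predicts exactly this error.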
