List of Kubernetes RBAC rule verbs
Here is the list of RBAC verbs:
For scaling, I think you'll need write permissions (create, update and patch) along with read permissions (get, list and watch).
The best way is
kubectl api-resources --sort-by name -o wide
The above api-resources command is explicit and easy to grep. The complete list of possible verbs can be obtained thus:
$ kubectl api-resources --no-headers --sort-by name -o wide | sed 's/.*\[//g' | tr -d "]" | tr " " "\n" | sort | uniq
create
delete
deletecollection
get
list
patch
update
watch
The Resource Operations section of API reference docs (e.g. https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/) talks a little bit about them but doesn't mention deletecollection (btw: see interesting info about deletecollection; suggests that whenever you give delete, you should give deletecollection permission too, if the resource supports it).
The Determine the Request Verb section of Authorization Overview does briefly mention deletecollection, as well as half a dozen more verbs (such as escalate, as pointed out rightfully by @RoryMcCune) which, unfortunately, do not show up in the output of the kubectl api-resources -o wide command.
BTW the api-resources command also lists the short names of commands, such as svc for services.
A list of verbs can be found here https://kubernetes.io/docs/reference/access-authn-authz/authorization/#review-your-request-attributes
and a brief description can be found here https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb
I have a role that I use for updating the docker image tag for deployments which looks like this (I don't use mine to create the deployment, just to patch the image tag)
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: deployer
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "patch"]
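An added example, not taken from any of the answers above: a shell check that compares the verbs in an RBAC rule with what kubectl api-resources -o wide reports for that resource, so that verbs discovery does not list (escalate, or a typo) stand out for review. The SAMPLE text is constructed and assumes the bracketed VERBS format that the sed pipeline above parses; the function names verbs_for and check_rule are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `kubectl api-resources --no-headers -o wide` output,
# in the bracketed VERBS format the pipeline above assumes (not real cluster data).
SAMPLE='deployments   deploy   apps/v1   true    Deployment   [create delete deletecollection get list patch update watch]
bindings               v1        true    Binding      [create]
clusterroles           rbac.authorization.k8s.io/v1   false   ClusterRole   [create delete deletecollection get list patch update watch]'

# Print the verbs discovery reports for one resource, one per line.
# $1 = resource name; discovery text is read from stdin.
verbs_for() {
  awk -v res="$1" '$1 == res {
    sub(/^[^[]*\[/, ""); sub(/\].*$/, "")   # keep only the text inside the brackets
    n = split($0, v, " ")
    for (i = 1; i <= n; i++) print v[i]
  }'
}

# Classify each verb of an RBAC rule against discovery.
# $1 = discovery text, $2 = resource, remaining args = verbs from the rule.
# Output: "<verb> supported" or "<verb> not-in-discovery", one per line.
check_rule() {
  discovery=$1; resource=$2; shift 2
  supported=$(printf '%s\n' "$discovery" | verbs_for "$resource")
  for verb in "$@"; do
    # -F: match the verb literally, so a wildcard "*" is not read as a regex
    if printf '%s\n' "$supported" | grep -qxF -- "$verb"; then
      echo "$verb supported"
    else
      echo "$verb not-in-discovery"
    fi
  done
}

# The deployer rule from the answer above: both verbs are listed for deployments.
check_rule "$SAMPLE" deployments get patch
# escalate is a valid RBAC verb but is absent from discovery, so it is flagged.
check_rule "$SAMPLE" clusterroles get escalate
```

Against a live cluster, pass "$(kubectl api-resources --no-headers -o wide)" as the first argument instead of SAMPLE, provided your kubectl prints verbs in the same bracketed form.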