
Where can I get a list of Kubernetes API resources and subresources?


Using kubectl api-resources -o wide shows all the resources, verbs and associated API group.

$ kubectl api-resources -o wide
NAME                              SHORTNAMES     APIGROUP                       NAMESPACED   KIND                             VERBS
bindings                                                                        true         Binding                          [create]
componentstatuses                 cs                                            false        ComponentStatus                  [get list]
configmaps                        cm                                            true         ConfigMap                        [create delete deletecollection get list patch update watch]
endpoints                         ep                                            true         Endpoints                        [create delete deletecollection get list patch update watch]
events                            ev                                            true         Event                            [create delete deletecollection get list patch update watch]
limitranges                       limits                                        true         LimitRange                       [create delete deletecollection get list patch update watch]
namespaces                        ns                                            false        Namespace                        [create delete get list patch update watch]
nodes                             no                                            false        Node                             [create delete deletecollection get list patch update watch]
persistentvolumeclaims            pvc                                           true         PersistentVolumeClaim            [create delete deletecollection get list patch update watch]
persistentvolumes                 pv                                            false        PersistentVolume                 [create delete deletecollection get list patch update watch]
pods                              po                                            true         Pod                              [create delete deletecollection get list patch update watch]
statefulsets                      sts            apps                           true         StatefulSet                      [create delete deletecollection get list patch update watch]
meshpolicies                                     authentication.istio.io        false        MeshPolicy                       [delete deletecollection get list patch create update watch]
policies                                         authentication.istio.io        true         Policy                           [delete deletecollection get list patch create update watch]
......

I guess you can use this to create the list of resources needed in your RBAC config.


The resources, sub-resources and verbs that you need to define RBAC roles are not documented anywhere in a static list. They are available in the discovery documentation, i.e. via the API, e.g. /api/apps/v1.

The following bash script will list all the resources, sub-resources and verbs in the following format:

api_version resource: [verb]

where api-version is core for the core resources and should be replaced by "" (an empty quoted string) in your role definition.

For example, core pods/status: get patch update.

The script requires jq.

#!/bin/bash
SERVER="localhost:8080"
# names of all non-core API groups, space separated
APIS=$(curl -s "$SERVER/apis" | jq -r '[.groups | .[].name] | join(" ")')
# do core resources first, which are at a separate api location
api="core"
curl -s "$SERVER/api/v1" | jq -r --arg api "$api" '.resources | .[] | "\($api) \(.name): \(.verbs | join(" "))"'
# now do non-core resources
for api in $APIS; do
    # each group advertises a preferred version; list that version's resources
    version=$(curl -s "$SERVER/apis/$api" | jq -r '.preferredVersion.version')
    curl -s "$SERVER/apis/$api/$version" | jq -r --arg api "$api" '.resources | .[]? | "\($api) \(.name): \(.verbs | join(" "))"'
done

WARNING: Note that where no verbs are listed via the api, the output will just show the api version and the resource, e.g.

core pods/exec:

In the specific instance of the following resources, no verbs are shown via the api, which is wrong (Kubernetes bug #65421, fixed by #65518):

nodes/proxy
pods/attach
pods/exec
pods/portforward
pods/proxy
services/proxy

The supported verbs for these resources are as follows:

nodes/proxy: create delete get patch update
pods/attach: create get
pods/exec: create get
pods/portforward: create get
pods/proxy: create delete get patch update
services/proxy: create delete get patch update

WARNING 2: Sometimes Kubernetes checks for additional permissions using specialised verbs that are not listed here. For example, the bind verb is needed for roles and clusterroles resources in the rbac.authorization.k8s.io API group. Details of these specialised verbs are to be found in the docs here.
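The following is an added example, not part of the answer above: it reads one discovery document, fills in the verbs listed above for the sub-resources affected by bug #65421, and turns a requested set of verbs into least-privilege RBAC rules, rejecting verbs the resource does not support. The names `resource_verbs`, `role_rules` and `SAMPLE_CORE_V1` are hypothetical, and the sample document is constructed.

```python
import json

# Verbs the answer above lists for sub-resources whose discovery
# entry is empty (Kubernetes bug #65421).
FALLBACK_VERBS = {
    "nodes/proxy": ["create", "delete", "get", "patch", "update"],
    "pods/attach": ["create", "get"],
    "pods/exec": ["create", "get"],
    "pods/portforward": ["create", "get"],
    "pods/proxy": ["create", "delete", "get", "patch", "update"],
    "services/proxy": ["create", "delete", "get", "patch", "update"],
}

# Constructed sample: a trimmed discovery document in the shape served at /api/v1.
SAMPLE_CORE_V1 = json.dumps({"groupVersion": "v1", "resources": [
    {"name": "pods", "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"name": "pods/exec", "verbs": []},
    {"name": "pods/status", "verbs": ["get", "patch", "update"]},
]})


def resource_verbs(discovery_json):
    """Return (rbac_api_group, {resource: verbs}) for one discovery document."""
    doc = json.loads(discovery_json)
    # "v1" is the core group, written "" in a role; "apps/v1" is group "apps".
    group = doc["groupVersion"].rpartition("/")[0]
    verbs = {}
    for res in doc.get("resources", []):
        # Use the fallback table only when the API lists no verbs at all.
        listed = res.get("verbs") or FALLBACK_VERBS.get(res["name"], [])
        verbs[res["name"]] = list(listed)
    return group, verbs


def role_rules(discovery_json, wanted):
    """Build one RBAC rule per resource in `wanted` ({resource: [verbs]})."""
    group, supported = resource_verbs(discovery_json)
    rules = []
    for resource, asked in sorted(wanted.items()):
        # Specialised verbs such as bind are not in discovery, so they are
        # flagged here and need a manual decision.
        unsupported = sorted(set(asked) - set(supported.get(resource, [])))
        if unsupported:
            raise ValueError(f"{resource}: verbs not in discovery: {unsupported}")
        rules.append({"apiGroups": [group], "resources": [resource], "verbs": sorted(asked)})
    return rules
```

The returned dictionaries have the same keys as the `rules` entries of a Role or ClusterRole, so they can be serialised straight into a manifest.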


for kind in $(kubectl api-resources | tail -n +2 | awk '{ print $1 }' | sort); do kubectl explain "$kind" ; done | grep -e "KIND:" -e "VERSION:" | awk '{print $2}' | paste -sd' \n'