
minimum required RBAC permissions

Open dzirg44 opened this issue 5 years ago • 1 comments

Proposal: [Maybe it should be in the documentation]

Could somebody share all the permissions to use with a ServiceAccount role? Or maybe this application needs some additional checks? I've tried with (sorry for the mess):

- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["list", "get", "update", "delete"]
- apiGroups: ["networking.k8s.io"]
  resources: ["networkpolicies"]
  verbs: ["list"]
- apiGroups: ["*"]
  resources: ["configmaps"]
  verbs: ["list"]
- apiGroups: ["apps"]
  resources: ["statefulsets"]
  verbs: ["list"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["list"]
- apiGroups: ["policy"]
  resources: ["poddisruptionbudgets"]
  verbs: ["list"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list", "get"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["list", "delete", "update"]
- apiGroups: [""]
  resources: ["resourcequotas"]
  verbs: ["list", "update"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["list"]
- apiGroups: ["extensions"]
  resources: ["daemonsets"]
  verbs: ["list"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["list","delete"]
- apiGroups: ["batch"]
  resources: ["jobs","cronjobs"]
  verbs: ["list"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: ["extensions"]
  resources: ["deployments", "deployments/rollback"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]

But it seems that it doesn't work; I received the error [ERROR] Deployment/my-frontend rollout timed out after 438.0s. When I try with admin permission, all is fine.

dzirg44 avatar Jul 25 '19 09:07 dzirg44

Hi @dzirg44,

Adding a list of RBAC permissions to the README sounds like a good idea. It might be tricky since kubernetes-deploy will create anything you ask it to, but at least having the needed permissions for the resources we explicitly support would be good.

I suspect you're missing permissions on replicasets in this case.

dturn avatar Jul 25 '19 21:07 dturn
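
A rule set like the one posted above can be checked offline for gaps such as the replicasets one suggested in the reply. The following is an added example, not code from krane or from either commenter: it applies Kubernetes RBAC rule matching (apiGroup, resource and verb, with `*` wildcards) to a subset of the posted rules. The `NEEDED` checklist and all function names are assumptions constructed for illustration, not krane's documented requirements.

```python
# Added example: offline check of Role rules using Kubernetes RBAC matching.
# A rule allows a request when its apiGroups, resources and verbs all match.

# Subset of the rules posted in the issue, transcribed as Python dicts.
ALL_VERBS = ["create", "delete", "get", "list", "patch", "update", "watch"]
RULES = [
    {"apiGroups": ["*"], "resources": ["configmaps"], "verbs": ["list"]},
    {"apiGroups": ["apps"], "resources": ["statefulsets"], "verbs": ["list"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ALL_VERBS},
    {"apiGroups": ["extensions"],
     "resources": ["deployments", "deployments/rollback"], "verbs": ALL_VERBS},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
]

def _in(allowed, wanted):
    """Exact match, or the "*" wildcard."""
    return "*" in allowed or wanted in allowed

def resource_matches(allowed, resource):
    """Exact match, "*", or "*/<subresource>"; "pods" does not imply "pods/log"."""
    if _in(allowed, resource):
        return True
    if "/" in resource:
        return "*/" + resource.split("/", 1)[1] in allowed
    return False

def is_allowed(rules, group, resource, verb):
    return any(
        _in(r["apiGroups"], group)
        and resource_matches(r["resources"], resource)
        and _in(r["verbs"], verb)
        for r in rules
    )

def missing(rules, needed):
    """Return the (group, resource, verb) requests that no rule grants."""
    return [n for n in needed if not is_allowed(rules, *n)]

# Constructed checklist (an assumption, not krane's documented requirements).
NEEDED = [
    ("", "pods", "list"), ("", "pods/log", "get"),
    ("extensions", "deployments", "get"), ("apps", "deployments", "get"),
    ("apps", "replicasets", "list"), ("extensions", "replicasets", "list"),
]

if __name__ == "__main__":
    for group, resource, verb in missing(RULES, NEEDED):
        print(f"not granted: {verb} {resource} in apiGroup {group!r}")
```

On a live cluster, `kubectl auth can-i list replicasets.apps --as=system:serviceaccount:<namespace>:<name>` answers the same question for a single request.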