{"id":1491,"date":"2021-04-06T11:26:35","date_gmt":"2021-04-06T11:26:35","guid":{"rendered":"https:\/\/blog.samarthya.me\/wps\/?p=1491"},"modified":"2021-04-06T11:26:37","modified_gmt":"2021-04-06T11:26:37","slug":"clusterrole-refresher","status":"publish","type":"post","link":"https:\/\/blog.samarthya.me\/wps\/2021\/04\/06\/clusterrole-refresher\/","title":{"rendered":"ClusterRole: Refresher"},"content":{"rendered":"\n<p>In this blog I will use <code>kubectl<\/code> to create a <code>ClusterRole<\/code> and a <code>ClusterRoleBinding<\/code> (refer to <a href=\"https:\/\/kubernetes.io\/docs\/reference\/access-authn-authz\/rbac\/\">link<\/a>)<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{\n    \"kind\": \"ClusterRole\",\n    \"apiVersion\": \"rbac.authorization.k8s.io\/v1\",\n    \"metadata\": {\n        \"name\": \"myclusterrole\",\n        \"creationTimestamp\": null\n    },\n    \"rules\": &#91;\n        {\n            \"verbs\": &#91;\n                \"get\",\n                \"list\",\n                \"watch\"\n            ],\n            \"apiGroups\": &#91;\n                \"\"\n            ],\n            \"resources\": &#91;\n                \"persistentvolumes\"\n            ]\n        }\n    ]\n}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>k create clusterrole myclusterrole --verb=get,list,watch --resource=persistentvolumes<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>k describe clusterrole myclusterrole<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-pullquote has-background has-light-green-cyan-background-color is-style-solid-color\"><blockquote class=\"has-text-color has-black-color\"><p>You can use a <code>ClusterRole<\/code> to <\/p><p>1. define permissions on <code>namespaced<\/code> resources and be granted within individual namespace(s)<\/p><p>2. define permissions on namespaced resources and be granted across all <code>namespaces<\/code><\/p><p>3. 
define permissions on cluster-scoped resources<\/p><\/blockquote><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>{\n    \"kind\": \"ClusterRoleBinding\",\n    \"apiVersion\": \"rbac.authorization.k8s.io\/v1beta1\",\n    \"metadata\": {\n        \"name\": \"crb-test\",\n        \"creationTimestamp\": null\n    },\n    \"subjects\": &#91;\n        {\n            \"kind\": \"ServiceAccount\",\n            \"name\": \"default\",\n            \"namespace\": \"samarthya\"\n        }\n    ],\n    \"roleRef\": {\n        \"apiGroup\": \"rbac.authorization.k8s.io\",\n        \"kind\": \"ClusterRole\",\n        \"name\": \"myclusterrole\"\n    }\n}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>kubectl create clusterrolebinding crb-test --clusterrole=myclusterrole --serviceaccount=samarthya:default --dry-run -o json<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">--help<\/h2>\n\n\n\n<p>Before you execute the <code>clusterrole<\/code> creation, you can look at the supported options<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>k create clusterrole --help<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Create a ClusterRole.\n\nExamples:\n  # Create a ClusterRole named \"pod-reader\" that allows user to perform \"get\", \"watch\" and \"list\" on pods\n  kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods\n  \n  # Create a ClusterRole named \"pod-reader\" with ResourceName specified\n  kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod\n--resource-name=anotherpod\n  \n  # Create a ClusterRole named \"foo\" with API Group specified\n  kubectl create clusterrole foo --verb=get,list,watch --resource=rs.extensions\n  \n  # Create a ClusterRole named \"foo\" with SubResource specified\n  kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods\/status\n  \n  # Create a ClusterRole name \"foo\" with NonResourceURL specified\n  kubectl create clusterrole \"foo\" 
--verb=get --non-resource-url=\/logs\/*\n  \n  # Create a ClusterRole name \"monitoring\" with AggregationRule specified\n  kubectl create clusterrole monitoring --aggregation-rule=\"rbac.example.com\/aggregate-to-monitoring=true\"\n\nOptions:\n      --aggregation-rule=: An aggregation label selector for combining ClusterRoles.\n      --allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in\nthe template. Only applies to golang and jsonpath output formats.\n      --dry-run=false: If true, only print the object that would be sent, without sending it.\n      --non-resource-url=&#91;]: A partial url that user should have access to.\n  -o, --output='': Output format. One of:\njson|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-file.\n      --resource=&#91;]: Resource that the rule applies to\n      --resource-name=&#91;]: Resource in the white list that the rule applies to, repeat this flag for multiple items\n      --save-config=false: If true, the configuration of current object will be saved in its annotation. Otherwise, the\nannotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.\n      --template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. 
The\ntemplate format is golang templates &#91;http:\/\/golang.org\/pkg\/text\/template\/#pkg-overview].\n      --validate=true: If true, use a schema to validate the input before sending it\n      --verb=&#91;]: Verb that applies to the resources contained in the rule\n\nUsage:\n  kubectl create clusterrole NAME --verb=verb --resource=resource.group &#91;--resource-name=resourcename] &#91;--dry-run]\n&#91;options]\n\nUse \"kubectl options\" for a list of global command-line options (applies to all commands).<\/code><\/pre>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<pre class=\"wp-block-code\"><code><code>kubectl create clusterrolebinding --help<\/code><\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Create a ClusterRoleBinding for a particular ClusterRole.\n\nExamples:\n  # Create a ClusterRoleBinding for user1, user2, and group1 using the cluster-admin ClusterRole\n  kubectl create clusterrolebinding cluster-admin --clusterrole=cluster-admin --user=user1 --user=user2 --group=group1\n\nOptions:\n      --allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in\nthe template. Only applies to golang and jsonpath output formats.\n      --clusterrole='': ClusterRole this ClusterRoleBinding should reference\n      --dry-run='none': Must be \"none\", \"server\", or \"client\". If client strategy, only print the object that would be\nsent, without sending it. If server strategy, submit server-side request without persisting the resource.\n      --field-manager='kubectl-create': Name of the manager used to track field ownership.\n      --group=&#91;]: Groups to bind to the clusterrole\n  -o, --output='': Output format. 
One of:\njson|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.\n      --save-config=false: If true, the configuration of current object will be saved in its annotation. Otherwise, the\nannotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.\n      --serviceaccount=&#91;]: Service accounts to bind to the clusterrole, in the format &lt;namespace>:&lt;name>\n      --template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. The\ntemplate format is golang templates &#91;http:\/\/golang.org\/pkg\/text\/template\/#pkg-overview].\n      --validate=true: If true, use a schema to validate the input before sending it\n\nUsage:\n  kubectl create clusterrolebinding NAME --clusterrole=NAME &#91;--user=username] &#91;--group=groupname]\n&#91;--serviceaccount=namespace:serviceaccountname] &#91;--dry-run=server|client|none] &#91;options]\n\nUse \"kubectl options\" for a list of global command-line options (applies to all commands).<\/code><\/pre>\n<\/div><\/div>\n\n\n\n<p>Do look at the <code>serviceaccount<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>--serviceaccount=&#91;]: Service accounts to bind to the clusterrole, in the format &lt;namespace>:&lt;name><\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>In this blog I will use kubectl to create a ClusterRole and a ClusterRoleBinding (refer to link) You can use a ClusterRole to 1. define permissions on namespaced resources and be granted within individual namespace(s) 2. define permissions on namespaced resources and be granted across all namespaces 3. 
define permissions on cluster-scoped resources &#8211;help Before [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1453,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"image","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[86],"tags":[119],"class_list":["post-1491","post","type-post","status-publish","format-image","has-post-thumbnail","hentry","category-docker","tag-refresher","post_format-post-format-image"],"_links":{"self":[{"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/posts\/1491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/comments?post=1491"}],"version-history":[{"count":0,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/posts\/1491\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/media\/1453"}],"wp:attachment":[{"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/media?parent=1491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/categories?post=1491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.samarthya.me\/wps\/wp-json\/wp\/v2\/tags?post=1491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}