
Are Role/ClusterRole .rules.resources plural?

Published 2024/01/21

Introduction

It occurred to me that I had never asked why the resource is written as pods rather than pod, so I looked into it.

rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]

https://kubernetes.io/ja/docs/reference/access-authn-authz/rbac/

Conclusion

It is not so much that the plural form is mandatory as that the API itself is defined that way: the name the API server publishes for each resource in its discovery document is the plural, and RBAC matches against that name.
The name field in the output below is what resources refers to.

kubectl get --raw /api/v1 | jq '.resources[]'
{
  "name": "bindings",
  "singularName": "binding",
  "namespaced": true,
  "kind": "Binding",
  "verbs": [
    "create"
  ]
}
{
  "name": "componentstatuses",
  "singularName": "componentstatus",
  "namespaced": false,
  "kind": "ComponentStatus",
  "verbs": [
    "get",
    "list"
  ],
  "shortNames": [
    "cs"
  ]
}
{
  "name": "configmaps",
  "singularName": "configmap",
  "namespaced": true,
  "kind": "ConfigMap",
  "verbs": [
    "create",
    "delete",
    "deletecollection",
    "get",
    "list",
    "patch",
    "update",
    "watch"
  ],
  "shortNames": [
    "cm"
  ],
  "storageVersionHash": "qFsyl6wFWjQ="
}
{
  "name": "endpoints",
  "singularName": "endpoints",
  "namespaced": true,
  "kind": "Endpoints",
  "verbs": [
    "create",
    "delete",
    "deletecollection",
    "get",
    "list",
    "patch",
    "update",
    "watch"
  ],
  "shortNames": [
    "ep"
  ],
  "storageVersionHash": "fWeeMqaN/OA="
}
{
  "name": "events",
  "singularName": "event",
  "namespaced": true,
  "kind": "Event",
  "verbs": [
    "create",
    "delete",
    "deletecollection",
    "get",
    "list",
    "patch",
    "update",
    "watch"
  ],
  "shortNames": [
    "ev"
  ],
  "storageVersionHash": "r2yiGXH7wu8="
}
{
  "name": "limitranges",
  "singularName": "limitrange",
  "namespaced": true,
  "kind": "LimitRange",
  "verbs": [
    "create",
    "delete",
    "deletecollection",
    "get",
    "list",
    "patch",
    "update",
    "watch"
  ],
  "shortNames": [
    "limits"
  ],
  "storageVersionHash": "EBKMFVe6cwo="
}
{
  "name": "namespaces",
  "singularName": "namespace",
  "namespaced": false,
  "kind": "Namespace",
  "verbs": [
    "create",
    "delete",
    "get",
    "list",
    "patch",
    "update",
    "watch"
  ],
  "shortNames": [
    "ns"
  ],
  "storageVersionHash": "Q3oi5N2YM8M="
}
...

The verbs each resource supports are also listed there, so it is worth a quick look at this output when writing a Role/ClusterRole.
Incidentally, kubectl itself accepts either name or singularName (and shortNames such as po) when fetching resources, which is why the singular feels natural on the command line.

The singularName cannot be used in a Role/ClusterRole. The API server does not validate resource names in RBAC rules against discovery, so a manifest with resources: ["pod"] is accepted without complaint; the rule simply never matches a request, and the subject is denied exactly as if the rule did not exist. A quick check before handing such a Role out is kubectl auth can-i list pods --as=system:serviceaccount:default:test, which answers no for the singular rule; the request itself fails like this:

Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:test" cannot list resource "pods" in API group "" in the namespace "default"
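Since the API server accepts a rule whose resource name matches nothing, the only way to catch the mistake is to compare the rules against the discovery data shown above. The following linter is an added example (my own code, not part of the original post or of Kubernetes): it checks every entry in .rules[].resources against the plural name the API server publishes, reports singular names, kinds and shortNames that RBAC will never match, and flags verbs a resource does not support (such as create on componentstatuses). The DISCOVERY dictionary is a constructed, trimmed subset of what kubectl get --raw /api/v1 and /apis/apps/v1 return; the SAMPLE_RULES are likewise constructed, and the function names are my own.

```python
"""Lint RBAC rules against Kubernetes API discovery data (added example)."""

# Constructed sample discovery data. Each value has the shape of an
# APIResourceList as returned by `kubectl get --raw /api/v1` (core group, key "")
# or `kubectl get --raw /apis/<group>/v1` (named groups); the contents are trimmed.
FULL_VERBS = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
DISCOVERY = {
    "": {
        "resources": [
            {"name": "pods", "singularName": "pod", "kind": "Pod",
             "shortNames": ["po"], "verbs": FULL_VERBS},
            # subresources appear as their own entries with a "/" in the name
            {"name": "pods/log", "singularName": "", "kind": "Pod", "verbs": ["get"]},
            {"name": "configmaps", "singularName": "configmap", "kind": "ConfigMap",
             "shortNames": ["cm"], "verbs": FULL_VERBS},
            {"name": "componentstatuses", "singularName": "componentstatus",
             "kind": "ComponentStatus", "shortNames": ["cs"], "verbs": ["get", "list"]},
        ]
    },
    "apps": {
        "resources": [
            {"name": "deployments", "singularName": "deployment", "kind": "Deployment",
             "shortNames": ["deploy"], "verbs": FULL_VERBS},
        ]
    },
}


def _index_group(api_resource_list):
    """Return (plural names -> resource, alias -> plural name) for one group."""
    by_name = {r["name"]: r for r in api_resource_list["resources"]}
    aliases = {}
    for r in api_resource_list["resources"]:
        if "/" in r["name"]:
            continue  # subresources share the parent's kind; don't let them steal its aliases
        for alias in [r.get("singularName"), r.get("kind", "").lower()] + r.get("shortNames", []):
            if alias:
                aliases.setdefault(alias, r["name"])
    return by_name, aliases


def lint_rules(rules, discovery=DISCOVERY):
    """Return a list of finding strings; an empty list means every rule matches discovery."""
    findings = []
    for i, rule in enumerate(rules):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if "*" in groups or "*" in resources:
            continue  # wildcard rules match everything; nothing to compare against discovery
        for group in groups:
            if group not in discovery:
                findings.append(f"rule[{i}]: apiGroup {group!r} is not served by this cluster")
                continue
            by_name, aliases = _index_group(discovery[group])
            for res in resources:
                if res in by_name:
                    unsupported = [v for v in verbs if v != "*" and v not in by_name[res]["verbs"]]
                    if unsupported:
                        findings.append(
                            f"rule[{i}]: {res!r} in group {group!r} does not support verbs {unsupported}")
                elif res in aliases:
                    findings.append(
                        f"rule[{i}]: {res!r} is not a resource name, RBAC will never match it; use {aliases[res]!r}")
                else:
                    findings.append(
                        f"rule[{i}]: {res!r} not found in group {group!r}; the rule grants nothing")
    return findings


# Constructed Role rules. rule[2] is the post's failure case (singular "pod").
SAMPLE_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["pod"], "verbs": ["list"]},
    {"apiGroups": [""], "resources": ["componentstatuses"], "verbs": ["create"]},
    {"apiGroups": ["apps"], "resources": ["deploy"], "verbs": ["get"]},
]

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```

To run it against a real cluster, replace the constructed DISCOVERY entries with the real documents, e.g. `DISCOVERY[""] = json.load(open("core.json"))` after `kubectl get --raw /api/v1 > core.json`, and feed it the `rules` list from your Role manifest. Wildcard rules are skipped rather than validated because they match by construction; whether a `*` rule is too broad is a separate review question.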
