This is the multi-page printable view of this section. Click here to print.
Authorization Resources
1 - LocalSubjectAccessReview
apiVersion: authorization.k8s.io/v1
import "k8s.io/api/authorization/v1"
LocalSubjectAccessReview
LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.
apiVersion: authorization.k8s.io/v1
kind: LocalSubjectAccessReview
metadata (ObjectMeta)
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
spec (SubjectAccessReviewSpec), required
Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace you made the request against. If empty, it is defaulted.
status (SubjectAccessReviewStatus)
Status is filled in by the server and indicates whether the request is allowed or not
Operations
create
create a LocalSubjectAccessReview
HTTP Request
POST /apis/authorization.k8s.io/v1/namespaces/{namespace}/localsubjectaccessreviews
Parameters
namespace (in path): string, required
body: LocalSubjectAccessReview, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
pretty (in query): string
Response
200 (LocalSubjectAccessReview): OK
201 (LocalSubjectAccessReview): Created
202 (LocalSubjectAccessReview): Accepted
401: Unauthorized
2 - SelfSubjectAccessReview
apiVersion: authorization.k8s.io/v1
import "k8s.io/api/authorization/v1"
SelfSubjectAccessReview
SelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a spec.namespace means "in all namespaces". Self is a special case, because users should always be able to check whether they can perform an action
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectAccessReview
metadata (ObjectMeta)
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
spec (SelfSubjectAccessReviewSpec), required
Spec holds information about the request being evaluated. user and groups must be empty
status (SubjectAccessReviewStatus)
Status is filled in by the server and indicates whether the request is allowed or not
SelfSubjectAccessReviewSpec
SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set
nonResourceAttributes (NonResourceAttributes)
NonResourceAttributes describes information for a non-resource access request
NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
nonResourceAttributes.path (string)
Path is the URL path of the request
nonResourceAttributes.verb (string)
Verb is the standard HTTP verb
resourceAttributes (ResourceAttributes)
ResourceAuthorizationAttributes describes information for a resource access request
ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
resourceAttributes.fieldSelector (FieldSelectorAttributes)
fieldSelector describes the limitation on access based on field. It can only limit access, not broaden it.
This field is alpha-level. To use this field, you must enable the
AuthorizeWithSelectors
feature gate (disabled by default).*FieldSelectorAttributes indicates a field limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.
resourceAttributes.fieldSelector.rawSelector (string)
rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.
resourceAttributes.fieldSelector.requirements ([]FieldSelectorRequirement)
Atomic: will be replaced during a merge
requirements is the parsed interpretation of a field selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood.
FieldSelectorRequirement is a selector that contains values, a key, and an operator that relates the key and values.
resourceAttributes.fieldSelector.requirements.key (string), required
key is the field selector key that the requirement applies to.
resourceAttributes.fieldSelector.requirements.operator (string), required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. The list of operators may grow in the future.
resourceAttributes.fieldSelector.requirements.values ([]string)
Atomic: will be replaced during a merge
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
resourceAttributes.group (string)
Group is the API Group of the Resource. "*" means all.
resourceAttributes.labelSelector (LabelSelectorAttributes)
labelSelector describes the limitation on access based on labels. It can only limit access, not broaden it.
This field is alpha-level. To use this field, you must enable the
AuthorizeWithSelectors
feature gate (disabled by default).*LabelSelectorAttributes indicates a label limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.
resourceAttributes.labelSelector.rawSelector (string)
rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.
resourceAttributes.labelSelector.requirements ([]LabelSelectorRequirement)
Atomic: will be replaced during a merge
requirements is the parsed interpretation of a label selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
resourceAttributes.labelSelector.requirements.key (string), required
key is the label key that the selector applies to.
resourceAttributes.labelSelector.requirements.operator (string), required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
resourceAttributes.labelSelector.requirements.values ([]string)
Atomic: will be replaced during a merge
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
resourceAttributes.name (string)
Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
resourceAttributes.namespace (string)
Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces "" (empty) is defaulted for LocalSubjectAccessReviews "" (empty) is empty for cluster-scoped resources "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
resourceAttributes.resource (string)
Resource is one of the existing resource types. "*" means all.
resourceAttributes.subresource (string)
Subresource is one of the existing resource types. "" means none.
resourceAttributes.verb (string)
Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all.
resourceAttributes.version (string)
Version is the API Version of the Resource. "*" means all.
Operations
create
create a SelfSubjectAccessReview
HTTP Request
POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews
Parameters
body: SelfSubjectAccessReview, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
pretty (in query): string
Response
200 (SelfSubjectAccessReview): OK
201 (SelfSubjectAccessReview): Created
202 (SelfSubjectAccessReview): Accepted
401: Unauthorized
3 - SelfSubjectRulesReview
apiVersion: authorization.k8s.io/v1
import "k8s.io/api/authorization/v1"
SelfSubjectRulesReview
SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectRulesReview
metadata (ObjectMeta)
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
spec (SelfSubjectRulesReviewSpec), required
Spec holds information about the request being evaluated.
status (SubjectRulesReviewStatus)
Status is filled in by the server and indicates the set of actions a user can perform.
SubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.
status.incomplete (boolean), required
Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.
status.nonResourceRules ([]NonResourceRule), required
Atomic: will be replaced during a merge
NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
NonResourceRule holds information that describes a rule for the non-resource
status.nonResourceRules.verbs ([]string), required
Atomic: will be replaced during a merge
Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all.
status.nonResourceRules.nonResourceURLs ([]string)
Atomic: will be replaced during a merge
NonResourceURLs is a set of partial urls that a user should have access to. s are allowed, but only as the full, final step in the path. "" means all.
status.resourceRules ([]ResourceRule), required
Atomic: will be replaced during a merge
ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.
status.resourceRules.verbs ([]string), required
Atomic: will be replaced during a merge
Verb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all.
status.resourceRules.apiGroups ([]string)
Atomic: will be replaced during a merge
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. "*" means all.
status.resourceRules.resourceNames ([]string)
Atomic: will be replaced during a merge
ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all.
status.resourceRules.resources ([]string)
Atomic: will be replaced during a merge
Resources is a list of resources this rule applies to. "" means all in the specified apiGroups. "/foo" represents the subresource 'foo' for all resources in the specified apiGroups.
status.evaluationError (string)
EvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.
SelfSubjectRulesReviewSpec
SelfSubjectRulesReviewSpec defines the specification for SelfSubjectRulesReview.
namespace (string)
Namespace to evaluate rules for. Required.
Operations
create
create a SelfSubjectRulesReview
HTTP Request
POST /apis/authorization.k8s.io/v1/selfsubjectrulesreviews
Parameters
body: SelfSubjectRulesReview, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
pretty (in query): string
Response
200 (SelfSubjectRulesReview): OK
201 (SelfSubjectRulesReview): Created
202 (SelfSubjectRulesReview): Accepted
401: Unauthorized
4 - SubjectAccessReview
apiVersion: authorization.k8s.io/v1
import "k8s.io/api/authorization/v1"
SubjectAccessReview
SubjectAccessReview checks whether or not a user or group can perform an action.
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
metadata (ObjectMeta)
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
spec (SubjectAccessReviewSpec), required
Spec holds information about the request being evaluated
status (SubjectAccessReviewStatus)
Status is filled in by the server and indicates whether the request is allowed or not
SubjectAccessReviewSpec
SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set
extra (map[string][]string)
Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer it needs a reflection here.
groups ([]string)
Atomic: will be replaced during a merge
Groups is the groups you're testing for.
nonResourceAttributes (NonResourceAttributes)
NonResourceAttributes describes information for a non-resource access request
NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface
nonResourceAttributes.path (string)
Path is the URL path of the request
nonResourceAttributes.verb (string)
Verb is the standard HTTP verb
resourceAttributes (ResourceAttributes)
ResourceAuthorizationAttributes describes information for a resource access request
ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface
resourceAttributes.fieldSelector (FieldSelectorAttributes)
fieldSelector describes the limitation on access based on field. It can only limit access, not broaden it.
This field is alpha-level. To use this field, you must enable the
AuthorizeWithSelectors
feature gate (disabled by default).*FieldSelectorAttributes indicates a field limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.
resourceAttributes.fieldSelector.rawSelector (string)
rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.
resourceAttributes.fieldSelector.requirements ([]FieldSelectorRequirement)
Atomic: will be replaced during a merge
requirements is the parsed interpretation of a field selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood.
FieldSelectorRequirement is a selector that contains values, a key, and an operator that relates the key and values.
resourceAttributes.fieldSelector.requirements.key (string), required
key is the field selector key that the requirement applies to.
resourceAttributes.fieldSelector.requirements.operator (string), required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. The list of operators may grow in the future.
resourceAttributes.fieldSelector.requirements.values ([]string)
Atomic: will be replaced during a merge
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.
resourceAttributes.group (string)
Group is the API Group of the Resource. "*" means all.
resourceAttributes.labelSelector (LabelSelectorAttributes)
labelSelector describes the limitation on access based on labels. It can only limit access, not broaden it.
This field is alpha-level. To use this field, you must enable the
AuthorizeWithSelectors
feature gate (disabled by default).*LabelSelectorAttributes indicates a label limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.
resourceAttributes.labelSelector.rawSelector (string)
rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.
resourceAttributes.labelSelector.requirements ([]LabelSelectorRequirement)
Atomic: will be replaced during a merge
requirements is the parsed interpretation of a label selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood.
A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
resourceAttributes.labelSelector.requirements.key (string), required
key is the label key that the selector applies to.
resourceAttributes.labelSelector.requirements.operator (string), required
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
resourceAttributes.labelSelector.requirements.values ([]string)
Atomic: will be replaced during a merge
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
resourceAttributes.name (string)
Name is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.
resourceAttributes.namespace (string)
Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces "" (empty) is defaulted for LocalSubjectAccessReviews "" (empty) is empty for cluster-scoped resources "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview
resourceAttributes.resource (string)
Resource is one of the existing resource types. "*" means all.
resourceAttributes.subresource (string)
Subresource is one of the existing resource types. "" means none.
resourceAttributes.verb (string)
Verb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all.
resourceAttributes.version (string)
Version is the API Version of the Resource. "*" means all.
uid (string)
UID information about the requesting user.
user (string)
User is the user you're testing for. If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups
SubjectAccessReviewStatus
SubjectAccessReviewStatus
allowed (boolean), required
Allowed is required. True if the action would be allowed, false otherwise.
denied (boolean)
Denied is optional. True if the action would be denied, otherwise false. If both allowed is false and denied is false, then the authorizer has no opinion on whether to authorize the action. Denied may not be true if Allowed is true.
evaluationError (string)
EvaluationError is an indication that some error occurred during the authorization check. It is entirely possible to get an error and be able to continue determine authorization status in spite of it. For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.
reason (string)
Reason is optional. It indicates why a request was allowed or denied.
Operations
create
create a SubjectAccessReview
HTTP Request
POST /apis/authorization.k8s.io/v1/subjectaccessreviews
Parameters
body: SubjectAccessReview, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
pretty (in query): string
Response
200 (SubjectAccessReview): OK
201 (SubjectAccessReview): Created
202 (SubjectAccessReview): Accepted
401: Unauthorized
5 - ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
import "k8s.io/api/rbac/v1"
ClusterRole
ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata (ObjectMeta)
Standard object's metadata.
aggregationRule (AggregationRule)
AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller.
AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole
aggregationRule.clusterRoleSelectors ([]LabelSelector)
Atomic: will be replaced during a merge
ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added
rules ([]PolicyRule)
Atomic: will be replaced during a merge
Rules holds all the PolicyRules for this ClusterRole
PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.
rules.apiGroups ([]string)
Atomic: will be replaced during a merge
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
rules.resources ([]string)
Atomic: will be replaced during a merge
Resources is a list of resources this rule applies to. '*' represents all resources.
rules.verbs ([]string), required
Atomic: will be replaced during a merge
Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
rules.resourceNames ([]string)
Atomic: will be replaced during a merge
ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
rules.nonResourceURLs ([]string)
Atomic: will be replaced during a merge
NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
ClusterRoleList
ClusterRoleList is a collection of ClusterRoles
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleList
metadata (ListMeta)
Standard object's metadata.
items ([]ClusterRole), required
Items is a list of ClusterRoles
Operations
get
read the specified ClusterRole
HTTP Request
GET /apis/rbac.authorization.k8s.io/v1/clusterroles/{name}
Parameters
name (in path): string, required
name of the ClusterRole
pretty (in query): string
Response
200 (ClusterRole): OK
401: Unauthorized
list
list or watch objects of kind ClusterRole
HTTP Request
GET /apis/rbac.authorization.k8s.io/v1/clusterroles
Parameters
allowWatchBookmarks (in query): boolean
continue (in query): string
fieldSelector (in query): string
labelSelector (in query): string
limit (in query): integer
pretty (in query): string
resourceVersion (in query): string
resourceVersionMatch (in query): string
sendInitialEvents (in query): boolean
timeoutSeconds (in query): integer
watch (in query): boolean
Response
200 (ClusterRoleList): OK
401: Unauthorized
create
create a ClusterRole
HTTP Request
POST /apis/rbac.authorization.k8s.io/v1/clusterroles
Parameters
body: ClusterRole, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
pretty (in query): string
Response
200 (ClusterRole): OK
201 (ClusterRole): Created
202 (ClusterRole): Accepted
401: Unauthorized
update
replace the specified ClusterRole
HTTP Request
PUT /apis/rbac.authorization.k8s.io/v1/clusterroles/{name}
Parameters
name (in path): string, required
name of the ClusterRole
body: ClusterRole, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
pretty (in query): string
Response
200 (ClusterRole): OK
201 (ClusterRole): Created
401: Unauthorized
patch
partially update the specified ClusterRole
HTTP Request
PATCH /apis/rbac.authorization.k8s.io/v1/clusterroles/{name}
Parameters
name (in path): string, required
name of the ClusterRole
body: Patch, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
force (in query): boolean
pretty (in query): string
Response
200 (ClusterRole): OK
201 (ClusterRole): Created
401: Unauthorized
delete
delete a ClusterRole
HTTP Request
DELETE /apis/rbac.authorization.k8s.io/v1/clusterroles/{name}
Parameters
name (in path): string, required
name of the ClusterRole
body: DeleteOptions
dryRun (in query): string
gracePeriodSeconds (in query): integer
pretty (in query): string
propagationPolicy (in query): string
Response
200 (Status): OK
202 (Status): Accepted
401: Unauthorized
deletecollection
delete collection of ClusterRole
HTTP Request
DELETE /apis/rbac.authorization.k8s.io/v1/clusterroles
Parameters
body: DeleteOptions
continue (in query): string
dryRun (in query): string
fieldSelector (in query): string
gracePeriodSeconds (in query): integer
labelSelector (in query): string
limit (in query): integer
pretty (in query): string
propagationPolicy (in query): string
resourceVersion (in query): string
resourceVersionMatch (in query): string
sendInitialEvents (in query): boolean
timeoutSeconds (in query): integer
Response
200 (Status): OK
401: Unauthorized
6 - ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
import "k8s.io/api/rbac/v1"
ClusterRoleBinding
ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata (ObjectMeta)
Standard object's metadata.
roleRef (RoleRef), required
RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable.
RoleRef contains information that points to the role being used
roleRef.apiGroup (string), required
APIGroup is the group for the resource being referenced
roleRef.kind (string), required
Kind is the type of resource being referenced
roleRef.name (string), required
Name is the name of resource being referenced
subjects ([]Subject)
Atomic: will be replaced during a merge
Subjects holds references to the objects the role applies to.
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.
subjects.kind (string), required
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.
subjects.name (string), required
Name of the object being referenced.
subjects.apiGroup (string)
APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
subjects.namespace (string)
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
ClusterRoleBindingList
ClusterRoleBindingList is a collection of ClusterRoleBindings
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBindingList
metadata (ListMeta)
Standard object's metadata.
items ([]ClusterRoleBinding), required
Items is a list of ClusterRoleBindings
Operations
get
read the specified ClusterRoleBinding
HTTP Request
GET /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/{name}
Parameters
name (in path): string, required
name of the ClusterRoleBinding
pretty (in query): string
Response
200 (ClusterRoleBinding): OK
401: Unauthorized
list
list or watch objects of kind ClusterRoleBinding
HTTP Request
GET /apis/rbac.authorization.k8s.io/v1/clusterrolebindings
Parameters
allowWatchBookmarks (in query): boolean
continue (in query): string
fieldSelector (in query): string
labelSelector (in query): string
limit (in query): integer
pretty (in query): string
resourceVersion (in query): string
resourceVersionMatch (in query): string
sendInitialEvents (in query): boolean
timeoutSeconds (in query): integer
watch (in query): boolean
Response
200 (ClusterRoleBindingList): OK
401: Unauthorized
create
create a ClusterRoleBinding
HTTP Request
POST /apis/rbac.authorization.k8s.io/v1/clusterrolebindings
Parameters
body: ClusterRoleBinding, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
pretty (in query): string
Response
200 (ClusterRoleBinding): OK
201 (ClusterRoleBinding): Created
202 (ClusterRoleBinding): Accepted
401: Unauthorized
update
replace the specified ClusterRoleBinding
HTTP Request
PUT /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/{name}
Parameters
name (in path): string, required
name of the ClusterRoleBinding
body: ClusterRoleBinding, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
pretty (in query): string
Response
200 (ClusterRoleBinding): OK
201 (ClusterRoleBinding): Created
401: Unauthorized
patch
partially update the specified ClusterRoleBinding
HTTP Request
PATCH /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/{name}
Parameters
name (in path): string, required
name of the ClusterRoleBinding
body: Patch, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
force (in query): boolean
pretty (in query): string
Response
200 (ClusterRoleBinding): OK
201 (ClusterRoleBinding): Created
401: Unauthorized
delete
delete a ClusterRoleBinding
HTTP Request
DELETE /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/{name}
Parameters
name (in path): string, required
name of the ClusterRoleBinding
body: DeleteOptions
dryRun (in query): string
gracePeriodSeconds (in query): integer
pretty (in query): string
propagationPolicy (in query): string
Response
200 (Status): OK
202 (Status): Accepted
401: Unauthorized
deletecollection
delete collection of ClusterRoleBinding
HTTP Request
DELETE /apis/rbac.authorization.k8s.io/v1/clusterrolebindings
Parameters
body: DeleteOptions
continue (in query): string
dryRun (in query): string
fieldSelector (in query): string
gracePeriodSeconds (in query): integer
labelSelector (in query): string
limit (in query): integer
pretty (in query): string
propagationPolicy (in query): string
resourceVersion (in query): string
resourceVersionMatch (in query): string
sendInitialEvents (in query): boolean
timeoutSeconds (in query): integer
Response
200 (Status): OK
401: Unauthorized
7 - Role
apiVersion: rbac.authorization.k8s.io/v1
import "k8s.io/api/rbac/v1"
Role
Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata (ObjectMeta)
Standard object's metadata.
rules ([]PolicyRule)
Atomic: will be replaced during a merge
Rules holds all the PolicyRules for this Role
PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.
rules.apiGroups ([]string)
Atomic: will be replaced during a merge
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
rules.resources ([]string)
Atomic: will be replaced during a merge
Resources is a list of resources this rule applies to. '*' represents all resources.
rules.verbs ([]string), required
Atomic: will be replaced during a merge
Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
rules.resourceNames ([]string)
Atomic: will be replaced during a merge
ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
rules.nonResourceURLs ([]string)
Atomic: will be replaced during a merge
NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
RoleList
RoleList is a collection of Roles
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleList
metadata (ListMeta)
Standard object's metadata.
items ([]Role), required
Items is a list of Roles
Operations
get
read the specified Role
HTTP Request
GET /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles/{name}
Parameters
name (in path): string, required
name of the Role
namespace (in path): string, required
pretty (in query): string
Response
200 (Role): OK
401: Unauthorized
list
list or watch objects of kind Role
HTTP Request
GET /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles
Parameters
namespace (in path): string, required
allowWatchBookmarks (in query): boolean
continue (in query): string
fieldSelector (in query): string
labelSelector (in query): string
limit (in query): integer
pretty (in query): string
resourceVersion (in query): string
resourceVersionMatch (in query): string
sendInitialEvents (in query): boolean
timeoutSeconds (in query): integer
watch (in query): boolean
Response
200 (RoleList): OK
401: Unauthorized
list
list or watch objects of kind Role
HTTP Request
GET /apis/rbac.authorization.k8s.io/v1/roles
Parameters
allowWatchBookmarks (in query): boolean
continue (in query): string
fieldSelector (in query): string
labelSelector (in query): string
limit (in query): integer
pretty (in query): string
resourceVersion (in query): string
resourceVersionMatch (in query): string
sendInitialEvents (in query): boolean
timeoutSeconds (in query): integer
watch (in query): boolean
Response
200 (RoleList): OK
401: Unauthorized
create
create a Role
HTTP Request
POST /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles
Parameters
namespace (in path): string, required
body: Role, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
pretty (in query): string
Response
200 (Role): OK
201 (Role): Created
202 (Role): Accepted
401: Unauthorized
update
replace the specified Role
HTTP Request
PUT /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles/{name}
Parameters
name (in path): string, required
name of the Role
namespace (in path): string, required
body: Role, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
pretty (in query): string
Response
200 (Role): OK
201 (Role): Created
401: Unauthorized
patch
partially update the specified Role
HTTP Request
PATCH /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles/{name}
Parameters
name (in path): string, required
name of the Role
namespace (in path): string, required
body: Patch, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
force (in query): boolean
pretty (in query): string
Response
200 (Role): OK
201 (Role): Created
401: Unauthorized
delete
delete a Role
HTTP Request
DELETE /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles/{name}
Parameters
name (in path): string, required
name of the Role
namespace (in path): string, required
body: DeleteOptions
dryRun (in query): string
gracePeriodSeconds (in query): integer
pretty (in query): string
propagationPolicy (in query): string
Response
200 (Status): OK
202 (Status): Accepted
401: Unauthorized
deletecollection
delete collection of Role
HTTP Request
DELETE /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles
Parameters
namespace (in path): string, required
body: DeleteOptions
continue (in query): string
dryRun (in query): string
fieldSelector (in query): string
gracePeriodSeconds (in query): integer
labelSelector (in query): string
limit (in query): integer
pretty (in query): string
propagationPolicy (in query): string
resourceVersion (in query): string
resourceVersionMatch (in query): string
sendInitialEvents (in query): boolean
timeoutSeconds (in query): integer
Response
200 (Status): OK
401: Unauthorized
8 - RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
import "k8s.io/api/rbac/v1"
RoleBinding
RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata (ObjectMeta)
Standard object's metadata.
roleRef (RoleRef), required
RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable.
RoleRef contains information that points to the role being used
roleRef.apiGroup (string), required
APIGroup is the group for the resource being referenced
roleRef.kind (string), required
Kind is the type of resource being referenced
roleRef.name (string), required
Name is the name of resource being referenced
subjects ([]Subject)
Atomic: will be replaced during a merge
Subjects holds references to the objects the role applies to.
Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.
subjects.kind (string), required
Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.
subjects.name (string), required
Name of the object being referenced.
subjects.apiGroup (string)
APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
subjects.namespace (string)
Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.
RoleBindingList
RoleBindingList is a collection of RoleBindings
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBindingList
metadata (ListMeta)
Standard object's metadata.
items ([]RoleBinding), required
Items is a list of RoleBindings
Operations
get
read the specified RoleBinding
HTTP Request
GET /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings/{name}
Parameters
name (in path): string, required
name of the RoleBinding
namespace (in path): string, required
pretty (in query): string
Response
200 (RoleBinding): OK
401: Unauthorized
list
list or watch objects of kind RoleBinding
HTTP Request
GET /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings
Parameters
namespace (in path): string, required
allowWatchBookmarks (in query): boolean
continue (in query): string
fieldSelector (in query): string
labelSelector (in query): string
limit (in query): integer
pretty (in query): string
resourceVersion (in query): string
resourceVersionMatch (in query): string
sendInitialEvents (in query): boolean
timeoutSeconds (in query): integer
watch (in query): boolean
Response
200 (RoleBindingList): OK
401: Unauthorized
list
list or watch objects of kind RoleBinding
HTTP Request
GET /apis/rbac.authorization.k8s.io/v1/rolebindings
Parameters
allowWatchBookmarks (in query): boolean
continue (in query): string
fieldSelector (in query): string
labelSelector (in query): string
limit (in query): integer
pretty (in query): string
resourceVersion (in query): string
resourceVersionMatch (in query): string
sendInitialEvents (in query): boolean
timeoutSeconds (in query): integer
watch (in query): boolean
Response
200 (RoleBindingList): OK
401: Unauthorized
create
create a RoleBinding
HTTP Request
POST /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings
Parameters
namespace (in path): string, required
body: RoleBinding, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
pretty (in query): string
Response
200 (RoleBinding): OK
201 (RoleBinding): Created
202 (RoleBinding): Accepted
401: Unauthorized
update
replace the specified RoleBinding
HTTP Request
PUT /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings/{name}
Parameters
name (in path): string, required
name of the RoleBinding
namespace (in path): string, required
body: RoleBinding, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
pretty (in query): string
Response
200 (RoleBinding): OK
201 (RoleBinding): Created
401: Unauthorized
patch
partially update the specified RoleBinding
HTTP Request
PATCH /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings/{name}
Parameters
name (in path): string, required
name of the RoleBinding
namespace (in path): string, required
body: Patch, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
force (in query): boolean
pretty (in query): string
Response
200 (RoleBinding): OK
201 (RoleBinding): Created
401: Unauthorized
delete
delete a RoleBinding
HTTP Request
DELETE /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings/{name}
Parameters
name (in path): string, required
name of the RoleBinding
namespace (in path): string, required
body: DeleteOptions
dryRun (in query): string
gracePeriodSeconds (in query): integer
pretty (in query): string
propagationPolicy (in query): string
Response
200 (Status): OK
202 (Status): Accepted
401: Unauthorized
deletecollection
delete collection of RoleBinding
HTTP Request
DELETE /apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings
Parameters
namespace (in path): string, required
body: DeleteOptions
continue (in query): string
dryRun (in query): string
fieldSelector (in query): string
gracePeriodSeconds (in query): integer
labelSelector (in query): string
limit (in query): integer
pretty (in query): string
propagationPolicy (in query): string
resourceVersion (in query): string
resourceVersionMatch (in query): string
sendInitialEvents (in query): boolean
timeoutSeconds (in query): integer
Response
200 (Status): OK
401: Unauthorized