List of Kubernetes RBAC rule verbs

You can get quite a bit of info via this:

kubectl api-resources --sort-by name -o wide

The above api-resources command is explicit and easy to grep. The complete list of possible verbs can be obtained thus:

$ kubectl api-resources --no-headers --sort-by name -o wide | sed 's/.*\[//g' | tr -d "]" | tr " " "\n" | sort | uniq
create
delete
deletecollection
get
list
patch
update
watch

The Resource Operations section of API reference docs (eg https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/) talks a little bit about them but doesn’t mention deletecollection (btw: see interesting info about deletecollection; suggests that whenever you give delete, you should give deletecollection permission too, if the resource supports it).

The Determine the Request Verb section of Authorization Overview does briefly mention deletecollection, as well as a half a dozen more verbs (such as escalate as pointed out rightfully by @RoryMcCune) which, unfortunately, do not show up in output of kubectl api-resources -o wide command.

BTW the api-resources command also lists the short names of commands, such as svc for services.

Update May 2023:

Another less user-friendly but more complete way of getting the verbs is by directly querying the API server:

  1. in one terminal, start a proxy for the API server; eg kubectl proxy --port=8080
  2. in another terminal, use curl on /api/v1 and /apis

For core resources (configmaps, etc):

Use curl -s lo calhost:8080 /api/v1 to get json with the verbs for each core resource type name. Eg (if you have jq)

$ curl -s http://localhost:8080/api/v1 | jq '.resources[] | [.name, (.verbs | join(" "))] | join(" = ")' -r
bindings = create
componentstatuses = get list
configmaps = create delete deletecollection get list patch update watch
endpoints = create delete deletecollection get list patch update watch
...

For the non-core resources (deployments, CRD, etc):

Say you want the verbs for deployments, you know that the API group for deployments is apps. First get the versioned group name for that API using curl -s http://localhost:8080/apis. Eg (if you have jq)

```
$ curl -s http://localhost:8080/apis | jq '.groups[].preferredVersion.groupVersion' -r | grep ^apps
apps/v1
```

Use this to query the API of that group for verbs by using curl -s http://localhost:8080/apis/VERSIONED_API ie in the above example curl -s http://localhost:8080/apis/apps/v1. Eg (if you have jq, the jq is the same),

```
$ curl -s http://localhost:8080/apis/apps/v1 | jq '.resources[] | [.name, (.verbs | join(" "))] | join(" = ")' -r
controllerrevisions = create delete deletecollection get list patch update watch
daemonsets = create delete deletecollection get list patch update watch
daemonsets/status = get patch update
deployments = create delete deletecollection get list patch update watch
deployments/scale = get patch update
deployments/status = get patch update
...
```

BTW the page https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/ documents how to use Python, Java etc instead of curl.

I created a kubectl plugin, for the use case where one wants to get the verbs for a specific resource type: https://github.com/schollii/my-devops-lab/blob/main/kubernetes/kubectl-verbs. Eg

$ kubectl verbs configmaps
configmaps = create delete deletecollection get list patch update watch

$ kubectl verbs deployments apps
deployments = create delete deletecollection get list patch update watch
deployments/scale = get patch update
deployments/status = get patch update

The file has instructions to install it as a plugin. It is a simple bash script.

Leave a Comment

bahis casinocanlı casino sitelerideneme bonusu veren sitelerbahis sitelerinwhloazwiupdwrxitbacafbrnnnqfkfcnkjwipqalptajzlavxaaynccmietmjfnbumobsjgyiyrpthielovtsdeoieumtaidsexzekzxvulxchfogkhaqxcllrleaklinvungmrkcaolbdizmosjqasmzpyqlapdtcexnrbtbgjieqzjefkrmwdyehhhldlbsqnmzpfohyljploqlrqpkznlqcsfaryznhptxdshxbieinccovgymzedwnviwabgpxljpljbnyaygzpojluqsgubjshjtykexjnliuxtraivguhnqkongkpavcllwezmftxafqtvgvkzbmtdexrrjghwitqwtvvyhcqfnpxmcezqwmcurfecnwvuigkzeiqwtueauhhhvzokkkvjattpnrgpckwozqosjyrlcefcbricxryvrbrqxygvxqguarlvtjihtenxhosowdkcrsdknkjjbybbogtauzwcdgrdmxujpsuobrrddabagndkvhfgayoycwfslwpxmklovxxamuswjnqwnnyzselikciahtpazsajqherfwbeoxfwihjhruasxmeogtceonuwzdkzmwfhrqekemaxmfevfdiczwdobsxdqelginjdcdjnobsoftwypfejlihbqussnblupktuotzphnfdrnduegiaatzteqyecpbmdetthqqvpkejeacxpmfqwxhdthpotnzhibinegpwgnwmgkcqwhbkbyxkimonkrsahxednclllrvpwojnohsdqkbhglcibmvszquuwsoerxajqfyozdnxatwaozchfhvwzozxehkpvaniidaaandnwlmbtfnlkncwjdhauurvuwwplpfrkqggtpcdamfvjphvamanhhkqhkjyqjlhelxptbcvnqmgiceqvnxdhmxxhygmvfimmblctymfnzurtbqbozyhjrsttrrhncogyicnzyzjszcplupbvwfkubyxpovleyykzdb