kptdev/kpt

What RBAC permissions for live apply? Correct values for apiGroups and resources

WTPascoe opened this issue · 1 comments

I am trying to give a user permissions to do kpt live apply.

When doing this, an error is returned:

Installing inventory ResourceGroup CRD.
error: Type ResourceGroup CRD needs update. Please make sure you have the permission to update CRD then run kpt live install-resource-group.
error installing ResourceGroup crd

If I add a far too broad set of rules to their role, this then succeeds. I'd like to understand what permissions are needed to be able to complete the live apply.

- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

The file that live init has generated and appears to be triggering this error is as follows:

resourcegroup.yaml
apiVersion: kpt.dev/v1alpha1
kind: ResourceGroup
metadata:
  name: inventory-27342774
  namespace: mynamespace
  labels:
    cli-utils.sigs.k8s.io/inventory-id: somenumbershere

If the ResourceGroup CRD is not installed, it tries to install it. In that case it would need privileges to add CRDs. My recommendation is that an administrator add the ResourceGroup CRD (for example, with kpt live install-resource-group). After that, the kpt tool itself only needs read on CRDs; since it will find the CRD already installed it will not try to install it again. This usually can be given to ordinary users.

Of course, the user will also need permissions to add the resources in the namespaces that are being applied.
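As an added illustration of the answer above (my own example, not kpt project code), here is a narrower grant than the "*" rule in the question: cluster-wide read on CRDs, plus a namespaced Role for the inventory ResourceGroup and the package's resources. It assumes an administrator has already run kpt live install-resource-group, that the target namespace is mynamespace, that the package contains only Deployments, Services and ConfigMaps, and that kpt writes the ResourceGroup status subresource; the user name example-user is a placeholder.

```yaml
# Added example (not from kpt): least-privilege RBAC for "kpt live apply".
# Assumes the ResourceGroup CRD is already installed by an administrator.
---
# Cluster-wide read on CRDs: kpt checks that the ResourceGroup CRD exists
# and, because it is already there, will not try to create or update it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kpt-live-crd-reader
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kpt-live-crd-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kpt-live-crd-reader
subjects:
  - kind: User
    name: example-user   # placeholder: the user who runs kpt live apply
---
# Namespaced: the inventory object (resourcegroup.yaml lives in this
# namespace) plus only the resource kinds the package actually contains.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kpt-live-applier
  namespace: mynamespace
rules:
  - apiGroups: ["kpt.dev"]
    resources: ["resourcegroups", "resourcegroups/status"]  # status: assumption
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]            # assumption: package applies Deployments
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]                # assumption: plus Services and ConfigMaps
    resources: ["services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kpt-live-applier
  namespace: mynamespace
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: kpt-live-applier}
subjects: [{kind: User, name: example-user}]
```

"delete" is kept on the package kinds because kpt live apply prunes resources removed from the package; before handing this to a user you can check each grant with, for example, `kubectl auth can-i create resourcegroups.kpt.dev -n mynamespace --as example-user`.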