When defining ClusterRoles and similar objects in k8s, as below, you sometimes need to check which API group a target resource belongs to (the part marked ★★★ below).

Example (ClusterRole manifest):

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: storage-admin
rules:
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["get", "watch", "list", "create", "delete"]
- apiGroups: ["storage.k8s.io"]  # ← ★★★ this is what we want to find out ★★★
  resources: ["storageclasses"]
  verbs: ["get", "watch", "list", "create", "delete"]
```

In that case, the following command gives you the answer quickly.

```
kubectl api-resources
```

Running it prints a list like the one below.
```
NAME                                SHORTNAMES   APIVERSION                          NAMESPACED   KIND
bindings                                         v1                                  true         Binding
componentstatuses                   cs           v1                                  false        ComponentStatus
configmaps                          cm           v1                                  true         ConfigMap
endpoints                           ep           v1                                  true         Endpoints
events                              ev           v1                                  true         Event
limitranges                         limits       v1                                  true         LimitRange
namespaces                          ns           v1                                  false        Namespace
nodes                               no           v1                                  false        Node
persistentvolumeclaims              pvc          v1                                  true         PersistentVolumeClaim
persistentvolumes                   pv           v1                                  false        PersistentVolume
pods                                po           v1                                  true         Pod
podtemplates                                     v1                                  true         PodTemplate
replicationcontrollers              rc           v1                                  true         ReplicationController
resourcequotas                      quota        v1                                  true         ResourceQuota
secrets                                          v1                                  true         Secret
serviceaccounts                     sa           v1                                  true         ServiceAccount
services                            svc          v1                                  true         Service
mutatingwebhookconfigurations                    admissionregistration.k8s.io/v1     false        MutatingWebhookConfiguration
validatingadmissionpolicies                      admissionregistration.k8s.io/v1     false        ValidatingAdmissionPolicy
validatingadmissionpolicybindings                admissionregistration.k8s.io/v1     false        ValidatingAdmissionPolicyBinding
validatingwebhookconfigurations                  admissionregistration.k8s.io/v1     false        ValidatingWebhookConfiguration
customresourcedefinitions           crd,crds     apiextensions.k8s.io/v1             false        CustomResourceDefinition
apiservices                                      apiregistration.k8s.io/v1           false        APIService
controllerrevisions                              apps/v1                             true         ControllerRevision
daemonsets                          ds           apps/v1                             true         DaemonSet
deployments                         deploy       apps/v1                             true         Deployment
replicasets                         rs           apps/v1                             true         ReplicaSet
statefulsets                        sts          apps/v1                             true         StatefulSet
selfsubjectreviews                               authentication.k8s.io/v1            false        SelfSubjectReview
tokenreviews                                     authentication.k8s.io/v1            false        TokenReview
localsubjectaccessreviews                        authorization.k8s.io/v1             true         LocalSubjectAccessReview
selfsubjectaccessreviews                         authorization.k8s.io/v1             false        SelfSubjectAccessReview
selfsubjectrulesreviews                          authorization.k8s.io/v1             false        SelfSubjectRulesReview
subjectaccessreviews                             authorization.k8s.io/v1             false        SubjectAccessReview
horizontalpodautoscalers            hpa          autoscaling/v2                      true         HorizontalPodAutoscaler
cronjobs                            cj           batch/v1                            true         CronJob
jobs                                             batch/v1                            true         Job
certificatesigningrequests          csr          certificates.k8s.io/v1              false        CertificateSigningRequest
leases                                           coordination.k8s.io/v1              true         Lease
endpointslices                                   discovery.k8s.io/v1                 true         EndpointSlice
events                              ev           events.k8s.io/v1                    true         Event
flowschemas                                      flowcontrol.apiserver.k8s.io/v1     false        FlowSchema
prioritylevelconfigurations                      flowcontrol.apiserver.k8s.io/v1     false        PriorityLevelConfiguration
gatewayclasses                      gc           gateway.networking.k8s.io/v1        false        GatewayClass
gateways                            gtw          gateway.networking.k8s.io/v1        true         Gateway
grpcroutes                                       gateway.networking.k8s.io/v1        true         GRPCRoute
httproutes                                       gateway.networking.k8s.io/v1        true         HTTPRoute
referencegrants                     refgrant     gateway.networking.k8s.io/v1beta1   true         ReferenceGrant
helmchartconfigs                                 helm.cattle.io/v1                   true         HelmChartConfig
helmcharts                                       helm.cattle.io/v1                   true         HelmChart
accesscontrolpolicies                            hub.traefik.io/v1alpha1             false        AccessControlPolicy
aiservices                                       hub.traefik.io/v1alpha1             true         AIService
apiaccesses                                      hub.traefik.io/v1alpha1             true         APIAccess
apibundles                                       hub.traefik.io/v1alpha1             true         APIBundle
apicatalogitems                                  hub.traefik.io/v1alpha1             true         APICatalogItem
apiplans                                         hub.traefik.io/v1alpha1             true         APIPlan
apiportals                                       hub.traefik.io/v1alpha1             true         APIPortal
apiratelimits                                    hub.traefik.io/v1alpha1             true         APIRateLimit
apis                                             hub.traefik.io/v1alpha1             true         API
apiversions                                      hub.traefik.io/v1alpha1             true         APIVersion
managedsubscriptions                             hub.traefik.io/v1alpha1             true         ManagedSubscription
addons                                           k3s.cattle.io/v1                    true         Addon
etcdsnapshotfiles                                k3s.cattle.io/v1                    false        ETCDSnapshotFile
nodes                                            metrics.k8s.io/v1beta1              false        NodeMetrics
pods                                             metrics.k8s.io/v1beta1              true         PodMetrics
ingressclasses                                   networking.k8s.io/v1                false        IngressClass
ingresses                           ing          networking.k8s.io/v1                true         Ingress
ipaddresses                         ip           networking.k8s.io/v1                false        IPAddress
networkpolicies                     netpol       networking.k8s.io/v1                true         NetworkPolicy
servicecidrs                                     networking.k8s.io/v1                false        ServiceCIDR
runtimeclasses                                   node.k8s.io/v1                      false        RuntimeClass
poddisruptionbudgets                pdb          policy/v1                           true         PodDisruptionBudget
clusterrolebindings                              rbac.authorization.k8s.io/v1        false        ClusterRoleBinding
clusterroles                                     rbac.authorization.k8s.io/v1        false        ClusterRole
rolebindings                                     rbac.authorization.k8s.io/v1        true         RoleBinding
roles                                            rbac.authorization.k8s.io/v1        true         Role
deviceclasses                                    resource.k8s.io/v1                  false        DeviceClass
resourceclaims                                   resource.k8s.io/v1                  true         ResourceClaim
resourceclaimtemplates                           resource.k8s.io/v1                  true         ResourceClaimTemplate
resourceslices                                   resource.k8s.io/v1                  false        ResourceSlice
priorityclasses                     pc           scheduling.k8s.io/v1                false        PriorityClass
csidrivers                                       storage.k8s.io/v1                   false        CSIDriver
csinodes                                         storage.k8s.io/v1                   false        CSINode
csistoragecapacities                             storage.k8s.io/v1                   true         CSIStorageCapacity
storageclasses                      sc           storage.k8s.io/v1                   false        StorageClass
volumeattachments                                storage.k8s.io/v1                   false        VolumeAttachment
volumeattributesclasses             vac          storage.k8s.io/v1                   false        VolumeAttributesClass
ingressroutes                                    traefik.io/v1alpha1                 true         IngressRoute
ingressroutetcps                                 traefik.io/v1alpha1                 true         IngressRouteTCP
ingressrouteudps                                 traefik.io/v1alpha1                 true         IngressRouteUDP
middlewares                                      traefik.io/v1alpha1                 true         Middleware
middlewaretcps                                   traefik.io/v1alpha1                 true         MiddlewareTCP
serverstransports                                traefik.io/v1alpha1                 true         ServersTransport
serverstransporttcps                             traefik.io/v1alpha1                 true         ServersTransportTCP
tlsoptions                                       traefik.io/v1alpha1                 true         TLSOption
tlsstores                                        traefik.io/v1alpha1                 true         TLSStore
traefikservices                                  traefik.io/v1alpha1                 true         TraefikService
```
Of these columns, APIVERSION is the only one you need to look at.

Roughly summarized as a table, it looks like this.

| Example APIVERSION | API Group (apigroup) | Core API? | Description |
|---|---|---|---|
| v1 | (empty = core API) | YES | Pod / Service, etc. Use `apiGroups: [""]` |
| apps/v1 | apps | NO | Deployment / DaemonSet, etc. |
| batch/v1 | batch | NO | Job / CronJob, etc. |
| storage.k8s.io/v1 | storage.k8s.io | NO | StorageClass / CSI Driver, etc. |
| rbac.authorization.k8s.io/v1 | rbac.authorization.k8s.io | NO | ClusterRole / ClusterRoleBinding, etc. |
| apiextensions.k8s.io/v1 | apiextensions.k8s.io | NO | CustomResourceDefinition (CRD) |
| networking.k8s.io/v1 | networking.k8s.io | NO | Ingress / NetworkPolicy, etc. |
In other words:

APIVERSION is just `v1` → core API
→ in RBAC, use `apiGroups: [""]`

APIVERSION has the form `<group name>/v1` → non-core API
→ in RBAC, use `apiGroups: ["<group name>"]`

Once you know this, it's easy.
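The rule above as a script, added here as an example and not part of the original article: it reads `kubectl api-resources` output, copes with rows whose SHORTNAMES column is empty, and shows that a resource name such as `pods` can be served by more than one API group, so the rule should name only the group you intend to grant. The helper names (`sample_api_resources`, `api_groups_for`, `rbac_rule`) are hypothetical and the sample rows are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): derive RBAC apiGroups
# values from `kubectl api-resources` output.

# Constructed sample in the 1.27+ column layout. Rows whose SHORTNAMES
# column is empty have one whitespace-separated field fewer.
sample_api_resources() {
cat <<'EOF'
NAME                SHORTNAMES   APIVERSION               NAMESPACED   KIND
persistentvolumes   pv           v1                       false        PersistentVolume
pods                po           v1                       true         Pod
secrets                          v1                       true         Secret
jobs                             batch/v1                 true         Job
pods                             metrics.k8s.io/v1beta1   true         PodMetrics
storageclasses      sc           storage.k8s.io/v1        false        StorageClass
EOF
}

# api_groups_for RESOURCE: print '"<group>"<TAB><KIND>' for every row whose
# NAME equals RESOURCE. Short names are not matched, because RBAC rules
# take the plural resource name.
api_groups_for() {
  awk -v res="$1" '
    NR > 1 && $1 == res {
      # APIVERSION is third from the end even when SHORTNAMES is empty.
      n = split($(NF - 2), gv, "/")
      group = (n == 2) ? gv[1] : ""    # no slash means the core group
      printf "\"%s\"\t%s\n", group, $NF
    }'
}

# rbac_rule RESOURCE KIND VERB...: emit a rule for exactly one KIND, so a
# name served by several groups (pods here) is granted in one group only.
rbac_rule() {
  res=$1; kind=$2; shift 2
  group=$(api_groups_for "$res" | awk -F'\t' -v k="$kind" '$2 == k { print $1 }')
  [ -n "$group" ] || { echo "no resource $res with kind $kind" >&2; return 1; }
  verbs=$(printf '"%s", ' "$@"); verbs=${verbs%, }
  printf '%s\n' "- apiGroups: [$group]" "  resources: [\"$res\"]" "  verbs: [$verbs]"
}

sample_api_resources | api_groups_for pods
sample_api_resources | rbac_rule storageclasses StorageClass get watch list
```

Against a live cluster, pipe `kubectl api-resources` into the functions in place of the constructed sample.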
Supplement

The output of `kubectl api-resources` differs depending on the kubectl version, as follows.

1.26 and earlier (old):

```
NAME SHORTNAMES APIGROUP APIVERSION …
```

1.27 and later (used in this article):

```
NAME SHORTNAMES APIVERSION …
```