Expected behavior for ClusterRole with two rules mentioning the same resource
I'm working with RBAC on an OpenShift cluster. I was wondering what is the expected behavior for applying a ClusterRole that has two rules which reference the same resource. E.g.:
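```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ocp-cluster-role
rules:
# Rule 1: read access to pods in the core ("") API group
- apiGroups:
  - ""
  resources:
  - pods  # RBAC resource names are lowercase plural; "Pods" would not match
  verbs:
  - get
# Rule 2: write access to the same resource
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
```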
Will an associated ServiceAccount be able to create, delete, and get Pods, or will they override one another?
Solution 1:[1]
The subject will have all the permissions granted through multiple bindings to roles.
Solution 2:[2]
As the cluster role contains get, create & delete permissions for pod resources, it will be applied all together to a service account for rolebinding and won’t override each other.
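The additive behaviour both answers describe, as an added example that is not part of the original post or taken from Kubernetes source: a simplified model of RBAC rule matching applied to the two rules from the question. The function names are hypothetical, and the model ignores subresources, `resourceNames` and non-resource URLs.

```python
# Added example: simplified model of RBAC rule matching (not Kubernetes source code).
# RBAC has no deny rules; a request is allowed if ANY rule matches it.

# The two rules from the ClusterRole in the question (resource written as "pods").
RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["create", "delete"]},
]


def _matches(allowed, requested):
    """A rule field matches on the "*" wildcard or on an exact, case-sensitive string."""
    return "*" in allowed or requested in allowed


def rule_allows(rule, verb, api_group, resource):
    """All three fields of a single rule must match the request."""
    return (_matches(rule["verbs"], verb)
            and _matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource))


def rules_allow(rules, verb, api_group, resource):
    """Rules are OR-ed together: one matching rule is enough."""
    return any(rule_allows(r, verb, api_group, resource) for r in rules)


def effective_verbs(rules, api_group, resource, candidates):
    """Return the subset of candidate verbs the combined rules grant."""
    return sorted(v for v in candidates if rules_allow(rules, v, api_group, resource))


if __name__ == "__main__":
    verbs = ["get", "list", "watch", "create", "update", "patch", "delete"]
    # Union of both rules for pods in the core API group.
    print(effective_verbs(RULES, "", "pods", verbs))
    # Least-privilege check: nothing outside the listed verbs is granted.
    print(rules_allow(RULES, "list", "", "pods"))
    # Matching is an exact string comparison, so "Pods" is not "pods".
    print(rules_allow(RULES, "get", "", "Pods"))
```

On a live cluster the same question can be asked with `kubectl auth can-i get pods --as=system:serviceaccount:<namespace>:<name>`, where the namespace and name are placeholders for the bound ServiceAccount.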
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | gohm'c |
Solution 2 | Manmohan Mittal |