A cluster role for Kubernetes defines user permissions required to perform operations on a Kubernetes cluster.
You do not need permissions on the cluster to run the script that creates the cluster role, because the kubectl api-resources command can be accessed by any account.
If you want to use a dedicated account to run the script, you can create a cluster role that has read-only permissions.
Procedure
- On the Kubernetes cluster or on the access node for Kubernetes, from the command line, run the command to create a cluster role for Kubernetes:
  script_path [-t token -f output_yaml]
  where:
  - token is the token of an account that has authorization to create the cluster role. The token is applied to the new cluster role.
  - output_yaml is the path of the output YAML file for the cluster role. If you do not specify the path, the script redirects output to stdout.
What to Do Next
If a new api-resource is added to the cluster, you must run the script and apply the most recent YAML file for the cluster role. Otherwise, application discovery fails.
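A drift check for the case described above, as an added example that is not part of the script this page documents: it compares the output of kubectl api-resources -o name with the rules of the applied cluster role (kubectl get clusterrole <role-name> -o json) and lists the resources the role does not cover. The function names, the sample data, and the verbs checked (get, list) are assumptions; the page does not state which verbs the generated role grants.

```python
import json

# Constructed sample of `kubectl api-resources -o name` output.
SAMPLE_API_RESOURCES = """pods
persistentvolumeclaims
deployments.apps
backups.example.com
"""

# Constructed sample of `kubectl get clusterrole <role-name> -o json` output.
SAMPLE_ROLE = json.dumps({"kind": "ClusterRole", "rules": [
    {"apiGroups": [""], "resources": ["pods", "persistentvolumeclaims"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["get", "list"]},
]})


def split_resource(name):
    """'deployments.apps' -> ('deployments', 'apps'); 'pods' -> ('pods', '')."""
    resource, _, group = name.partition(".")
    return resource, group


def covered(rule, resource, group, verb):
    """True if one ClusterRole rule grants verb on resource in group."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return (match(rule.get("apiGroups", []), group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))


def missing_resources(api_resources_text, clusterrole_json, verbs=("get", "list")):
    """Return the api-resources that no rule lets the role access, sorted."""
    rules = json.loads(clusterrole_json).get("rules") or []
    missing = []
    for name in filter(None, map(str.strip, api_resources_text.splitlines())):
        resource, group = split_resource(name)
        # Every requested verb must be granted by at least one rule.
        if not all(any(covered(r, resource, group, v) for r in rules)
                   for v in verbs):
            missing.append(name)
    return sorted(missing)


if __name__ == "__main__":
    # A non-empty result means the applied cluster role is out of date.
    print(missing_resources(SAMPLE_API_RESOURCES, SAMPLE_ROLE))
```

A non-empty result is the signal to run the script again and apply the new YAML file before application discovery runs.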