.. _role:

Roles and Bindings
------------------

`Roles <https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings>`_ define what a
user or service account can perform.   `Role bindings <https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings>`_
associates roles to users or service accounts.

Here is an example of a **role** definition::

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: ecr-login-role
    rules:
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["create", "delete"]
    - apiGroups: [""]
      resources: ["serviceaccounts"]
      verbs: ["get", "patch"]

Example Code::

    from k9.rbac import (
        set_default_namespace,
        create_service_account,
        create_role,
        create_role_binding,
        read_yaml
    )

    set_default_namespace('default')

    role_name = "ecr-login-role"
    binding_name = "ecr-login-binding"

    # create the service account
    result = create_service_account(sa_name)
    sa_name = result.metadata.name

    # create role
    body = read_yaml('ecr-login-role.yml')
    result = create_role(body)

    # create cluster role binding
    result = create_role_binding(binding_name, role_name, sa_name)

.. autofunction:: k9.rbac.list_roles
.. autofunction:: k9.rbac.create_role
.. autofunction:: k9.rbac.delete_role
.. autofunction:: k9.rbac.get_role
.. autofunction:: k9.rbac.role_exists

.. autofunction:: k9.rbac.create_role_binding
.. autofunction:: k9.rbac.get_role_binding
.. autofunction:: k9.rbac.role_binding_exists
.. autofunction:: k9.rbac.delete_role_binding