3 min read

Kubernetes provides various resources like pods, deployments, services, and more, which are stored in the Kubernetes database, ETCD.

– To interact with these resources, we use the Kubernetes API, where each resource type has its own unique endpoint. For example: (To interact with kubernetes resource “pod”)

GET /api/v1/namespaces/{namespace}/pods/{name}

DELETE /api/v1/namespaces/{namespace}/pods

If we closely monitor the above endpoint, we can observe it has two parts

• 1st part (GET) is what action we want to perform and
• 2nd part (/api/v1/namespaces/{namespace}/pods/{name}) is the resource on which we need to perform the action.

Now, let`s see what the kubernetes role/clusterrole object is and how we can identify the the purpose of apiGroups?

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: viewer
rules:
  - apiGroups: ["*"]
    resources: ["deployments", "configmaps", "pods", "secrets", "services"]
    verbs: ["get", "list", "watch"]

In this ClusterRole, the rules block contains three key entries: [I remember it as ARV similar to how we have aws policy with ARE]

• apiGroups: (A) Defines the API group for the resource, representing its endpoint.
• resources: (R) Specifies the resource types for which the actions (verbs) apply.
• verbs: (V) Lists the actions allowed on the specified resources.

If we map this structure back to our API example, it becomes clear how these entries correspond to parts of an API endpoint.

now, if we take our actual resource api path, all these 3 entries are in that API endpoint itself.

GET /api/v1/namespaces/{namespace}/pods/{name} 
---
verbs api_end_point/resource_name

Why Use apiGroups?

In the role kubernetes object the resources needed to be added for target access.

• So, kubernetes removed the base_url from the resource path and added a section named resources to add all the resources and

• added the GET, DELETE in verbs

But, then another problem came.

Not all Kubernetes resources share the same base URL in the API. For example:

• Deployments have an API path like /apis/apps/v1/namespaces/{namespace}/deployments
• Ingresses use /apis/networking.k8s.io/v1/namespaces/{namespace}/ingresses
• Pods use /api/v1/namespaces/{namespace}/pods/{name}

So, here, we can see that different resources have different API end points and base url to communicate with.

That shows that, just having verbs and resources would lead to a potential issue as these resources like deployments and ingress would not be available on the default api base url /api/v1

So, to overcome that limitation of resource unavailable with default api (/api/v1), kubernetes added apiGroup as the 3rd entry inside the rules block and made the default apiGroup as ” ” which represents the resource with base url of /api/v1/

and that is the reason why apiGroup is introduced.

We can find all the kubernetes resources and their API information from here

To further clarify, here is a table of common Kubernetes resources and their corresponding apiGroups and API endpoints:

This list would be handy to write the correct apiGroup to restrict the access to a specific resource rather keeping the apiGroup as “*” which exposes all the apis.

apiGroup	Version	Resources
(empty string) “”	v1 [ This is the default apiGroup, so we keep it blank]	pods, services, configmaps, secrets, namespaces, persistentvolumeclaims, endpoints
apps	v1	deployments, replicasets, statefulsets, daemonsets
batch	v1, v1beta1	jobs, cronjobs
autoscaling	v1	horizontalpodautoscalers
networking.k8s.io	v1	ingresses, networkpolicies
policy	v1	poddisruptionbudgets
rbac.authorization.k8s.io	v1	roles, clusterroles, rolebindings, clusterrolebindings
scheduling.k8s.io	v1	priorityclasses
storage.k8s.io	v1	storageclasses, volumeattachments, csidrivers, csinodes
admissionregistration.k8s.io	v1	mutatingwebhookconfigurations, validatingwebhookconfigurations
apiextensions.k8s.io	v1	customresourcedefinitions
certificates.k8s.io	v1	certificatesigningrequests

To know about different api versions for resources available on kubernetes cluster, we can use these commands

• kubectl api-resources