I am trying to configure Kubernetes RBAC in the least-permissive way possible and I want to scope my roles to specific resources and subresources. I've dug through the doc
I hesitate to even put this as an "Answer", but it is for sure too long for a comment
For the list of resources, are you aware of $HOME/.kube/cache/discovery, wherein the Swagger JSON files are persisted to disk by directory that matches their enclosing apiVersion? This is the fastest link I could find (look in the "Discovering and Using CRDs" heading) but ls -la ~/.kube/cached/discovery will show what I mean. Those Swagger JSON files enumerate all the major players within an apiVersion in a way that I find a lot more accessible than the API reference website.
I don't have those files in front of me to know if they contain subresource definitions, so hopefully someone else can weigh in on that.
The minor asterisk to the "weigh in" part is that, based on the surfing I did of the RBAC docs and the 1.9 API reference, I didn't get the impression that a subresource is "field level access" to its parent resource. For example, v1beta1/Evictions is a Pod subresource of /evictions, which to the best of my knowledge is not a field within PodSpec.
So if you are interested in doing RBAC to constrain a Deployment's image, you may be much happier with Webhook Mode where one can have almost unbounded business logic applied to the attempted request.
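As an added example (not from the question or the answer above), here is a small Python script that reads discovery-cache documents of the kind the answer points at and turns them into tightly scoped RBAC rules. It assumes the cached files are in the APIResourceList format that kubectl stores as serverresources.json (where subresources appear as names containing a slash, e.g. pods/eviction); the two documents below are constructed samples, not a real cluster dump.

```python
import json

# Constructed sample of a kubectl discovery-cache document (assumed
# APIResourceList format, as stored under
# ~/.kube/cache/discovery/<host>/<group>/<version>/serverresources.json).
# Trimmed to a few entries for illustration.
SAMPLE_CORE_V1 = json.dumps({
    "kind": "APIResourceList", "apiVersion": "v1", "groupVersion": "v1",
    "resources": [
        {"name": "pods", "namespaced": True, "kind": "Pod",
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"name": "pods/eviction", "namespaced": True, "kind": "Eviction",
         "group": "policy", "version": "v1", "verbs": ["create"]},
        {"name": "pods/log", "namespaced": True, "kind": "Pod", "verbs": ["get"]},
    ],
})
SAMPLE_APPS_V1 = json.dumps({
    "kind": "APIResourceList", "apiVersion": "v1", "groupVersion": "apps/v1",
    "resources": [
        {"name": "deployments", "namespaced": True, "kind": "Deployment",
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"name": "deployments/scale", "namespaced": True, "kind": "Scale",
         "group": "autoscaling", "version": "v1", "verbs": ["get", "patch", "update"]},
    ],
})

def index_discovery(docs):
    """Map (apiGroup, resource name) -> advertised verbs for every resource and
    subresource (names containing '/') in the given APIResourceList documents."""
    index = {}
    for raw in docs:
        doc = json.loads(raw)
        gv = doc["groupVersion"]
        group = gv.split("/")[0] if "/" in gv else ""   # the core group is ""
        for r in doc["resources"]:
            index[(group, r["name"])] = set(r["verbs"])
    return index

def subresources_of(index, group, resource):
    """Subresource names discovery advertises under a parent resource."""
    prefix = resource + "/"
    return sorted(n for (g, n) in index if g == group and n.startswith(prefix))

def least_privilege_rules(index, wanted):
    """Build RBAC PolicyRule entries from (apiGroup, resource, verbs) requests,
    keeping only verbs the API server advertises for that resource and rejecting
    names discovery does not know (a misspelled resource in a Role grants nothing)."""
    rules = []
    for group, name, verbs in wanted:
        if (group, name) not in index:
            raise ValueError(f"unknown resource {group or 'core'}/{name}")
        allowed = sorted(set(verbs) & index[(group, name)])
        rules.append({"apiGroups": [group], "resources": [name], "verbs": allowed})
    return rules
```

Feeding the real cached files to index_discovery instead of the samples gives a per-cluster answer to whether subresources are listed, and the resulting rules drop into a Role's rules: list unchanged.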