Kubernetes Permissions

CommunityEnterprise

Note

This document covers authorization through RBAC only. If you use another authorization method, contact support if you need assistance.

Using RBAC Authorization

Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization.

For authorization details, see the official Kubernetes RBAC documentation.

Required Plugin Permissions

The Kubernetes Plugin requires a designated user to access the cluster and perform operations. To function properly, the user must be granted a minimum set of permissions. The required verbs for each resource are listed below.

• Cluster Resources:

  • Kubernetes:

    • Cluster Roles: [“list”, “get”, “create”, “update”]

    • Cluster Role Bindings: [“list”, “get”, “create”, “update”]

    • Namespaces: [“list”, “get”, “create”, “update”]

    • Persistent Volume: [“list”, “get”, “create”, “update”]

    • Storage Classes: [“list”, “get”, “create”, “update”]

    • Volume Snapshot Classes: [“list”, “get”, “create”, “update”]

  • KubeVirt:

    • Migration Policies: [“list”, “get”, “create”, “update”]

    • Virtual Machine Cluster Instance Types: [“list”, “get”, “create”, “update”]

    • Virtual Machine Cluster Preferences: [“list”, “get”, “create”, “update”]

Note

If you set the Fileset parameters X_config=0, where X can be cr, crb, vsc, etc., you do not need to create and update permissions on the selected resources.

• Namespaced Resources:

  • Kubernetes:

    • Config Maps: [“list”, “get”, “create”, “update”]

    • Cron Jobs: [“list”, “get”, “create”, “update”]

    • Daemon Sets: [“list”, “get”, “create”, “update”]

    • Deployments: [“list”, “get”, “create”, “update”]

    • Endpoints: [“list”, “get”, “create”, “update”]

    • Horizontal Pod Autoscalers: [“list”, “get”, “create”, “update”]

    • Ingresses: [“list”, “get”, “create”, “update”]

    • Limit Ranges: [“list”, “get”, “create”, “update”]

    • Jobs: [“list”, “get”, “create”, “update”]

    • Network Policies: [“list”, “get”, “create”, “update”]

    • Persistent Volume Claims: [“list”, “get”, “create”, “update”, “delete”]

    • Pods: [“list”, “get”, “create”, “update”, “delete”]

    • Pods Templates: [“list”, “get”, “create”, “update”]

    • Replica Sets: [“list”, “get”, “create”, “update”]

    • Replication Controllers: [“list”, “get”, “create”, “update”]

    • Resource Quotas: [“list”, “get”, “create”, “update”]

    • Roles: [“list”, “get”, “create”, “update”]

    • Role Bindings: [“list”, “get”, “create”, “update”]

    • Secrets: [“list”, “get”, “create”, “update”]

    • Services: [“list”, “get”, “create”, “update”]

    • Service Accounts: [“list”, “get”, “create”, “update”]

    • Stateful Sets: [“list”, “get”, “create”, “update”]

    • Volume Snapshots: [“list”, “get”, “create”, “update”, “delete”]

  • KubeVirt:

    • Data Sources: [“list”, “get”, “create”, “update”]

    • Data Volumes: [“list”, “get”, “create”, “update”]

    • Network Atttachment Definitions: [“list”, “get”, “create”, “update”]

    • Virtual Machines: [“list”, “get”, “create”, “update”]

    • Virtual Machine Instances: [“list”, “get”, “create”, “update”]

To summarize, the plugin requires the verbs list, get, create and update for each resource, except for Persistent Volume Claims and Pods, as it also requires the verb delete.

Automatic Checking Permissions

The plugin includes a query function to check if all required permissions are granted.

For more information, see the section Query Commands.

See also

Previous articles:

• Kubernetes Plugin Installation with Package Manager

Next articles:

• bacula-backup Proxy Pod Image Installation

• Advanced Bacula Backup Proxy Pod Deployment

• Longhorn Snapshot Installation

Go back to: Installation.