Stash with RBAC Enabled Cluster

Stash comes with built-in support for RBAC-enabled clusters. The Stash installer creates a ClusterRole and RoleBinding that grant the operator the permissions it needs.

Operator Permissions

The Stash operator needs the following RBAC permissions:

| API Groups | Resources | Permissions |
| --- | --- | --- |
| apiextensions.k8s.io | customresourcedefinitions | * |
| apiextensions.k8s.io | apiservices | get, patch, delete |
| admissionregistration.k8s.io | mutatingwebhookconfigurations, validatingwebhookconfigurations | get, list, watch, patch, delete |
| stash.appscode.com | * | * |
| appcatalog.appscode.com | * | * |
| apps | daemonsets, deployments, replicasets, statefulsets | get, list, watch, patch |
| batch | jobs, cronjobs | get, list, watch, create, patch, delete |
| "" | namespaces, replicationcontrollers | get, list, watch, patch |
| "" | configmaps | get, list, watch, create, update, delete |
| "" | persistentvolumeclaims | get, list, watch, create, patch |
| "" | services, endpoints | get |
| "" | secrets, events | get, list, create, patch |
| "" | nodes | list |
| "" | pods, pods/exec | get, list, create, delete, deletecollection |
| "" | serviceaccounts | get, create, patch, delete |
| rbac.authorization.k8s.io | clusterroles, roles, rolebindings, clusterrolebindings | get, create, delete, patch |
| apps.openshift.io | deploymentconfigs | get, list, watch, patch |
| policy | podsecuritypolicies | use |
| snapshot.storage.k8s.io | volumesnapshots, volumesnapshotcontents, volumesnapshotclasses | get, list, watch, create, patch, delete |
| storage.k8s.io | storageclasses | get |

Here,

  • "" in the API Groups column means the core API group.
  • * in the Resources column means all resources.
  • * in the Permissions column means all permissions (verbs).

User facing ClusterRoles

Stash introduces custom resources such as BackupConfiguration, BackupBatch, BackupSession, Repository, RestoreSession, RestoreBatch, Function, and Task. The Stash installer creates two user-facing ClusterRoles:

| ClusterRole | Aggregates To | Description |
| --- | --- | --- |
| appscode:stash:edit | admin, edit | Allows edit access to Stash CRDs, intended to be granted within a namespace using a RoleBinding. |
| appscode:stash:view | view | Allows read-only access to Stash CRDs, intended to be granted within a namespace using a RoleBinding. |

These user-facing roles support the ClusterRole aggregation feature available in Kubernetes 1.9 or later clusters.
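As an added example (not the Stash installer's own manifests), the following shows how aggregation and a namespace-scoped grant fit together: the ClusterRole carries the aggregate-to-view label so Kubernetes merges its rules into the built-in view role, and a RoleBinding grants it in a single namespace. The rule list is abbreviated, the plural resource names are assumed from the CRD kinds listed above, and the namespace and group names are placeholders.

```yaml
# Illustrative manifests; assumed shape, not copied from the Stash installer.
# 1) A user-facing ClusterRole that opts into aggregation. The label below
#    tells Kubernetes (1.9+) to fold these rules into the built-in "view"
#    ClusterRole, so anyone who already has "view" also gets read access
#    to Stash objects. Resource names are assumed plurals of the Stash CRDs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: appscode:stash:view
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups: ["stash.appscode.com"]
    resources:
      - backupconfigurations
      - backupsessions
      - repositories
      - restoresessions
    verbs: ["get", "list", "watch"]
---
# 2) Granting that ClusterRole inside ONE namespace. Because this is a
#    RoleBinding (not a ClusterRoleBinding), the "dev-team" group can read
#    Stash objects only in the "demo" namespace; the ClusterRole itself
#    never becomes cluster-wide for them. Namespace and group are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: stash-viewers
  namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: appscode:stash:view
subjects:
  - kind: Group
    name: dev-team
    apiGroup: rbac.authorization.k8s.io
```

To check the scope of the grant, `kubectl auth can-i list backupconfigurations.stash.appscode.com -n demo --as=alice --as-group=dev-team` should answer yes, while the same query against another namespace should answer no.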