Stash with RBAC Enabled Cluster

Stash comes with built-in support for RBAC-enabled clusters. The Stash installer creates a ClusterRole and RoleBinding that grant the operator the permissions it needs.

Operator Permissions

The Stash operator needs the following RBAC permissions:

| API Groups | Resources | Permissions |
|---|---|---|
| apiextensions.k8s.io | customresourcedefinitions | * |
| apiregistration.k8s.io | apiservices | get, patch, delete |
| admissionregistration.k8s.io | mutatingwebhookconfigurations, validatingwebhookconfigurations | get, list, watch, patch, delete |
| stash.appscode.com | * | * |
| repositories.stash.appscode.com | * | * |
| apps | daemonsets, deployments, replicasets, statefulsets | get, list, watch, patch |
| batch | jobs, cronjobs | get, list, watch, create, patch, delete |
| "" | namespaces, replicationcontrollers | get, list, watch, patch |
| "" | configmaps | get, list, watch, create, update, delete |
| "" | persistentvolumeclaims | get, list, watch, create, patch |
| "" | services, endpoints | get |
| "" | secrets, events | get, list, create, patch |
| "" | nodes | list |
| "" | pods, pods/exec | get, list, create, delete, deletecollection |
| "" | serviceaccounts | get, create, patch, delete |
| rbac.authorization.k8s.io | clusterroles, roles, rolebindings, clusterrolebindings | get, create, delete, patch |
| apps.openshift.io | deploymentconfigs | get, list, watch, patch |
| policy | podsecuritypolicies | use |
| snapshot.storage.k8s.io | volumesnapshots, volumesnapshotcontents, volumesnapshotclasses | get, list, watch, create, patch, delete |
| storage.k8s.io | storageclasses | get |


  • "" in API Group column means core API groups.
  • * in Resources colum means all resources.
  • * in Permission colum means all permissions.
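Because RBAC is purely additive, the practical question when reviewing this ClusterRole is "which of these grants would matter most if the operator's ServiceAccount were compromised?". The following is an added example, not part of the Stash project or this page: it encodes a hand-copied subset of the table above as rule objects in the shape `kubectl get clusterrole -o json` returns, answers "can the operator do X?" with Kubernetes' wildcard matching semantics, and flags the wildcard and high-impact grants (Secrets, pods/exec, RBAC objects). The API group strings (apiextensions.k8s.io, rbac.authorization.k8s.io, and stash.appscode.com as the Stash CRD group) are assumptions of the example.

```python
# Subset of the operator rules from the table above (constructed; load the
# real object with `kubectl get clusterrole <stash-role> -o json` and pass obj["rules"]).
OPERATOR_RULES = [
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": ["*"]},
    {"apiGroups": ["stash.appscode.com"], "resources": ["*"], "verbs": ["*"]},  # assumed Stash CRD group
    {"apiGroups": [""], "resources": ["secrets", "events"], "verbs": ["get", "list", "create", "patch"]},
    {"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["get", "list", "create", "delete", "deletecollection"]},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["clusterroles", "roles", "rolebindings", "clusterrolebindings"],
     "verbs": ["get", "create", "delete", "patch"]},
    {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"], "verbs": ["use"]},
]

# Grants that deserve a second look in review, with the reason to record.
HIGH_IMPACT = {
    ("", "secrets"): "reads every Secret in the cluster, not only backup credentials",
    ("", "pods/exec"): "can execute commands inside running pods",
    ("rbac.authorization.k8s.io", "clusterroles"): "can create cluster-wide roles",
    ("rbac.authorization.k8s.io", "clusterrolebindings"): "can bind cluster-wide roles (escalation path)",
}


def _match(pattern, value):
    # Kubernetes RBAC: "*" matches anything, everything else is an exact match.
    return pattern == "*" or pattern == value


def allows(rules, group, resource, verb):
    """True if any rule grants `verb` on `group`/`resource` (RBAC is additive, deny does not exist)."""
    return any(
        any(_match(g, group) for g in r["apiGroups"])
        and any(_match(res, resource) for res in r["resources"])
        and any(_match(v, verb) for v in r["verbs"])
        for r in rules
    )


def audit(rules):
    """Return (apiGroup, resource, reason) triples for wildcard and high-impact grants."""
    findings = []
    for r in rules:
        for group in r["apiGroups"]:
            for res in r["resources"]:
                if res == "*" or "*" in r["verbs"]:
                    findings.append((group, res, "wildcard grant: " + ", ".join(r["verbs"])))
                elif (group, res) in HIGH_IMPACT:
                    findings.append((group, res, HIGH_IMPACT[(group, res)]))
    return findings


if __name__ == "__main__":
    for group, res, why in audit(OPERATOR_RULES):
        print(f'{group or "core"}/{res}: {why}')
    print("operator may delete secrets:", allows(OPERATOR_RULES, "", "secrets", "delete"))
```

Run it against the live ClusterRole after installation to confirm the installed rules match the documented table and to record the accepted high-impact grants in your review.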

User facing ClusterRoles

Stash introduces custom resources such as BackupConfiguration, BackupBatch, BackupSession, Repository, RestoreSession, RestoreBatch, Function, and Task. The Stash installer creates two user-facing ClusterRoles:

| ClusterRole | Aggregates To | Description |
|---|---|---|
| appscode:stash:edit | admin, edit | Allows edit access to Stash CRDs, intended to be granted within a namespace using a RoleBinding. |
| appscode:stash:view | view | Allows read-only access to Stash CRDs, intended to be granted within a namespace using a RoleBinding. |

These user-facing roles use the ClusterRole aggregation feature, available in Kubernetes 1.9 or later: their rules are merged into the built-in admin, edit, and view ClusterRoles, so subjects already bound to those roles gain the corresponding access to Stash CRDs automatically.