# Stash with RBAC Enabled Cluster

Stash comes with built-in support for RBAC enabled clusters. The Stash installer creates a ClusterRole with the permissions listed below and binds it to the operator's ServiceAccount. Because several of these permissions target cluster-scoped resources (CustomResourceDefinitions, nodes, StorageClasses, ClusterRoles), the binding has to be a ClusterRoleBinding: a namespaced RoleBinding to the same ClusterRole would only grant the namespaced permissions, and only within that one namespace.
## Operator Permissions

The Stash operator needs the following RBAC permissions:
| API Group | Resources | Permissions |
|---|---|---|
| apiextensions.k8s.io | customresourcedefinitions | * |
| apiregistration.k8s.io | apiservices | get, patch, delete |
| admissionregistration.k8s.io | mutatingwebhookconfigurations, validatingwebhookconfigurations | get, list, watch, patch, delete |
| stash.appscode.com | * | * |
| appcatalog.appscode.com | * | * |
| apps | daemonsets, deployments, replicasets, statefulsets | get, list, watch, patch |
| batch | jobs, cronjobs | get, list, watch, create, patch, delete |
| "" | namespaces, replicationcontrollers | get, list, watch, patch |
| "" | configmaps | get, list, watch, create, update, delete |
| "" | persistentvolumeclaims | get, list, watch, create, patch |
| "" | services, endpoints | get |
| "" | secrets, events | get, list, create, patch |
| "" | nodes | list |
| "" | pods, pods/exec | get, list, create, delete, deletecollection |
| "" | serviceaccounts | get, create, patch, delete |
| rbac.authorization.k8s.io | clusterroles, roles, rolebindings, clusterrolebindings | get, create, delete, patch |
| apps.openshift.io | deploymentconfigs | get, list, watch, patch |
| policy | podsecuritypolicies | use |
| snapshot.storage.k8s.io | volumesnapshots, volumesnapshotcontents, volumesnapshotclasses | get, list, watch, create, patch, delete |
| storage.k8s.io | storageclasses | get |
Here, `""` in the API Group column means the core API group, `*` in the Resources column means all resources, and `*` in the Permissions column means all verbs. (APIService objects belong to the `apiregistration.k8s.io` group, not `apiextensions.k8s.io`; the table above uses the correct group.)

Two rows deserve attention when reviewing this role: `secrets` with `get, list` and `pods/exec` with `create`, both granted cluster-wide by the ClusterRoleBinding. Together they let the operator read every Secret and exec into any Pod in the cluster, so the operator's ServiceAccount token is a high-value credential, and anything that can read that token or impersonate the operator inherits the same reach. After upgrades, compare the installed ClusterRole against this table so that additional verbs do not creep in unnoticed.
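The comparison just mentioned can be automated. The following script is an added example (not code from Stash or its documentation): it takes the JSON that `kubectl get clusterrole <name> -o json` prints, with the permission table above transcribed as the documented minimum, and reports every (apiGroup, resource, verb) the installed role grants that the table does not. The ClusterRole embedded below is a constructed sample, padded with a few extra verbs so the audit has something to find; the `stash-operator` name and the function names are illustrative.

```python
"""Least-privilege audit of an installed Stash operator ClusterRole.

Added example, not code from Stash or its documentation. Given the JSON that
`kubectl get clusterrole <name> -o json` prints, it lists every
(apiGroup, resource, verb) the role grants that the permission table above
does not document, so privilege creep after an upgrade or a hand edit shows
up. The ClusterRole below is a constructed sample; stdlib only.
"""
import json

# The documented minimum, transcribed from the table above. "" is the core
# API group and "*" matches anything. APIService objects live in the
# apiregistration.k8s.io group, so that is the group used for that row.
DOCUMENTED_RULES = [
    ("apiextensions.k8s.io", "customresourcedefinitions", "*"),
    ("apiregistration.k8s.io", "apiservices", "get,patch,delete"),
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations,validatingwebhookconfigurations", "get,list,watch,patch,delete"),
    ("stash.appscode.com", "*", "*"),
    ("appcatalog.appscode.com", "*", "*"),
    ("apps", "daemonsets,deployments,replicasets,statefulsets", "get,list,watch,patch"),
    ("batch", "jobs,cronjobs", "get,list,watch,create,patch,delete"),
    ("", "namespaces,replicationcontrollers", "get,list,watch,patch"),
    ("", "configmaps", "get,list,watch,create,update,delete"),
    ("", "persistentvolumeclaims", "get,list,watch,create,patch"),
    ("", "services,endpoints", "get"),
    ("", "secrets,events", "get,list,create,patch"),
    ("", "nodes", "list"),
    ("", "pods,pods/exec", "get,list,create,delete,deletecollection"),
    ("", "serviceaccounts", "get,create,patch,delete"),
    ("rbac.authorization.k8s.io", "clusterroles,roles,rolebindings,clusterrolebindings", "get,create,delete,patch"),
    ("apps.openshift.io", "deploymentconfigs", "get,list,watch,patch"),
    ("policy", "podsecuritypolicies", "use"),
    ("snapshot.storage.k8s.io", "volumesnapshots,volumesnapshotcontents,volumesnapshotclasses", "get,list,watch,create,patch,delete"),
    ("storage.k8s.io", "storageclasses", "get"),
]

# Constructed sample in the shape `kubectl get clusterrole -o json` returns,
# with two rows padded beyond the table (delete on secrets/events, and
# bind/escalate on clusterrolebindings) to give the audit something to find.
SAMPLE_CLUSTERROLE = json.loads("""{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "stash-operator"},
  "rules": [
    {"apiGroups": ["stash.appscode.com"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"],
     "verbs": ["get", "list", "watch", "create", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["secrets", "events"],
     "verbs": ["get", "list", "create", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["pods", "pods/exec"],
     "verbs": ["get", "list", "create", "delete", "deletecollection"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterrolebindings"],
     "verbs": ["get", "create", "delete", "patch", "bind", "escalate"]}
  ]
}""")


def permitted(documented, group, resource, verb):
    """True if some documented row covers this (group, resource, verb)."""
    for doc_group, doc_resources, doc_verbs in documented:
        if doc_group != "*" and doc_group != group:
            continue
        if doc_resources != "*" and resource not in doc_resources.split(","):
            continue
        if doc_verbs != "*" and verb not in doc_verbs.split(","):
            continue
        return True
    return False


def excess_grants(clusterrole, documented=DOCUMENTED_RULES):
    """Sorted (group, resource, verb) triples the role grants beyond the table.

    A "*" in the installed role is matched literally, so it is reported unless
    the table also has "*" in that position: "*" verbs on secrets is exactly
    the kind of creep this check exists to catch.
    """
    found = set()
    for rule in clusterrole.get("rules", []):
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    if not permitted(documented, group, resource, verb):
                        found.add((group, resource, verb))
    return sorted(found)


if __name__ == "__main__":
    for group, resource, verb in excess_grants(SAMPLE_CLUSTERROLE):
        print(f"undocumented grant: {group or 'core'} {resource} {verb}")
```

Against the sample the audit flags `delete` on `secrets` and `events` and the `bind` and `escalate` verbs on `clusterrolebindings`; the last two are the ones that would let a compromised operator hand out roles it does not itself hold, which is why they are worth a dedicated check rather than a glance at the YAML. Feed it the real object with `kubectl get clusterrole <name> -o json` in place of the embedded sample.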
## User facing ClusterRoles

Stash introduces custom resources such as BackupConfiguration, BackupBatch, BackupSession, Repository, RestoreSession, RestoreBatch, Function and Task. The Stash installer creates two user-facing ClusterRoles for working with them:

| ClusterRole | Aggregates To | Description |
|---|---|---|
| appscode:stash:edit | admin, edit | Allows edit access to Stash CRDs, intended to be granted within a namespace using a RoleBinding. |
| appscode:stash:view | view | Allows read-only access to Stash CRDs, intended to be granted within a namespace using a RoleBinding. |

These user-facing roles use the ClusterRole aggregation feature available in Kubernetes 1.9 or later: their rules are folded into the built-in `admin`, `edit` and `view` ClusterRoles, so a user who already holds one of those roles in a namespace gets the corresponding Stash access there without an extra binding. Binding either role through a namespaced RoleBinding limits it to that namespace; binding it with a ClusterRoleBinding would grant it across all namespaces.
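To make the aggregation and the namespace scoping concrete, the following script is an added example (not code from Stash or Kubernetes). It models two things the control plane does: the aggregation controller folding the rules of every ClusterRole whose labels match an `aggregationRule` selector into the aggregating role, and the RBAC authorizer consulting a RoleBinding only for requests in that binding's namespace even when its `roleRef` is a ClusterRole. All manifests are constructed samples: the resource lists and verbs on the two Stash roles are illustrative rather than copied from the chart, the users `alice` and `bob` and the namespaces `demo` and `prod` are made up, and the label keys are the standard `rbac.authorization.k8s.io/aggregate-to-{admin,edit,view}` ones the built-in roles select on.

```python
"""Resolve ClusterRole aggregation and evaluate a namespaced RoleBinding.

Added example, not code from Stash or Kubernetes. Models the aggregation
controller (rules of label-matched ClusterRoles folded into the aggregating
role) and the authorizer's namespace check on RoleBindings. All manifests
below are constructed samples; label keys follow the standard
rbac.authorization.k8s.io/aggregate-to-{admin,edit,view} convention.
"""

AGG = "rbac.authorization.k8s.io/aggregate-to-"
STASH = "stash.appscode.com"
STASH_KINDS = ["backupconfigurations", "backupsessions", "repositories", "restoresessions"]

SAMPLE_CLUSTERROLES = [
    # Built-in aggregating roles; their stored rules are controller-managed.
    {"metadata": {"name": "edit", "labels": {AGG + "admin": "true"}},
     "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG + "edit": "true"}}]},
     "rules": []},
    {"metadata": {"name": "view"},
     "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG + "view": "true"}}]},
     "rules": []},
    # Stash user-facing roles, labelled so they aggregate as the table says.
    {"metadata": {"name": "appscode:stash:edit", "labels": {AGG + "admin": "true", AGG + "edit": "true"}},
     "rules": [{"apiGroups": [STASH], "resources": STASH_KINDS,
                "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]}]},
    {"metadata": {"name": "appscode:stash:view", "labels": {AGG + "view": "true"}},
     "rules": [{"apiGroups": [STASH], "resources": STASH_KINDS, "verbs": ["get", "list", "watch"]}]},
]

# Constructed bindings: alice administers "demo" through the built-in edit
# role; bob gets read-only Stash access in "demo" via appscode:stash:view.
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "alice-edit", "namespace": "demo"},
     "subjects": [{"kind": "User", "name": "alice"}],
     "roleRef": {"kind": "ClusterRole", "name": "edit"}},
    {"kind": "RoleBinding", "metadata": {"name": "bob-stash-view", "namespace": "demo"},
     "subjects": [{"kind": "User", "name": "bob"}],
     "roleRef": {"kind": "ClusterRole", "name": "appscode:stash:view"}},
]


def selector_matches(selector, labels):
    """matchLabels-only selector, the form the built-in aggregating roles use."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def aggregate(clusterroles):
    """Return {name: effective rules}. A role with an aggregationRule gets the
    union of the rules of every other role matching one of its selectors (its
    own stored rules are replaced); other roles keep their rules unchanged."""
    resolved = {}
    for cr in clusterroles:
        agg = cr.get("aggregationRule")
        if not agg:
            resolved[cr["metadata"]["name"]] = list(cr.get("rules", []))
            continue
        rules = []
        for other in clusterroles:
            labels = other["metadata"].get("labels", {})
            if other is not cr and any(selector_matches(s, labels)
                                       for s in agg.get("clusterRoleSelectors", [])):
                rules.extend(other.get("rules", []))
        resolved[cr["metadata"]["name"]] = rules
    return resolved


def rules_allow(rules, group, resource, verb):
    """Standard RBAC rule matching; "*" is the wildcard in each list."""
    return any(
        (group in r.get("apiGroups", []) or "*" in r.get("apiGroups", []))
        and (resource in r.get("resources", []) or "*" in r.get("resources", []))
        and (verb in r.get("verbs", []) or "*" in r.get("verbs", []))
        for r in rules)


def can(user, namespace, group, resource, verb,
        bindings=SAMPLE_BINDINGS, clusterroles=SAMPLE_CLUSTERROLES):
    """Would the authorizer let `user` `verb` `resource` in `namespace`?
    Only bindings whose roleRef is a ClusterRole are modelled, which is the
    case the Stash user-facing roles are designed for."""
    resolved = aggregate(clusterroles)
    for b in bindings:
        # A RoleBinding applies to its own namespace only; a ClusterRoleBinding to all.
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue
        if not any(s.get("kind") == "User" and s.get("name") == user for s in b.get("subjects", [])):
            continue
        if b["roleRef"]["kind"] == "ClusterRole" and \
                rules_allow(resolved.get(b["roleRef"]["name"], []), group, resource, verb):
            return True
    return False


if __name__ == "__main__":
    for user, ns, verb in [("alice", "demo", "create"), ("alice", "prod", "create"),
                           ("bob", "demo", "list"), ("bob", "demo", "delete")]:
        print(f"{user} {verb} backupconfigurations in {ns}: {can(user, ns, STASH, 'backupconfigurations', verb)}")
```

Running it shows alice creating BackupConfigurations in `demo` purely through her binding to the built-in `edit` role (the Stash rules arrived by aggregation), the same request denied in `prod` because her RoleBinding lives in `demo`, and bob able to list but not delete. One simplification to keep in mind: the real controller rewrites the stored rules of aggregating roles, so chained aggregation (`admin` picking up `edit`, which already carries the Stash rules) works in a cluster; this single-pass model does not chain, so `admin` is deliberately left out of the sample. On a live cluster the equivalent check is `kubectl auth can-i create backupconfigurations.stash.appscode.com -n demo --as alice`.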