Stash with RBAC Enabled Cluster

Stash comes with built-in support for RBAC-enabled clusters. The Stash installer creates a ClusterRole with the permissions listed below and binds it to the operator's ServiceAccount with a ClusterRoleBinding; a namespaced RoleBinding would not be enough, because the role covers cluster-scoped resources such as namespaces, nodes and CustomResourceDefinitions.

Operator Permissions

The Stash operator needs the following RBAC permissions:

| API Groups | Resources | Permissions |
|---|---|---|
| apiextensions.k8s.io | customresourcedefinitions | * |
| apiregistration.k8s.io | apiservices | get, patch, delete |
| admissionregistration.k8s.io | mutatingwebhookconfigurations, validatingwebhookconfigurations | get, list, watch, patch, delete |
| stash.appscode.com | * | * |
| appcatalog.appscode.com | * | * |
| apps | daemonsets, deployments, replicasets, statefulsets | get, list, watch, patch |
| batch | jobs, cronjobs | get, list, watch, create, patch, delete |
| "" | namespaces, replicationcontrollers | get, list, watch, patch |
| "" | configmaps | get, list, watch, create, update, delete |
| "" | persistentvolumeclaims | get, list, watch, create, patch |
| "" | services, endpoints | get |
| "" | secrets, events | get, list, create, patch |
| "" | nodes | list |
| "" | pods, pods/exec | get, list, create, delete, deletecollection |
| "" | serviceaccounts | get, create, patch, delete |
| rbac.authorization.k8s.io | clusterroles, roles, rolebindings, clusterrolebindings | get, create, delete, patch |
| apps.openshift.io | deploymentconfigs | get, list, watch, patch |
| policy | podsecuritypolicies | use |
| snapshot.storage.k8s.io | volumesnapshots, volumesnapshotcontents, volumesnapshotclasses | get, list, watch, create, patch, delete |
| storage.k8s.io | storageclasses | get |

Here,

  • "" in the API Groups column means the core API group.
  • * in the Resources column means all resources.
  • * in the Permissions column means all permissions.

Note that this role can get and list Secrets and create pods/exec in every namespace, and can create ClusterRoleBindings. The operator's ServiceAccount token is therefore a cluster-wide credential: protect the operator's pod and namespace as you would a cluster-admin workload, and audit the installed ClusterRole for drift away from this table.
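The following script is an added example and not part of Stash; it audits an installed operator ClusterRole against the table above. It takes the JSON that `kubectl get clusterrole <name> -o json` prints and reports both required (apiGroup, resource, verb) triples that no rule grants and granted triples the table does not call for. The ClusterRole name `stash-operator` and the sample role (the table's permissions with one verb dropped from pods/pods/exec and secrets/events widened to every verb) are constructed for the demonstration, not taken from a real cluster.

```python
"""Audit a Stash operator ClusterRole against the permission table above.

Added example, not part of Stash. Input is the JSON `kubectl get clusterrole
<name> -o json` prints; the sample below is a constructed stand-in and the
ClusterRole name "stash-operator" is an assumption.
"""
import json

# The table from this page as (apiGroup, resources, verbs); "" is the core group.
REQUIRED_TABLE = [
    ("apiextensions.k8s.io", "customresourcedefinitions", "*"),
    ("apiregistration.k8s.io", "apiservices", "get patch delete"),
    ("admissionregistration.k8s.io",
     "mutatingwebhookconfigurations validatingwebhookconfigurations",
     "get list watch patch delete"),
    ("stash.appscode.com", "*", "*"),
    ("appcatalog.appscode.com", "*", "*"),
    ("apps", "daemonsets deployments replicasets statefulsets", "get list watch patch"),
    ("batch", "jobs cronjobs", "get list watch create patch delete"),
    ("", "namespaces replicationcontrollers", "get list watch patch"),
    ("", "configmaps", "get list watch create update delete"),
    ("", "persistentvolumeclaims", "get list watch create patch"),
    ("", "services endpoints", "get"),
    ("", "secrets events", "get list create patch"),
    ("", "nodes", "list"),
    ("", "pods pods/exec", "get list create delete deletecollection"),
    ("", "serviceaccounts", "get create patch delete"),
    ("rbac.authorization.k8s.io",
     "clusterroles roles rolebindings clusterrolebindings", "get create delete patch"),
    ("apps.openshift.io", "deploymentconfigs", "get list watch patch"),
    ("policy", "podsecuritypolicies", "use"),
    ("snapshot.storage.k8s.io",
     "volumesnapshots volumesnapshotcontents volumesnapshotclasses",
     "get list watch create patch delete"),
    ("storage.k8s.io", "storageclasses", "get"),
]


def expand(table):
    """Flatten the table into (apiGroup, resource, verb) triples; '*' stays literal."""
    return {(g, r, v) for g, rs, vs in table for r in rs.split() for v in vs.split()}


REQUIRED = expand(REQUIRED_TABLE)


def clusterrole_from_table(name="stash-operator"):
    """A ClusterRole manifest granting exactly the table (name is assumed)."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": name},
            "rules": [{"apiGroups": [g], "resources": r.split(), "verbs": v.split()}
                      for g, r, v in REQUIRED_TABLE]}


def _grants(rule, group, resource, verb):
    """Does one rule cover the triple? A required '*' is only met by a literal '*'
    in the rule, because no finite list of names means 'everything'."""
    def ok(wanted, have):
        return "*" in have if wanted == "*" else (wanted in have or "*" in have)
    return (ok(group, rule.get("apiGroups", [])) and ok(resource, rule.get("resources", []))
            and ok(verb, rule.get("verbs", [])))


def missing(role):
    """Required triples that no rule in the role grants."""
    rules = role.get("rules", [])
    return sorted(t for t in REQUIRED if not any(_grants(r, *t) for r in rules))


def excess(role):
    """Granted triples the table does not call for. A '*' in the role is reported
    literally when the table has no '*' that covers it."""
    out = set()
    for rule in role.get("rules", []):
        if "nonResourceURLs" in rule:   # not something the table describes
            continue
        for g in rule.get("apiGroups", []):
            for r in rule.get("resources", []):
                for v in rule.get("verbs", []):
                    if not any(G == g and R in (r, "*") and V in (v, "*")
                               for G, R, V in REQUIRED):
                        out.add((g, r, v))
    return sorted(out)


def audit(clusterrole_json):
    """Audit the JSON that `kubectl get clusterrole <name> -o json` prints."""
    role = json.loads(clusterrole_json)
    return {"missing": missing(role), "excess": excess(role)}


# Constructed sample: the table's role with "delete" dropped from pods/pods/exec and
# secrets/events widened to every verb, the kind of drift an audit should catch.
SAMPLE = clusterrole_from_table()
next(r for r in SAMPLE["rules"] if "pods/exec" in r["resources"])["verbs"].remove("delete")
next(r for r in SAMPLE["rules"] if "secrets" in r["resources"])["verbs"] = ["*"]
SAMPLE_JSON = json.dumps(SAMPLE)

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_JSON), indent=2))
```

Against a live cluster, feed it the real object (`kubectl get clusterrole <name> -o json | python3 audit.py`-style, reading stdin instead of `SAMPLE_JSON`); an empty `excess` list means the operator holds nothing beyond what this page documents.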

User facing ClusterRoles

Stash introduces custom resources such as BackupConfiguration, BackupBatch, BackupSession, Repository, RestoreSession, RestoreBatch, Function and Task. The Stash installer creates two user-facing ClusterRoles:

| ClusterRole | Aggregates To | Description |
|---|---|---|
| appscode:stash:edit | admin, edit | Allows edit access to Stash CRDs, intended to be granted within a namespace using a RoleBinding. |
| appscode:stash:view | view | Allows read-only access to Stash CRDs, intended to be granted within a namespace using a RoleBinding. |

These user-facing roles use the ClusterRole aggregation feature of Kubernetes 1.9 and later: the built-in admin, edit and view ClusterRoles carry an aggregationRule, and the controller manager merges into them the rules of every ClusterRole whose labels match it. In practice this means that a subject who already holds edit or admin in a namespace gains full access to Stash resources there as soon as Stash is installed, and a subject with view gains read access, without any Stash-specific binding. Bind appscode:stash:edit or appscode:stash:view directly, with a RoleBinding in the target namespace, only for subjects who do not hold those built-in roles.
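The following simulation is an added example, not code from Stash or Kubernetes; it models the two mechanisms described above (aggregation of labelled ClusterRoles into the built-in admin/edit/view roles, then a namespaced RoleBinding) and answers "can this user do this verb on this resource in this namespace?" in the way the RBAC authorizer does. It assumes the Stash roles carry the standard `rbac.authorization.k8s.io/aggregate-to-<role>: "true"` labels (consistent with the "Aggregates To" column); the CRD plural names, the `system:aggregate-to-edit` stand-in, the users and the namespaces are constructed.

```python
"""Simulate how the user-facing Stash ClusterRoles reach a user: aggregation into the
built-in admin/edit/view roles, then a RoleBinding scoped to one namespace.

Added example, not Stash's or Kubernetes' code. Assumed: the aggregate-to-* labels
on the Stash roles, the CRD plural names, and all users/namespaces below.
"""

AGG = "rbac.authorization.k8s.io/aggregate-to-{}"
STASH_RESOURCES = ["backupconfigurations", "backupsessions", "repositories",
                   "restoresessions"]   # assumed plural forms of the CRDs


def rule(group, resources, verbs):
    return {"apiGroups": [group], "resources": resources, "verbs": verbs.split()}


def contributor(name, aggregates_to, rules):
    """A ClusterRole labelled so that the named built-in roles absorb its rules."""
    return {"kind": "ClusterRole",
            "metadata": {"name": name,
                         "labels": {AGG.format(a): "true" for a in aggregates_to}},
            "rules": rules}


def aggregating(name):
    """A built-in role such as edit: its rules come only from matching contributors."""
    return {"kind": "ClusterRole", "metadata": {"name": name},
            "aggregationRule": {"clusterRoleSelectors": [
                {"matchLabels": {AGG.format(name): "true"}}]},
            "rules": []}


ROLES = [
    aggregating("admin"), aggregating("edit"), aggregating("view"),
    # constructed stand-in for the default rules Kubernetes feeds into edit/admin
    contributor("system:aggregate-to-edit", ["admin", "edit"],
                [rule("", ["pods"], "get list watch create delete")]),
    # the two user-facing roles from the table
    contributor("appscode:stash:edit", ["admin", "edit"],
                [rule("stash.appscode.com", STASH_RESOURCES,
                      "get list watch create update patch delete deletecollection")]),
    contributor("appscode:stash:view", ["view"],
                [rule("stash.appscode.com", STASH_RESOURCES, "get list watch")]),
]


def aggregate(roles):
    """What the controller manager does: an aggregating role's rules are replaced by
    the union of the rules of every ClusterRole whose labels match a selector."""
    rules_by_name = {}
    for role in roles:
        agg = role.get("aggregationRule")
        if agg is None:
            rules_by_name[role["metadata"]["name"]] = list(role["rules"])
            continue
        merged = []
        for sel in agg["clusterRoleSelectors"]:
            for other in roles:
                labels = other["metadata"].get("labels", {})
                if all(labels.get(k) == v for k, v in sel["matchLabels"].items()):
                    merged.extend(other["rules"])
        rules_by_name[role["metadata"]["name"]] = merged
    return rules_by_name


def role_binding(namespace, user, cluster_role):
    """RoleBinding: grants a ClusterRole's rules inside one namespace only."""
    return {"kind": "RoleBinding", "metadata": {"namespace": namespace},
            "subjects": [{"kind": "User", "name": user}],
            "roleRef": {"kind": "ClusterRole", "name": cluster_role}}


BINDINGS = [
    role_binding("dev", "alice", "edit"),               # built-in edit, now incl. Stash
    role_binding("dev", "bob", "appscode:stash:view"),  # Stash view role bound directly
]


def _matches(r, group, resource, verb):
    return ((group in r["apiGroups"] or "*" in r["apiGroups"])
            and (resource in r["resources"] or "*" in r["resources"])
            and (verb in r["verbs"] or "*" in r["verbs"]))


def can(user, verb, group, resource, namespace, roles=ROLES, bindings=BINDINGS):
    """RBAC decision for a namespaced request: deny unless a binding in that
    namespace names the user and references a role with a matching rule."""
    rules_by_name = aggregate(roles)
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:
            continue
        if not any(s["kind"] == "User" and s["name"] == user for s in b["subjects"]):
            continue
        if any(_matches(r, group, resource, verb)
               for r in rules_by_name[b["roleRef"]["name"]]):
            return True
    return False


if __name__ == "__main__":
    for args in [("alice", "create", "stash.appscode.com", "backupconfigurations", "dev"),
                 ("alice", "create", "stash.appscode.com", "backupconfigurations", "prod"),
                 ("bob", "get", "stash.appscode.com", "backupconfigurations", "dev"),
                 ("bob", "delete", "stash.appscode.com", "backupconfigurations", "dev")]:
        print(args, "->", can(*args))
```

alice never received a Stash-specific binding, yet she can create BackupConfigurations in dev because appscode:stash:edit was aggregated into the built-in edit role; the same request in prod is denied because her RoleBinding lives in dev. When reviewing who can back up (and therefore read) a namespace's data, count every holder of edit and admin there, not only subjects bound to the Stash roles by name.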