KubeStash with RBAC Enabled Cluster

KubeStash comes with built-in support for RBAC enabled clusters. The KubeStash installer creates a ClusterRole and ClusterRoleBinding that grant the operator the permissions it needs.

Operator Permissions

The KubeStash operator needs the following RBAC permissions:

| API Groups | Resources | Permissions |
|---|---|---|
| apiextensions.k8s.io | customresourcedefinitions | get, create, patch, update |
| admissionregistration.k8s.io | mutatingwebhookconfigurations, validatingwebhookconfigurations | * |
| core.kubestash.com | * | * |
| storage.kubestash.com | * | * |
| config.kubestash.com | * | * |
| addons.kubestash.com | * | * |
| kubedb.com | * | * |
| catalog.kubedb.com | elasticsearchs | get, list, watch |
| elasticsearch.kubedb.com | elasticsearchdashboards | list |
| appcatalog.appscode.com | * | get, list, watch |
| apps | daemonsets, replicasets, statefulsets | get, list, watch |
| apps | deployments | get, list, watch, create, patch, update |
| batch | jobs, cronjobs | get, list, watch, create, patch, update, delete |
| "" | events | create |
| "" | persistentvolumeclaims, persistentvolumes | get, list, watch, create, patch, delete, update |
| "" | services, endpoints, pods | get, list, watch |
| "" | secrets | get, list, create, patch, watch, delete |
| "" | nodes, namespaces | get, list, watch |
| "" | pods/exec | create |
| "" | serviceaccounts | get, list, watch, create, delete, patch, update |
| rbac.authorization.k8s.io | clusterroles, roles, rolebindings, clusterrolebindings | get, list, watch, create, delete, patch, update |
| apps.openshift.io | deploymentconfigs | get, list, watch, patch |
| policy | podsecuritypolicies | use |
| snapshot.storage.k8s.io | * | * |
| storage.k8s.io | storageclasses | get, list, watch |

Here,

  • "" in the API Groups column means the core API group.
  • * in the Resources column means all resources.
  • * in the Permissions column means all permissions (verbs).

User facing ClusterRoles

KubeStash introduces custom resources such as BackupConfiguration, BackupSession, BackupStorage, RestoreSession, Function, and Addon. The KubeStash installer creates two user-facing ClusterRoles:

| ClusterRole | Aggregates To | Description |
|---|---|---|
| appscode:kubestash-kubestash-operator:edit | admin, edit | Allows edit access to KubeStash CRDs. |
| appscode:kubestash-kubestash-operator:view | view | Allows read-only access to KubeStash CRDs. |

These user-facing roles rely on the ClusterRole aggregation feature, available in Kubernetes 1.9 or later clusters.
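As an added example (not part of KubeStash or its installer), the script below audits rules like those in the operator permission table and the user-facing aggregated roles above: it answers "can this role do verb X on group/resource Y" with Kubernetes RBAC wildcard semantics, lists the rules granted with all verbs so a least-privilege review knows where to look first, and checks the aggregation label that folds a ClusterRole into the built-in `view` role. `OPERATOR_RULES` is a constructed excerpt of the table, and `VIEW_ROLE` is a hypothetical manifest written from the description of the view role; only the label key `rbac.authorization.k8s.io/aggregate-to-<role>` is the real one Kubernetes uses.

```python
# Constructed excerpt of the operator ClusterRole rules from the table above.
# "" is the core API group, "*" is the wildcard, exactly as in a Kubernetes manifest.
OPERATOR_RULES = [
    {"apiGroups": ["core.kubestash.com"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["secrets"],
     "verbs": ["get", "list", "create", "patch", "watch", "delete"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["services", "endpoints", "pods"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"], "verbs": ["use"]},
]


def _matches(wanted, allowed):
    """Kubernetes RBAC matching: '*' in the rule matches anything, else exact match."""
    return "*" in allowed or wanted in allowed


def can_i(rules, group, resource, verb):
    """True if any rule grants `verb` on `group`/`resource` (like `kubectl auth can-i`).

    A subresource such as 'pods/exec' must be listed explicitly or covered by a
    resources '*' wildcard; a rule for 'pods' alone does not grant it.
    """
    return any(
        _matches(group, r["apiGroups"])
        and _matches(resource, r["resources"])
        and _matches(verb, r["verbs"])
        for r in rules
    )


def wildcard_rules(rules):
    """(group, resource) pairs granted with verbs '*': review these first."""
    return [(g, res) for r in rules if "*" in r["verbs"]
            for g in r["apiGroups"] for res in r["resources"]]


# Hypothetical user-facing view role (assumed manifest, not the installer's own).
VIEW_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "appscode:kubestash-kubestash-operator:view",
                 "labels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
    "rules": [{"apiGroups": ["core.kubestash.com", "storage.kubestash.com"],
               "resources": ["*"], "verbs": ["get", "list", "watch"]}],
}


def aggregates_to(role, builtin):
    """True if `role` carries the label that aggregates it into built-in `builtin`."""
    labels = role["metadata"].get("labels", {})
    return labels.get("rbac.authorization.k8s.io/aggregate-to-" + builtin) == "true"
```

Against a live cluster, `kubectl get clusterrole <name> -o json` gives the same `rules` shape, so the functions can be run over the installed role to confirm it grants no more than the table documents.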