Kubernetes roles and bindings

{% hint style="info" %} Role-Based Access Control is only available in Portainer Business Edition. {% endhint %}

When managing a Kubernetes environment with Portainer, the Role-Based Access Control (RBAC) configuration is based on two components:

Kubernetes' cluster roles and namespace roles (which restrict access to Kubernetes itself)
Portainer's authorization flags (which restrict access to Portainer's functionality)

The following tables provide a reference for how our Portainer roles map to capabilities within Kubernetes.

Role Allocations

Portainer Role	Cluster Role Binding	Namespace Role Binding
Environment Administrator	cluster-admin (k8s system)	N/A
Operator	portainer-operator, portainer-helpdesk	portainer-view (all non-system namespaces)
User	portainer-basic	portainer-edit, portainer-view (only assigned namespaces)
Helpdesk	portainer-helpdesk	portainer-view (all non-system namespaces)
Read-Only	portainer-basic	portainer-view (only assigned namespaces)

Cluster Roles

portainer-basic

API Group	Resources	Verbs
(Empty)	namespaces, nodes	get, list
storage.k8s.io	storageclasses	list
metrics.k8s.io	namespaces, pods, nodes	get, list
networking.k8s.io	ingressclasses	list

portainer-helpdesk

API Group	Resources	Verbs
(Empty)	componentstatuses, endpoints, events, namespaces, nodes	get, list, watch
storage.k8s.io	storageclasses	get, list, watch
networking.k8s.io	ingresses	get, watch
networking.k8s.io	ingressclasses	list
metrics.k8s.io	pods, nodes, nodes/stats, namespace	get, list, watch

portainer-operator

API Group	Resources	Verbs
(Empty)	configmaps	update
(Empty)	pods	delete
apps	daemonsets, deployments, statefulsets	patch
metrics.k8s.io	pods, nodes, nodes/stats, namespaces	get, list, watch

Namespace Roles

portainer-edit

API Group	Resources	Verbs
(Empty)	configmaps, endpoints, persistentvolumeclaims, pods, pods/attach, pods/exec, pods/portforward, pods/proxy, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy	create, delete, deletecollection, patch, update
(Empty)	pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy	get, list, watch
apps	daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale	create, delete, deletecollection, patch, update
autoscaling	horizontalpodautoscalers	create, delete, deletecollection, patch, update
batch	cronjobs, jobs	create, delete, deletecollection, patch, update
extensions	daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale	create, delete, deletecollection, patch, update
networking.k8s.io	ingresses, networkpolicies	create, delete, deletecollection, patch, update
policy	poddisruptionbudgets	create, delete, deletecollection, patch, update

portainer-view

API Group	Resources	Verbs
(Empty)	bindings, componentstatuses, configmaps, endpoints, events, limitranges, namespaces, namespaces/status, persistentvolumeclaims, persistentvolumeclaims/status, pods, pods/log, pods/status, replicationcontrollers, replicationcontrollers/scale, replicationcontrollers/status, resourcequotas, resourcequotas/status, secrets, serviceaccounts, services, services/status	get, list, watch
apps	controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status	get, list, watch
autoscaling	horizontalpodautoscalers, horizontalpodautoscalers/status	get, list, watch
batch	cronjobs, cronjobs/status, jobs, jobs/status	get, list, watch
extensions	daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale	get, list, watch
networking.k8s.io	ingresses, ingresses/status, networkpolicies	get, list, watch
policy	poddisruptionbudgets, poddisruptionbudgets/status	get, list, watch

Portainer Access Restrictions

Function	Endpoint admin	Operator	Helpdesk	Standard User	Read-only User
Namespace Scope	All	All, EXCEPT System	All, EXCEPT System	Default + Assigned	Default + Assigned
Namespaces	RW	R	R	R	R
Namespace Details	RW	R	R	R	R
Namespace Access Management	RW
Applications	RW	R	R	RW	R
Application Details	RW	R	R	RW	R
Pod Delete	Yes	Yes
Application Console	RW	RW
Advanced Deployment	RW			RW
ConfigMaps & Secrets	RW	R	R	RW	R
ConfigMap & Secret Details	RW	RW	R	RW	R
Volumes	RW	R	R	RW	R
Volume Details	RW	R	R	RW	R
Cluster	RW	R	R
Cluster Node View	RW	R	R
Cluster Setup	RW
Application Error Details	R	R	R
Storage Class Disabled	R	R	R

Community Edition

The following tables cover the two roles available in Portainer Community Edition (CE). Note there is no Portainer access restriction in Portainer CE.

Portainer Role	Cluster Role Binding	Namespace Role Binding
Admin	(no restriction)	(no restriction)
User	portainer-cr-user	edit (default k8s role, only assigned namespaces)

portainer-cr-user

API Group	Resources	Verbs
(Empty)	namespaces, nodes	list
storage.k8s.io	storageclasses	list
networking.k8s.io	ingresses	list

15 KiB Raw Permalink Blame History