Kubernetes Permissions

Kubernetes Cluster Integration Permissions #

Overview #

When you install Stackbooster's agent in your EKS cluster, it is granted the Kubernetes RBAC permissions it needs to collect information about, and manage, resources in your cluster. This document lists those permissions and the kinds of data they give the agent access to. The permissions are grouped by purpose:

1. API Access #

The agent can read the Kubernetes API discovery endpoints, which it needs to enumerate the API groups, versions and resource types the cluster serves. These are non-resource URLs (granted through `nonResourceURLs` in the ClusterRole), and the access is read-only.

  • Permissions:
    • get, list, watch
    • Non-resource URLs: /api, /api/*, /apis, /apis/*

2. Resource Management #

The agent is granted permissions on a range of Kubernetes resources. Only the first group below carries write verbs (create, update, patch, delete); every other group is read-only (get, list, watch). Note that several of the writable resources (nodes, persistentvolumes, namespaces) are cluster-scoped, so these grants must be bound with a ClusterRoleBinding and cannot be narrowed to a namespace; review them as cluster-wide write access.

  • Pods, nodes and other core resources:

    • Permissions: get, list, patch, watch, create, delete, update
    • Resources: pods, nodes, replicationcontrollers, persistentvolumeclaims, persistentvolumes, services, namespaces, events
  • Deployments and StatefulSets:

    • Permissions: get, list, watch
    • Resources: deployments, replicasets, daemonsets, statefulsets
  • Storage Management:

    • Permissions: get, list, watch
    • Resources: storageclasses, csinodes
  • Batch Jobs:

    • Permissions: get, list, watch
    • Resources: jobs, cronjobs
  • Autoscaling:

    • Permissions: get, list, watch
    • Resources: horizontalpodautoscalers
  • Leases and Coordination:

    • Permissions: create, get, list, watch, update
    • Resources: leases
  • Metrics:

    • Permissions: get, list
    • Resources: pods in the metrics.k8s.io API group (pod resource usage from the resource metrics API)
  • Policy:

    • Permissions: get, list, watch
    • Resources: poddisruptionbudgets
  • Custom Resources:

    • Permissions: get, list, watch
    • Resources: sbawsnodetemplates in stackbooster.io

3. Stackbooster Scheduler Permissions #

These permissions let the Stackbooster scheduler place pods on nodes and manage the events, leases and other objects it needs while doing so. They are listed together with the permissions used by the scheduler plugins and by the Gatekeeper policy controller that ships with the scheduler.

  • Scheduler and Endpoints:

    • Permissions: create, get, list, watch, update
    • Resources: namespaces, events, leases, endpoints, nodes, pods, bindings, pods/binding, pods/status, replicationcontrollers, services, replicasets, statefulsets, poddisruptionbudgets, persistentvolumeclaims, persistentvolumes, tokenreviews, subjectaccessreviews, csinodes, storageclasses, csidrivers, csistoragecapacities, noderesourcetopologies, podgroups, elasticquotas, podgroups/status, elasticquotas/status
    • Note: create on bindings and pods/binding is the verb that lets a scheduler assign a pod to a node; update on pods/status lets it record scheduling conditions on the pod.
  • Scheduler Plugins:

    • Permissions: get, list, watch, create, delete, update, patch
    • Resources: pods, events, nodes, noderesourcetopologies, podgroups, elasticquotas, podgroups/status, elasticquotas/status
  • Gatekeeper:

    • Permissions: create, delete, get, list, patch, update, watch
    • Resources: events, customresourcedefinitions, configs, configs/status, constraints, providers, mutations, podsecuritypolicies, status, constrainttemplates, constrainttemplates/finalizers, constrainttemplates/status, validatingwebhookconfigurations, mutatingwebhookconfigurations
    • Note: write access to validatingwebhookconfigurations and mutatingwebhookconfigurations allows registering admission webhooks that see and can modify every matching API request in the cluster, and write access to customresourcedefinitions allows adding new API types. Both are required for Gatekeeper to operate, but they are powerful grants and worth confirming against what is actually installed. The podsecuritypolicies entry refers to an API that Kubernetes removed in version 1.25, so it has no effect on current EKS versions.