Kubernetes roles and bindings
Role-Based Access Control is only available in Portainer Business Edition.
When managing a Kubernetes environment with Portainer, the Role-Based Access Control (RBAC) configuration is based on two components:
- Kubernetes' cluster roles and namespace roles (which restrict access to Kubernetes itself)
- Portainer's authorization flags (which restrict access to Portainer's functionality)
The following tables provide a reference for how our Portainer roles map to capabilities within Kubernetes.
Role Allocations
Environment Administrator
cluster-admin (k8s system)
N/A
Operator
User
Helpdesk
Read-Only
Cluster Roles
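portainer-basic

| API Group | Resources | Verbs |
| --- | --- | --- |
| (Empty) | namespaces, nodes | list |
| storage.k8s.io | storageclasses | list |
| networking.k8s.io | ingresses | list |

portainer-helpdesk

| API Group | Resources | Verbs |
| --- | --- | --- |
| (Empty) | componentstatuses, endpoints, events, namespaces, nodes | get, list, watch |
| storage.k8s.io | storageclasses | get, list, watch |
| networking.k8s.io | ingresses | get, list, watch |

portainer-operator

| API Group | Resources | Verbs |
| --- | --- | --- |
| (Empty) | configmaps, secrets | update |
| (Empty) | pods | delete |
| apps | deployments | patch |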
Namespace Roles
portainer-edit

| API Group | Resources | Verbs |
| --- | --- | --- |
| (Empty) | configmaps, endpoints, persistentvolumeclaims, pods, pods/attach, pods/exec, pods/portforward, pods/proxy, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy | create, delete, deletecollection, patch, update |
| (Empty) | pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy | get, list, watch |
| apps | daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale | create, delete, deletecollection, patch, update |
| autoscaling | horizontalpodautoscalers | create, delete, deletecollection, patch, update |
| batch | cronjobs, jobs | create, delete, deletecollection, patch, update |
| extensions | daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale | create, delete, deletecollection, patch, update |
| networking.k8s.io | ingresses, networkpolicies | create, delete, deletecollection, patch, update |
| policy | poddisruptionbudgets | create, delete, deletecollection, patch, update |

portainer-view

| API Group | Resources | Verbs |
| --- | --- | --- |
| (Empty) | bindings, componentstatuses, configmaps, endpoints, events, limitranges, namespaces, namespaces/status, persistentvolumeclaims, persistentvolumeclaims/status, pods, pods/log, pods/status, replicationcontrollers, replicationcontrollers/scale, replicationcontrollers/status, resourcequotas, resourcequotas/status, secrets, serviceaccounts, services, services/status | get, list, watch |
| apps | controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status | get, list, watch |
| autoscaling | horizontalpodautoscalers, horizontalpodautoscalers/status | get, list, watch |
| batch | cronjobs, cronjobs/status, jobs, jobs/status | get, list, watch |
| extensions | daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale | get, list, watch |
| networking.k8s.io | ingresses, ingresses/status, networkpolicies | get, list, watch |
| policy | poddisruptionbudgets, poddisruptionbudgets/status | get, list, watch |
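When reviewing these roles, it helps to ask the tables a question such as "which roles can read secrets?" rather than scanning each row. The Python below is an added example, not Portainer's code: it transcribes a subset of the rules above (portainer-basic and the non-core rows of portainer-edit and portainer-view are left out) and evaluates them with simplified RBAC matching (exact names or `*`). The names `ROLES`, `SENSITIVE`, `allows` and `audit` are illustrative, and the mapping of these roles to Portainer roles is not modelled.

```python
# Added example: rules transcribed from the tables on this page, not read from a
# cluster. Rule = (apiGroup, resources, verbs); "" is the core group "(Empty)".
RO, RW = "get list watch", "create delete deletecollection patch update"
ROLES = {
    "portainer-helpdesk": [
        ("", "componentstatuses endpoints events namespaces nodes", RO),
        ("storage.k8s.io", "storageclasses", RO),
        ("networking.k8s.io", "ingresses", RO),
    ],
    "portainer-operator": [
        ("", "configmaps secrets", "update"),
        ("", "pods", "delete"),
        ("apps", "deployments", "patch"),
    ],
    "portainer-edit": [  # core-group rows only
        ("", "configmaps endpoints persistentvolumeclaims pods pods/attach pods/exec "
             "pods/portforward pods/proxy replicationcontrollers replicationcontrollers/scale "
             "secrets serviceaccounts services services/proxy", RW),
        ("", "pods/attach pods/exec pods/portforward pods/proxy secrets services/proxy", RO),
    ],
    "portainer-view": [  # core-group row only
        ("", "bindings componentstatuses configmaps endpoints events limitranges namespaces "
             "namespaces/status persistentvolumeclaims persistentvolumeclaims/status pods "
             "pods/log pods/status replicationcontrollers replicationcontrollers/scale "
             "replicationcontrollers/status resourcequotas resourcequotas/status secrets "
             "serviceaccounts services services/status", RO),
    ],
}

# Hypothetical watch-list of grants a reviewer may want to account for.
SENSITIVE = [("", "secrets", "get"), ("", "secrets", "update"),
             ("", "pods/exec", "create"), ("", "pods", "delete")]

def allows(role, group, resource, verb):
    """True if one rule of `role` matches group, resource and verb together.
    Simplified matching: exact names or "*". A subresource (pods/exec) is a
    separate resource name, so a grant on "pods" does not cover it."""
    for g, resources, verbs in ROLES[role]:
        if (g in (group, "*") and {resource, "*"} & set(resources.split())
                and {verb, "*"} & set(verbs.split())):
            return True
    return False

def audit():
    """Map each watched (group, resource, verb) to the roles that grant it."""
    return {chk: sorted(r for r in ROLES if allows(r, *chk)) for chk in SENSITIVE}

if __name__ == "__main__":
    for (group, resource, verb), roles in audit().items():
        print(f"{verb:7} {resource:10} -> {', '.join(roles) or 'none'}")
```

On a live cluster, `kubectl auth can-i --list` run for a given subject and namespace is the authoritative check, since it evaluates the roles actually bound there.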
Portainer Access Restrictions
Namespace Scope: All; All, EXCEPT System; All, EXCEPT System; Default + Assigned; Default + Assigned
Namespaces: RW; R; R; R; R
Namespace Details: RW; R; R; R; R
Namespace Access Management: RW
Applications: RW; R; R; RW; R
Application Details: RW; R; R; RW; R
Pod Delete: Yes; Yes
Application Console: RW; RW
Advanced Deployment: RW; RW
ConfigMaps & Secrets: RW; R; R; RW; R
ConfigMap & Secret Details: RW; RW; R; RW; R
Volumes: RW; R; R; RW; R
Volume Details: RW; R; R; RW; R
Cluster: RW; R; R
Cluster Node View: RW; R; R
Cluster Setup: RW
Application Error Details: R; R; R
Storage Class Disabled: R; R; R