Kubernetes roles and bindings

Role-Based Access Control is only available in Portainer Business Edition.

When managing a Kubernetes environment with Portainer, the Role-Based Access Control (RBAC) configuration is based on two components:

  • Kubernetes' cluster roles and namespace roles (which restrict access to Kubernetes itself)

  • Portainer's authorization flags (which restrict access to Portainer's functionality)

The following tables provide a reference for how our Portainer roles map to capabilities within Kubernetes.

Role Allocations

Portainer RoleCluster Role BindingNamespace Role Binding

Environment Administrator

cluster-admin (k8s system)

N/A

Operator

portainer-view (all non-system namespaces)

User

portainer-edit, portainer-view (only assigned namespaces)

Helpdesk

portainer-view (all non-system namespaces)

Read-Only

portainer-view (only assigned namespaces)

Cluster Roles

portainer-basic

API GroupResourcesVerbs

(Empty)

namespaces, nodes

list

storage.k8s.io

storageclasses

list

networking.k8s.io

ingresses

list

portainer-helpdesk

API GroupResourcesVerbs

(Empty)

componentstatuses, endpoints, events, namespaces, nodes

get, list, watch

storage.k8s.io

storageclasses

get, list, watch

networking.k8s.io

ingresses

get, list, watch

portainer-operator

API GroupResourcesVerbs

(Empty)

configmaps, secrets

update

(Empty)

pods

delete

apps

deployments

patch

Namespace Roles

portainer-edit

API GroupResourcesVerbs

(Empty)

configmaps, endpoints, persistentvolumeclaims, pods, pods/attach, pods/exec, pods/portforward, pods/proxy, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy

create, delete, deletecollection, patch, update

(Empty)

pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy

get, list, watch

apps

daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale

create, delete, deletecollection, patch, update

autoscaling

horizontalpodautoscalers

create, delete, deletecollection, patch, update

batch

cronjobs, jobs

create, delete, deletecollection, patch, update

extensions

daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale

create, delete, deletecollection, patch, update

networking.k8s.io

ingresses, networkpolicies

create, delete, deletecollection, patch, update

policy

poddisruptionbudgets

create, delete, deletecollection, patch, update

portainer-view

API GroupResourcesVerbs

(Empty)

bindings, componentstatuses, configmaps, endpoints, events, limitranges, namespaces, namespaces/status, persistentvolumeclaims, persistentvolumeclaims/status, pods, pods/log, pods/status, replicationcontrollers, replicationcontrollers/scale, replicationcontrollers/status, resourcequotas, resourcequotas/status, secrets, serviceaccounts, services, services/status

get, list, watch

apps

controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status

get, list, watch

autoscaling

horizontalpodautoscalers, horizontalpodautoscalers/status

get, list, watch

batch

cronjobs, cronjobs/status, jobs, jobs/status

get, list, watch

extensions

daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale

get, list, watch

networking.k8s.io

ingresses, ingresses/status, networkpolicies

get, list, watch

policy

poddisruptionbudgets, poddisruptionbudgets/status

get, list, watch

Portainer Access Restrictions

FunctionEndpoint adminOperatorHelpdeskStandard UserRead-only User

Namespace Scope

All

All, EXCEPT System

All, EXCEPT System

Default + Assigned

Default + Assigned

Namespaces

RW

R

R

R

R

Namespace Details

RW

R

R

R

R

Namespace Access Management

RW

Applications

RW

R

R

RW

R

Application Details

RW

R

R

RW

R

Pod Delete

Yes

Yes

Application Console

RW

RW

Advanced Deployment

RW

RW

ConfigMaps & Secrets

RW

R

R

RW

R

ConfigMap & Secret Details

RW

RW

R

RW

R

Volumes

RW

R

R

RW

R

Volume Details

RW

R

R

RW

R

Cluster

RW

R

R

Cluster Node View

RW

R

R

Cluster Setup

RW

Application Error Details

R

R

R

Storage Class Disabled

R

R

R

Last updated