Kubernetes roles and bindings

Role-Based Access Control is only available in Portainer Business Edition.

When managing a Kubernetes environment with Portainer, the Role-Based Access Control (RBAC) configuration is based on two components:

  • Kubernetes' cluster roles and namespace roles (which restrict access to Kubernetes itself)

  • Portainer's authorization flags (which restrict access to Portainer's functionality)

The following tables provide a reference for how our Portainer roles map to capabilities within Kubernetes.

Role Allocations

Portainer RoleCluster Role BindingNamespace Role Binding

Environment Administrator

cluster-admin (k8s system)

N/A

Operator

portainer-view (all non-system namespaces)

User

portainer-edit, portainer-view (only assigned namespaces)

Helpdesk

portainer-view (all non-system namespaces)

Read-Only

portainer-view (only assigned namespaces)

Cluster Roles

portainer-basic

API GroupResourcesVerbs

(Empty)

namespaces, nodes

get, list

storage.k8s.io

storageclasses

list

metrics.k8s.io

namespaces, pods, nodes

get, list

networking.k8s.io

ingressclasses

list

portainer-helpdesk

API GroupResourcesVerbs

(Empty)

componentstatuses, endpoints, events, namespaces, nodes

get, list, watch

storage.k8s.io

storageclasses

get, list, watch

networking.k8s.io

ingresses

get, watch

networking.k8s.io

ingressclasses

list

metrics.k8s.io

pods, nodes, nodes/stats, namespace

get, list, watch

portainer-operator

API GroupResourcesVerbs

(Empty)

configmaps

update

(Empty)

pods

delete

apps

daemonsets, deployments, statefulsets

patch

metrics.k8s.io

pods, nodes, nodes/stats, namespaces

get, list, watch

Namespace Roles

portainer-edit

API GroupResourcesVerbs

(Empty)

configmaps, endpoints, persistentvolumeclaims, pods, pods/attach, pods/exec, pods/portforward, pods/proxy, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy

create, delete, deletecollection, patch, update

(Empty)

pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy

get, list, watch

apps

daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale

create, delete, deletecollection, patch, update

autoscaling

horizontalpodautoscalers

create, delete, deletecollection, patch, update

batch

cronjobs, jobs

create, delete, deletecollection, patch, update

extensions

daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale

create, delete, deletecollection, patch, update

networking.k8s.io

ingresses, networkpolicies

create, delete, deletecollection, patch, update

policy

poddisruptionbudgets

create, delete, deletecollection, patch, update

portainer-view

API GroupResourcesVerbs

(Empty)

bindings, componentstatuses, configmaps, endpoints, events, limitranges, namespaces, namespaces/status, persistentvolumeclaims, persistentvolumeclaims/status, pods, pods/log, pods/status, replicationcontrollers, replicationcontrollers/scale, replicationcontrollers/status, resourcequotas, resourcequotas/status, secrets, serviceaccounts, services, services/status

get, list, watch

apps

controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status

get, list, watch

autoscaling

horizontalpodautoscalers, horizontalpodautoscalers/status

get, list, watch

batch

cronjobs, cronjobs/status, jobs, jobs/status

get, list, watch

extensions

daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale

get, list, watch

networking.k8s.io

ingresses, ingresses/status, networkpolicies

get, list, watch

policy

poddisruptionbudgets, poddisruptionbudgets/status

get, list, watch

Portainer Access Restrictions

FunctionEndpoint adminOperatorHelpdeskStandard UserRead-only User

Namespace Scope

All

All, EXCEPT System

All, EXCEPT System

Default + Assigned

Default + Assigned

Namespaces

RW

R

R

R

R

Namespace Details

RW

R

R

R

R

Namespace Access Management

RW

Applications

RW

R

R

RW

R

Application Details

RW

R

R

RW

R

Pod Delete

Yes

Yes

Application Console

RW

RW

Advanced Deployment

RW

RW

ConfigMaps & Secrets

RW

R

R

RW

R

ConfigMap & Secret Details

RW

RW

R

RW

R

Volumes

RW

R

R

RW

R

Volume Details

RW

R

R

RW

R

Cluster

RW

R

R

Cluster Node View

RW

R

R

Cluster Setup

RW

Application Error Details

R

R

R

Storage Class Disabled

R

R

R

Community Edition

The following tables cover the two roles available in Portainer Community Edition (CE). Note there is no Portainer access restriction in Portainer CE.

Portainer RoleCluster Role BindingNamespace Role Binding

Admin

(no restriction)

(no restriction)

User

edit (default k8s role, only assigned namespaces)

portainer-cr-user

API GroupResourcesVerbs

(Empty)

namespaces, nodes

list

storage.k8s.io

storageclasses

list

networking.k8s.io

ingresses

list