Role-Based Access Control is only available in Portainer Business Edition.
When managing a Kubernetes environment with Portainer, the Role-Based Access Control (RBAC) configuration is based on two components:

- Kubernetes' cluster roles and namespace roles (which restrict access to Kubernetes itself)
- Portainer's authorization flags (which restrict access to Portainer's functionality)
The following tables provide a reference for how our Portainer roles map to capabilities within Kubernetes.
Portainer Role | Cluster Role Binding | Namespace Role Binding |
---|---|---|
Environment Administrator | cluster-admin (k8s system) | N/A |
Operator | portainer-view (all non-system namespaces) | |
User | | portainer-edit, portainer-view (only assigned namespaces) |
Helpdesk | portainer-view (all non-system namespaces) | |
Read-Only | | portainer-view (only assigned namespaces) |

The tables below list the API groups, resources and verbs granted by the Kubernetes roles these bindings refer to.
API Group | Resources | Verbs |
---|---|---|
(Empty) | namespaces, nodes | get, list |
storage.k8s.io | storageclasses | list |
metrics.k8s.io | namespaces, pods, nodes | get, list |
networking.k8s.io | ingressclasses | list |
API Group | Resources | Verbs |
---|---|---|
(Empty) | componentstatuses, endpoints, events, namespaces, nodes | get, list, watch |
storage.k8s.io | storageclasses | get, list, watch |
networking.k8s.io | ingresses | get, watch |
networking.k8s.io | ingressclasses | list |
metrics.k8s.io | pods, nodes, nodes/stats, namespaces | get, list, watch |
API Group | Resources | Verbs |
---|---|---|
(Empty) | configmaps | update |
(Empty) | pods | delete |
apps | daemonsets, deployments, statefulsets | patch |
metrics.k8s.io | pods, nodes, nodes/stats, namespaces | get, list, watch |
API Group | Resources | Verbs |
---|---|---|
(Empty) | configmaps, endpoints, persistentvolumeclaims, pods, pods/attach, pods/exec, pods/portforward, pods/proxy, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy | create, delete, deletecollection, patch, update |
(Empty) | pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy | get, list, watch |
apps | daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale | create, delete, deletecollection, patch, update |
autoscaling | horizontalpodautoscalers | create, delete, deletecollection, patch, update |
batch | cronjobs, jobs | create, delete, deletecollection, patch, update |
extensions | daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale | create, delete, deletecollection, patch, update |
networking.k8s.io | ingresses, networkpolicies | create, delete, deletecollection, patch, update |
policy | poddisruptionbudgets | create, delete, deletecollection, patch, update |
API Group | Resources | Verbs |
---|---|---|
(Empty) | bindings, componentstatuses, configmaps, endpoints, events, limitranges, namespaces, namespaces/status, persistentvolumeclaims, persistentvolumeclaims/status, pods, pods/log, pods/status, replicationcontrollers, replicationcontrollers/scale, replicationcontrollers/status, resourcequotas, resourcequotas/status, secrets, serviceaccounts, services, services/status | get, list, watch |
apps | controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status | get, list, watch |
autoscaling | horizontalpodautoscalers, horizontalpodautoscalers/status | get, list, watch |
batch | cronjobs, cronjobs/status, jobs, jobs/status | get, list, watch |
extensions | daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale | get, list, watch |
networking.k8s.io | ingresses, ingresses/status, networkpolicies | get, list, watch |
policy | poddisruptionbudgets, poddisruptionbudgets/status | get, list, watch |
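A mapping like this is only useful if the roles actually present in the cluster still match it. The following added example (not Portainer's own code) audits a Role or ClusterRole, in the JSON form that `kubectl get clusterrole <name> -o json` returns, against a baseline built from the read-only namespace table above (abbreviated to the core and apps groups) and reports every permission beyond it, such as `pods/exec` or writes to secrets; the sample role is constructed.

```python
"""Compare a Role/ClusterRole (as `kubectl get ... -o json` returns it) against an
expected baseline and report every (apiGroup, resource, verb) it grants beyond it.
Added example: the baseline is taken from the page's read-only (portainer-view)
namespace table, abbreviated to the core and apps groups; the sample role is constructed."""
import json

READ_ONLY = {"get", "list", "watch"}
# Baseline: (apiGroup, resource) -> allowed verbs; "" is the core API group.
VIEW_BASELINE = {("", r): READ_ONLY for r in (
    "configmaps", "endpoints", "events", "persistentvolumeclaims", "pods",
    "pods/log", "secrets", "serviceaccounts", "services")}
VIEW_BASELINE.update({("apps", r): READ_ONLY for r in (
    "daemonsets", "deployments", "replicasets", "statefulsets")})

def expand_rules(role):
    """Flatten the role's PolicyRules into (apiGroup, resource, verb) triples."""
    triples = set()
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    triples.add((group, resource, verb))
    return triples

def excess_permissions(role, baseline):
    """Return, sorted, the triples the role grants that the baseline does not.
    A '*' resource or verb is always reported: it exceeds any allowlist."""
    excess = []
    for group, resource, verb in expand_rules(role):
        if "*" in (resource, verb) or verb not in baseline.get((group, resource), ()):
            excess.append((group, resource, verb))
    return sorted(excess)

# Constructed sample: a view role that has drifted to allow exec and secret writes.
SAMPLE_ROLE_JSON = json.dumps({
    "kind": "ClusterRole", "metadata": {"name": "portainer-view"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log", "configmaps", "secrets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["update"]},
    ]})

def audit_sample():
    """Run the audit over the constructed sample; returns the flagged triples."""
    return excess_permissions(json.loads(SAMPLE_ROLE_JSON), VIEW_BASELINE)
```

To audit a live cluster, feed the output of `kubectl get clusterrole <name> -o json` to `excess_permissions` with a baseline built from whichever table above the binding refers to.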
Function | Endpoint admin | Operator | Helpdesk | Standard User | Read-only User |
---|---|---|---|---|---|
Namespace Scope | All | All, EXCEPT System | All, EXCEPT System | Default + Assigned | Default + Assigned |
Namespaces | RW | R | R | R | R |
Namespace Details | RW | R | R | R | R |
Namespace Access Management | RW | | | | |
Applications | RW | R | R | RW | R |
Application Details | RW | R | R | RW | R |
Pod Delete | Yes | Yes | | | |
Application Console | RW | | | RW | |
Advanced Deployment | RW | | | RW | |
ConfigMaps & Secrets | RW | R | R | RW | R |
ConfigMap & Secret Details | RW | RW | R | RW | R |
Volumes | RW | R | R | RW | R |
Volume Details | RW | R | R | RW | R |
Cluster | RW | R | R | | |
Cluster Node View | RW | R | R | | |
Cluster Setup | RW | | | | |
Application Error Details | R | R | R | | |
Storage Class Disabled | R | R | R | | |
The following tables cover the two roles available in Portainer Community Edition (CE). Note there is no Portainer access restriction in Portainer CE.

Portainer Role | Cluster Role Binding | Namespace Role Binding |
---|---|---|
Admin | (no restriction) | (no restriction) |
User | | edit (default k8s role, only assigned namespaces) |

API Group | Resources | Verbs |
---|---|---|
(Empty) | namespaces, nodes | list |
storage.k8s.io | storageclasses | list |
networking.k8s.io | ingresses | list |