Kubernetes roles and bindings
Role-Based Access Control is only available in Portainer Business Edition.
When managing a Kubernetes environment with Portainer, the Role-Based Access Control (RBAC) configuration is based on two components:
Kubernetes' cluster roles and namespace roles (which restrict access to Kubernetes itself)
Portainer's authorization flags (which restrict access to Portainer's functionality)
The following tables provide a reference for how our Portainer roles map to capabilities within Kubernetes.
Role Allocations
Environment Administrator
cluster-admin (k8s system)
N/A
Cluster Roles
portainer-basic
(Empty)
namespaces, nodes
get, list
storage.k8s.io
storageclasses
list
metrics.k8s.io
namespaces, pods, nodes
get, list
networking.k8s.io
ingressclasses
list
portainer-helpdesk
(Empty)
componentstatuses, endpoints, events, namespaces, nodes
get, list, watch
storage.k8s.io
storageclasses
get, list, watch
networking.k8s.io
ingresses
get, watch
networking.k8s.io
ingressclasses
list
metrics.k8s.io
pods, nodes, nodes/stats, namespace
get, list, watch
portainer-operator
(Empty)
configmaps
update
(Empty)
pods
delete
apps
daemonsets, deployments, statefulsets
patch
metrics.k8s.io
pods, nodes, nodes/stats, namespaces
get, list, watch
Namespace Roles
portainer-edit
(Empty)
configmaps, endpoints, persistentvolumeclaims, pods, pods/attach, pods/exec, pods/portforward, pods/proxy, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy
create, delete, deletecollection, patch, update
(Empty)
pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy
get, list, watch
apps
daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale
create, delete, deletecollection, patch, update
autoscaling
horizontalpodautoscalers
create, delete, deletecollection, patch, update
batch
cronjobs, jobs
create, delete, deletecollection, patch, update
extensions
daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale
create, delete, deletecollection, patch, update
networking.k8s.io
ingresses, networkpolicies
create, delete, deletecollection, patch, update
policy
poddisruptionbudgets
create, delete, deletecollection, patch, update
portainer-view
(Empty)
bindings, componentstatuses, configmaps, endpoints, events, limitranges, namespaces, namespaces/status, persistentvolumeclaims, persistentvolumeclaims/status, pods, pods/log, pods/status, replicationcontrollers, replicationcontrollers/scale, replicationcontrollers/status, resourcequotas, resourcequotas/status, secrets, serviceaccounts, services, services/status
get, list, watch
apps
controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status
get, list, watch
autoscaling
horizontalpodautoscalers, horizontalpodautoscalers/status
get, list, watch
batch
cronjobs, cronjobs/status, jobs, jobs/status
get, list, watch
extensions
daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale
get, list, watch
networking.k8s.io
ingresses, ingresses/status, networkpolicies
get, list, watch
policy
poddisruptionbudgets, poddisruptionbudgets/status
get, list, watch
Portainer Access Restrictions
Namespace Scope
All
All, EXCEPT System
All, EXCEPT System
Default + Assigned
Default + Assigned
Namespaces
RW
R
R
R
R
Namespace Details
RW
R
R
R
R
Namespace Access Management
RW
Applications
RW
R
R
RW
R
Application Details
RW
R
R
RW
R
Pod Delete
Yes
Yes
Application Console
RW
RW
Advanced Deployment
RW
RW
ConfigMaps & Secrets
RW
R
R
RW
R
ConfigMap & Secret Details
RW
RW
R
RW
R
Volumes
RW
R
R
RW
R
Volume Details
RW
R
R
RW
R
Cluster
RW
R
R
Cluster Node View
RW
R
R
Cluster Setup
RW
Application Error Details
R
R
R
Storage Class Disabled
R
R
R
Community Edition
The following tables cover the two roles available in Portainer Community Edition (CE). Note there is no Portainer access restriction in Portainer CE.
Admin
(no restriction)
(no restriction)
portainer-cr-user
(Empty)
namespaces, nodes
list
storage.k8s.io
storageclasses
list
networking.k8s.io
ingresses
list