Role-Based Access Control is only available in Portainer Business Edition.
When managing a Kubernetes environment with Portainer, the Role-Based Access Control (RBAC) configuration is based on two components:

- Kubernetes' cluster roles and namespace roles (which restrict access to Kubernetes itself)
- Portainer's authorization flags (which restrict access to Portainer's functionality)
The following tables provide a reference for how our Portainer roles map to capabilities within Kubernetes.
Portainer Role | Cluster Role Binding | Namespace Role Binding |
---|---|---|
Environment Administrator | cluster-admin (k8s system) | N/A |
Operator | | portainer-view (all non-system namespaces) |
User | | portainer-edit, portainer-view (only assigned namespaces) |
Helpdesk | | portainer-view (all non-system namespaces) |
Read-Only | | portainer-view (only assigned namespaces) |

API Group | Resources | Verbs |
---|---|---|
(Empty) | namespaces, nodes | get, list |
storage.k8s.io | storageclasses | list |
metrics.k8s.io | namespaces, pods, nodes | get, list |
networking.k8s.io | ingressclasses | list |

The following tables cover the two roles available in Portainer Community Edition (CE). Note there is no Portainer access restriction in Portainer CE.

API Group | Resources | Verbs |
---|---|---|
(Empty) | componentstatuses, endpoints, events, namespaces, nodes | get, list, watch |
storage.k8s.io | storageclasses | get, list, watch |
networking.k8s.io | ingresses | get, watch |
networking.k8s.io | ingressclasses | list |
metrics.k8s.io | pods, nodes, nodes/stats, namespace | get, list, watch |

API Group | Resources | Verbs |
---|---|---|
(Empty) | configmaps | update |
(Empty) | pods | delete |
apps | daemonsets, deployments, statefulsets | patch |
metrics.k8s.io | pods, nodes, nodes/stats, namespaces | get, list, watch |

API Group | Resources | Verbs |
---|---|---|
(Empty) | configmaps, endpoints, persistentvolumeclaims, pods, pods/attach, pods/exec, pods/portforward, pods/proxy, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy | create, delete, deletecollection, patch, update |
(Empty) | pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy | get, list, watch |
apps | daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale | create, delete, deletecollection, patch, update |
autoscaling | horizontalpodautoscalers | create, delete, deletecollection, patch, update |
batch | cronjobs, jobs | create, delete, deletecollection, patch, update |
extensions | daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale | create, delete, deletecollection, patch, update |
networking.k8s.io |

Function | Endpoint admin | Operator | Helpdesk | Standard User | Read-only User |
---|---|---|---|---|---|
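The rule tables above are what the Kubernetes RBAC authorizer evaluates when a Portainer-mapped user makes an API request, and reading them by hand it is easy to miss that a single `secrets` or `pods/exec` entry hands out most of a namespace. The following added example (my own code, not Portainer's or the Kubernetes project's) transcribes the first and the fourth "API Group | Resources | Verbs" tables into Python data, answers "can this role do verb X on resource Y?" with the same group/resource/verb matching Kubernetes applies to a PolicyRule, and lists the high-privilege grants a reviewer should flag. The constant names `BASIC_RULES` and `EDIT_RULES` are my own labels, because the page does not say which named role each table belongs to; the page's `(Empty)` cell is mapped to the core API group `""`.

```python
# Added example (not Portainer's code): evaluate requests against the
# "API Group | Resources | Verbs" rule tables on this page the way the
# Kubernetes RBAC authorizer would, and list the high-privilege grants a
# reviewer should notice. The rule rows are transcribed from the page;
# the constant names (BASIC_RULES, EDIT_RULES) are my own labels because
# the page does not say which named role each table belongs to.

CORE_GROUP_LABEL = "(Empty)"   # how the page writes the core ("") API group

# First table on the page: cluster-wide, read-only discovery rules.
BASIC_RULES = [
    ("(Empty)",           "namespaces, nodes",       "get, list"),
    ("storage.k8s.io",    "storageclasses",          "list"),
    ("metrics.k8s.io",    "namespaces, pods, nodes", "get, list"),
    ("networking.k8s.io", "ingressclasses",          "list"),
]

# Fourth table on the page (namespace-scoped edit rules). The page's copy
# breaks off after the extensions row, so the networking.k8s.io row is omitted.
EDIT_RULES = [
    ("(Empty)",
     "configmaps, endpoints, persistentvolumeclaims, pods, pods/attach, pods/exec, "
     "pods/portforward, pods/proxy, replicationcontrollers, replicationcontrollers/scale, "
     "secrets, serviceaccounts, services, services/proxy",
     "create, delete, deletecollection, patch, update"),
    ("(Empty)",
     "pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy",
     "get, list, watch"),
    ("apps",
     "daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, "
     "replicasets/scale, statefulsets, statefulsets/scale",
     "create, delete, deletecollection, patch, update"),
    ("autoscaling", "horizontalpodautoscalers", "create, delete, deletecollection, patch, update"),
    ("batch", "cronjobs, jobs", "create, delete, deletecollection, patch, update"),
    ("extensions",
     "daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, "
     "networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale",
     "create, delete, deletecollection, patch, update"),
]


def _cells(cell: str) -> list[str]:
    """Split a comma-separated table cell into its items."""
    return [item.strip() for item in cell.split(",") if item.strip()]


def _group(name: str) -> str:
    """Map the page's '(Empty)' label to the core API group ("")."""
    return "" if name == CORE_GROUP_LABEL else name


def allows(rules, api_group: str, resource: str, verb: str) -> bool:
    """Return True if any rule grants `verb` on `resource` in `api_group`.

    Mirrors the Kubernetes PolicyRule match: group, resource (including a
    'resource/subresource' name such as pods/exec) and verb must all match
    within the same rule, and '*' in a column matches everything. RBAC is
    allow-only, so one matching rule is sufficient and nothing can deny it.
    """
    for rule_group, resources, verbs in rules:
        if _group(rule_group) not in (api_group, "*"):
            continue
        if resource not in _cells(resources) and "*" not in _cells(resources):
            continue
        if verb in _cells(verbs) or "*" in _cells(verbs):
            return True
    return False


# Grants a reviewer should treat as equivalent to broad control of the namespace.
SENSITIVE_GRANTS = [
    ("", "secrets", "get", "read Secret values"),
    ("", "secrets", "list", "list Secrets (a list response carries the full objects, values included)"),
    ("", "pods/exec", "create", "execute commands inside running pods"),
    ("", "pods/portforward", "create", "open port-forwards into pods"),
    ("", "pods", "create", "create pods, which can mount any Secret or ServiceAccount in the namespace"),
    ("", "serviceaccounts", "create", "create ServiceAccounts"),
]


def sensitive_grants(rules) -> list[str]:
    """Describe which of the high-privilege capabilities `rules` grants."""
    return [desc for group, resource, verb, desc in SENSITIVE_GRANTS
            if allows(rules, group, resource, verb)]


if __name__ == "__main__":
    for name, rules in (("basic", BASIC_RULES), ("edit", EDIT_RULES)):
        print(f"{name}: secrets get -> {allows(rules, '', 'secrets', 'get')}")
        for desc in sensitive_grants(rules):
            print(f"  sensitive: {desc}")
```

Run it and the first table reports no sensitive grants (it only lets a user discover namespaces, nodes, storage classes and ingress classes), while the fourth table grants every entry in `SENSITIVE_GRANTS`, which is the expected profile for an edit-level namespace role and the reason the page binds it only to assigned namespaces rather than cluster-wide. The same `allows` check is what `kubectl auth can-i --as=<user> <verb> <resource> -n <namespace>` asks the real API server, so the two can be compared when auditing a Portainer-managed cluster.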