Kubernetes roles and bindings
Role-Based Access Control is only available in Portainer Business Edition.
When managing a Kubernetes environment with Portainer, the Role-Based Access Control (RBAC) configuration is based on two components:
Kubernetes' cluster roles and namespace roles (which restrict access to Kubernetes itself)
Portainer's authorization flags (which restrict access to Portainer's functionality)
The following tables provide a reference for how our Portainer roles map to capabilities within Kubernetes.
Role Allocations
Portainer Role | Cluster Role Binding | Namespace Role Binding |
---|---|---|
Environment Administrator | cluster-admin (k8s system) | N/A |
Operator | portainer-basic, portainer-operator | portainer-view (all non-system namespaces) |
User | portainer-basic | portainer-edit, portainer-view (only assigned namespaces) |
Helpdesk | portainer-basic, portainer-helpdesk | portainer-view (all non-system namespaces) |
Read-Only | portainer-basic | portainer-view (only assigned namespaces) |
Cluster Roles
portainer-basic
API Group | Resources | Verbs |
---|---|---|
(Empty) | namespaces, nodes | get, list |
storage.k8s.io | storageclasses | list |
metrics.k8s.io | namespaces, pods, nodes | get, list |
networking.k8s.io | ingressclasses | list |
portainer-helpdesk
API Group | Resources | Verbs |
---|---|---|
(Empty) | componentstatuses, endpoints, events, namespaces, nodes | get, list, watch |
storage.k8s.io | storageclasses | get, list, watch |
networking.k8s.io | ingresses | get, watch |
networking.k8s.io | ingressclasses | list |
metrics.k8s.io | pods, nodes, nodes/stats, namespaces | get, list, watch |
portainer-operator
API Group | Resources | Verbs |
---|---|---|
(Empty) | configmaps | update |
(Empty) | pods | delete |
apps | daemonsets, deployments, statefulsets | patch |
metrics.k8s.io | pods, nodes, nodes/stats, namespaces | get, list, watch |
Namespace Roles
portainer-edit
API Group | Resources | Verbs |
---|---|---|
(Empty) | configmaps, endpoints, persistentvolumeclaims, pods, pods/attach, pods/exec, pods/portforward, pods/proxy, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy | create, delete, deletecollection, patch, update |
(Empty) | pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy | get, list, watch |
apps | daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale | create, delete, deletecollection, patch, update |
autoscaling | horizontalpodautoscalers | create, delete, deletecollection, patch, update |
batch | cronjobs, jobs | create, delete, deletecollection, patch, update |
extensions | daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale | create, delete, deletecollection, patch, update |
networking.k8s.io | ingresses, networkpolicies | create, delete, deletecollection, patch, update |
policy | poddisruptionbudgets | create, delete, deletecollection, patch, update |
portainer-view
API Group | Resources | Verbs |
---|---|---|
(Empty) | bindings, componentstatuses, configmaps, endpoints, events, limitranges, namespaces, namespaces/status, persistentvolumeclaims, persistentvolumeclaims/status, pods, pods/log, pods/status, replicationcontrollers, replicationcontrollers/scale, replicationcontrollers/status, resourcequotas, resourcequotas/status, secrets, serviceaccounts, services, services/status | get, list, watch |
apps | controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status | get, list, watch |
autoscaling | horizontalpodautoscalers, horizontalpodautoscalers/status | get, list, watch |
batch | cronjobs, cronjobs/status, jobs, jobs/status | get, list, watch |
extensions | daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale | get, list, watch |
networking.k8s.io | ingresses, ingresses/status, networkpolicies | get, list, watch |
policy | poddisruptionbudgets, poddisruptionbudgets/status | get, list, watch |
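The tables above are the baseline that Portainer installs; anything beyond them in the live cluster (an extra rule on portainer-basic, a wildcard verb on portainer-view) widens what every user bound to that role can do, and nothing in Portainer's UI will show it. Note also that the baseline itself is not harmless: portainer-view already grants get/list/watch on secrets, so a Read-Only user can read Secret contents in every namespace assigned to them, and the Operator and Helpdesk roles can do so in every non-system namespace. The following drift check is an added example for this page, not Portainer's own code. It flattens the rules of a ClusterRole or Role (the JSON that `kubectl get clusterrole portainer-basic -o json` returns) into (apiGroup, resource, verb) triples, diffs them against the baseline transcribed from the portainer-basic table, and flags any added triple that carries a write verb, a wildcard, or a pivot resource such as secrets or pods/exec. Only portainer-basic is transcribed here; the other tables can be added to `BASELINE` the same way. The JSON in the block is a constructed sample, not a capture from a real cluster: it is portainer-basic with one extra rule granting secrets get/list.

```python
"""Drift check for the Kubernetes roles Portainer creates.

Added example for this page; it is not Portainer's own code. The JSON
below is a constructed sample (portainer-basic plus one rule that grants
secrets get/list), not a capture from a cluster.
"""
import json
from typing import Dict, Set, Tuple

Triple = Tuple[str, str, str]  # (apiGroup, resource, verb); "" is the core group

# Baseline transcribed from the portainer-basic table on this page.
BASELINE: Dict[str, Set[Triple]] = {
    "portainer-basic": {
        ("", "namespaces", "get"), ("", "namespaces", "list"),
        ("", "nodes", "get"), ("", "nodes", "list"),
        ("storage.k8s.io", "storageclasses", "list"),
        ("metrics.k8s.io", "namespaces", "get"), ("metrics.k8s.io", "namespaces", "list"),
        ("metrics.k8s.io", "pods", "get"), ("metrics.k8s.io", "pods", "list"),
        ("metrics.k8s.io", "nodes", "get"), ("metrics.k8s.io", "nodes", "list"),
        ("networking.k8s.io", "ingressclasses", "list"),
    },
}

# Anything added with these verbs or on these resources turns a read-only
# role into something an attacker can pivot from.
ESCALATION_VERBS = {"create", "update", "patch", "delete", "deletecollection",
                    "bind", "escalate", "impersonate", "*"}
ESCALATION_RESOURCES = {"secrets", "pods/exec", "pods/attach", "pods/portforward",
                        "serviceaccounts/token", "clusterrolebindings", "rolebindings", "*"}

# Constructed sample: portainer-basic with an extra secrets rule appended.
SAMPLE_CLUSTERROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "portainer-basic"},
  "rules": [
    {"apiGroups": [""], "resources": ["namespaces", "nodes"], "verbs": ["get", "list"]},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["list"]},
    {"apiGroups": ["metrics.k8s.io"], "resources": ["namespaces", "pods", "nodes"], "verbs": ["get", "list"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingressclasses"], "verbs": ["list"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}
  ]
}
""")


def rules_to_triples(role: dict) -> Set[Triple]:
    """Expand a (Cluster)Role's rules into a flat set of triples.
    Wildcards ("*") are kept literally so they show up in the diff."""
    triples: Set[Triple] = set()
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    triples.add((group, resource, verb))
    return triples


def diff_role(role: dict) -> Dict[str, Set[Triple]]:
    """Compare a role object against the baseline for its metadata.name."""
    name = role["metadata"]["name"]
    if name not in BASELINE:
        raise KeyError(f"no baseline for role {name!r}")
    actual = rules_to_triples(role)
    added = actual - BASELINE[name]
    removed = BASELINE[name] - actual
    escalations = {t for t in added
                   if t[2] in ESCALATION_VERBS or t[1] in ESCALATION_RESOURCES}
    return {"added": added, "removed": removed, "escalations": escalations}


def check_sample() -> Dict[str, Set[Triple]]:
    """Run the diff on the constructed sample above."""
    return diff_role(SAMPLE_CLUSTERROLE)


def clean_sample() -> dict:
    """The same sample with the extra secrets rule stripped, for comparison."""
    role = json.loads(json.dumps(SAMPLE_CLUSTERROLE))
    role["rules"] = [r for r in role["rules"] if "secrets" not in r["resources"]]
    return role


if __name__ == "__main__":
    # Typical use: kubectl get clusterrole portainer-basic -o json | python3 drift_check.py
    import sys
    role = SAMPLE_CLUSTERROLE if sys.stdin.isatty() else json.load(sys.stdin)
    for kind, triples in diff_role(role).items():
        for group, resource, verb in sorted(triples):
            print(f"{kind:12} {group or 'core':20} {resource:30} {verb}")
```

Run it periodically against every portainer-* ClusterRole and Role; an empty `added` set is the expected result, and anything in `escalations` should be treated as an incident rather than drift, because every Portainer user bound to that role has already inherited it.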
Portainer Access Restrictions
The rows below are Portainer's own authorization flags for each role (R = read, RW = read and write; an empty cell means the function is not available to that role). They apply in addition to the Kubernetes bindings above.
Function | Environment Administrator | Operator | Helpdesk | User | Read-Only |
---|---|---|---|---|---|
Namespace Scope | All | All, EXCEPT System | All, EXCEPT System | Default + Assigned | Default + Assigned |
Namespaces | RW | R | R | R | R |
Namespace Details | RW | R | R | R | R |
Namespace Access Management | RW | | | | |
Applications | RW | R | R | RW | R |
Application Details | RW | R | R | RW | R |
Pod Delete | Yes | Yes | | | |
Application Console | RW | RW | | | |
Advanced Deployment | RW | RW | | | |
ConfigMaps & Secrets | RW | R | R | RW | R |
ConfigMap & Secret Details | RW | RW | R | RW | R |
Volumes | RW | R | R | RW | R |
Volume Details | RW | R | R | RW | R |
Cluster | RW | R | R | | |
Cluster Node View | RW | R | R | | |
Cluster Setup | RW | | | | |
Application Error Details | R | R | R | | |
Storage Class Disabled | R | R | R | | |
Community Edition
The following tables cover the two roles available in Portainer Community Edition (CE). Note that Portainer CE has no authorization flags of its own, so the Kubernetes bindings below are the only restriction. Keep in mind that the built-in `edit` ClusterRole allows reading Secrets and running Pods as any ServiceAccount in the namespace, so a CE User effectively gains the API access of every ServiceAccount in the namespaces assigned to them.
Portainer Role | Cluster Role Binding | Namespace Role Binding |
---|---|---|
Admin | (no restriction) | (no restriction) |
User | portainer-cr-user | edit (default k8s role, only assigned namespaces) |
portainer-cr-user
API Group | Resources | Verbs |
---|---|---|
(Empty) | namespaces, nodes | list |
storage.k8s.io | storageclasses | list |
networking.k8s.io | ingresses | list |