# Kubernetes roles and bindings
{% hint style="info" %}
Role-Based Access Control is only available in Portainer Business Edition.
{% endhint %}
When managing a Kubernetes environment with Portainer, the Role-Based Access Control (RBAC) configuration is based on two components:
* Kubernetes' cluster roles and namespace roles (which restrict access to Kubernetes itself)
* Portainer's authorization flags (which [restrict access](#portainer-access-restrictions) to Portainer's functionality)
The following tables provide a reference for how our Portainer roles map to capabilities within Kubernetes.
## Role Allocations
| Portainer Role | Cluster Role Binding | Namespace Role Binding |
| ------------------------- | ------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------- |
| Environment Administrator | cluster-admin (k8s system) | N/A |
| Operator | [portainer-operator](#portainer-operator), [portainer-helpdesk](#portainer-helpdesk) | [portainer-view](#portainer-view) (all non-system namespaces) |
| User | [portainer-basic](#portainer-basic) | [portainer-edit](#portainer-edit), [portainer-view](#portainer-view) (only assigned namespaces) |
| Helpdesk | [portainer-helpdesk](#portainer-helpdesk) | [portainer-view](#portainer-view) (all non-system namespaces) |
| Read-Only | [portainer-basic](#portainer-basic) | [portainer-view](#portainer-view) (only assigned namespaces) |
## Cluster Roles
### portainer-basic
| API Group | Resources | Verbs |
| ----------------- | ----------------------- | --------- |
| (Empty) | namespaces, nodes | get, list |
| storage.k8s.io | storageclasses | list |
| metrics.k8s.io | namespaces, pods, nodes | get, list |
| networking.k8s.io | ingressclasses | list |
### portainer-helpdesk
| API Group | Resources | Verbs |
| ----------------- | ------------------------------------------------------- | ---------------- |
| (Empty) | componentstatuses, endpoints, events, namespaces, nodes | get, list, watch |
| storage.k8s.io | storageclasses | get, list, watch |
| networking.k8s.io | ingresses | get, watch |
| networking.k8s.io | ingressclasses | list |
| metrics.k8s.io | pods, nodes, nodes/stats, namespace | get, list, watch |
### portainer-operator
| API Group | Resources | Verbs |
| -------------- | ------------------------------------- | ---------------- |
| (Empty) | configmaps | update |
| (Empty) | pods | delete |
| apps | daemonsets, deployments, statefulsets | patch |
| metrics.k8s.io | pods, nodes, nodes/stats, namespaces | get, list, watch |
## Namespace Roles
### portainer-edit
| API Group | Resources | Verbs |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- |
| (Empty) | configmaps, endpoints, persistentvolumeclaims, pods, pods/attach, pods/exec, pods/portforward, pods/proxy, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy | create, delete, deletecollection, patch, update |
| (Empty) | pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy | get, list, watch |
| apps | daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale | create, delete, deletecollection, patch, update |
| autoscaling | horizontalpodautoscalers | create, delete, deletecollection, patch, update |
| batch | cronjobs, jobs | create, delete, deletecollection, patch, update |
| extensions | daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale | create, delete, deletecollection, patch, update |
| networking.k8s.io | ingresses, networkpolicies | create, delete, deletecollection, patch, update |
| policy | poddisruptionbudgets | create, delete, deletecollection, patch, update |
### portainer-view
| API Group | Resources | Verbs |
| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
| (Empty) | bindings, componentstatuses, configmaps, endpoints, events, limitranges, namespaces, namespaces/status, persistentvolumeclaims, persistentvolumeclaims/status, pods, pods/log, pods/status, replicationcontrollers, replicationcontrollers/scale, replicationcontrollers/status, resourcequotas, resourcequotas/status, secrets, serviceaccounts, services, services/status | get, list, watch |
| apps | controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status | get, list, watch |
| autoscaling | horizontalpodautoscalers, horizontalpodautoscalers/status | get, list, watch |
| batch | cronjobs, cronjobs/status, jobs, jobs/status | get, list, watch |
| extensions | daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale | get, list, watch |
| networking.k8s.io | ingresses, ingresses/status, networkpolicies | get, list, watch |
| policy | poddisruptionbudgets, poddisruptionbudgets/status | get, list, watch |
## Portainer Access Restrictions
| Function | Endpoint admin | Operator | Helpdesk | Standard User | Read-only User |
| --------------------------- | -------------- | ------------------ | ------------------ | ------------------ | ------------------ |
| Namespace Scope | All | All, EXCEPT System | All, EXCEPT System | Default + Assigned | Default + Assigned |
| Namespaces | RW | R | R | R | R |
| Namespace Details | RW | R | R | R | R |
| Namespace Access Management | RW | | | | |
| Applications | RW | R | R | RW | R |
| Application Details | RW | R | R | RW | R |
| Pod Delete | Yes | Yes | | | |
| Application Console | RW | RW | | | |
| Advanced Deployment | RW | | | RW | |
| ConfigMaps & Secrets | RW | R | R | RW | R |
| ConfigMap & Secret Details | RW | RW | R | RW | R |
| Volumes | RW | R | R | RW | R |
| Volume Details | RW | R | R | RW | R |
| Cluster | RW | R | R | | |
| Cluster Node View | RW | R | R | | |
| Cluster Setup | RW | | | | |
| Application Error Details | R | R | R | | |
| Storage Class Disabled | R | R | R | | |
## Community Edition
The following tables cover the two roles available in Portainer Community Edition (CE). Note there is no Portainer access restriction in Portainer CE.
| Portainer Role | Cluster Role Binding | Namespace Role Binding |
| -------------- | --------------------------------------- | ------------------------------------------------- |
| Admin | (no restriction) | (no restriction) |
| User | [portainer-cr-user](#portainer-cr-user) | edit (default k8s role, only assigned namespaces) |
### portainer-cr-user
| API Group | Resources | Verbs |
| ----------------- | ----------------- | ----- |
| (Empty) | namespaces, nodes | list |
| storage.k8s.io | storageclasses | list |
| networking.k8s.io | ingresses | list |