Kubernetes roles and bindings

Environment Administrator

cluster-admin (k8s system)

N/A

Operator

User

Helpdesk

Read-Only

(Empty)

namespaces, nodes

get, list

storage.k8s.io

storageclasses

list

metrics.k8s.io

namespaces, pods, nodes

get, list

networking.k8s.io

ingressclasses

list

(Empty)

componentstatuses, endpoints, events, namespaces, nodes

get, list, watch

storage.k8s.io

storageclasses

get, list, watch

networking.k8s.io

ingresses

get, watch

networking.k8s.io

ingressclasses

list

metrics.k8s.io

pods, nodes, nodes/stats, namespace

get, list, watch

(Empty)

configmaps

update

(Empty)

pods

delete

apps

daemonsets, deployments, statefulsets

patch

metrics.k8s.io

pods, nodes, nodes/stats, namespaces

get, list, watch

(Empty)

configmaps, endpoints, persistentvolumeclaims, pods, pods/attach, pods/exec, pods/portforward, pods/proxy, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy

create, delete, deletecollection, patch, update

(Empty)

pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy

get, list, watch

apps

daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale

create, delete, deletecollection, patch, update

autoscaling

horizontalpodautoscalers

create, delete, deletecollection, patch, update

batch

cronjobs, jobs

create, delete, deletecollection, patch, update

extensions

daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale

create, delete, deletecollection, patch, update

networking.k8s.io

ingresses, networkpolicies

create, delete, deletecollection, patch, update

policy

poddisruptionbudgets

create, delete, deletecollection, patch, update

(Empty)

bindings, componentstatuses, configmaps, endpoints, events, limitranges, namespaces, namespaces/status, persistentvolumeclaims, persistentvolumeclaims/status, pods, pods/log, pods/status, replicationcontrollers, replicationcontrollers/scale, replicationcontrollers/status, resourcequotas, resourcequotas/status, secrets, serviceaccounts, services, services/status

get, list, watch

apps

controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status

get, list, watch

autoscaling

horizontalpodautoscalers, horizontalpodautoscalers/status

get, list, watch

batch

cronjobs, cronjobs/status, jobs, jobs/status

get, list, watch

extensions

daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale

get, list, watch

networking.k8s.io

ingresses, ingresses/status, networkpolicies

get, list, watch

policy

poddisruptionbudgets, poddisruptionbudgets/status

get, list, watch

Namespace Scope

All

All, EXCEPT System

All, EXCEPT System

Default + Assigned

Default + Assigned

Namespaces

RW

R

R

R

R

Namespace Details

RW

R

R

R

R

Namespace Access Management

RW

Applications

RW

R

R

RW

R

Application Details

RW

R

R

RW

R

Pod Delete

Yes

Yes

Application Console

RW

RW

Advanced Deployment

RW

RW

ConfigMaps & Secrets

RW

R

R

RW

R

ConfigMap & Secret Details

RW

RW

R

RW

R

Volumes

RW

R

R

RW

R

Volume Details

RW

R

R

RW

R

Cluster

RW

R

R

Cluster Node View

RW

R

R

Cluster Setup

RW

Application Error Details

R

R

R

Storage Class Disabled

R

R

R

Admin

(no restriction)

(no restriction)

User

edit (default k8s role, only assigned namespaces)

(Empty)

namespaces, nodes

list

storage.k8s.io

storageclasses

list

networking.k8s.io

ingresses

list