Portainer Documentation

Official Website Knowledge Base Pricing Get 3 Nodes of BE Free

2.27 LTS

2.27 LTS

Welcome
What's new in version 2.27
Release Notes
Getting Started
Using Portainer
Administering Portainer
Frequently Asked Questions
Advanced Topics
API
Get More Help
Contribute to Portainer
- Contribute
- Build instructions
  - Set up a macOS build environment
  - Set up a Linux build environment

Powered by GitBook

On this page

Role Allocations
Cluster Roles
portainer-basic
portainer-helpdesk
portainer-operator
Namespace Roles
portainer-edit
portainer-view
Portainer Access Restrictions
Community Edition
portainer-cr-user

Was this helpful?

Advanced Topics

Kubernetes roles and bindings

PreviousDocker roles and permissions NextDeprecated and removed features

Was this helpful?

Role-Based Access Control is only available in Portainer Business Edition.

When managing a Kubernetes environment with Portainer, the Role-Based Access Control (RBAC) configuration is based on two components:

Kubernetes' cluster roles and namespace roles (which restrict access to Kubernetes itself)
Portainer's authorization flags (which to Portainer's functionality)

The following tables provide a reference for how our Portainer roles map to capabilities within Kubernetes.

Role Allocations

Portainer Role

Cluster Role Binding

Namespace Role Binding

Environment Administrator

cluster-admin (k8s system)

N/A

Operator

User

Helpdesk

Read-Only

Cluster Roles

portainer-basic

API Group

Resources

Verbs

(Empty)

namespaces, nodes

get, list

storage.k8s.io

storageclasses

list

metrics.k8s.io

namespaces, pods, nodes

get, list

networking.k8s.io

ingressclasses

list

portainer-helpdesk

API Group

Resources

Verbs

(Empty)

componentstatuses, endpoints, events, namespaces, nodes

get, list, watch

storage.k8s.io

storageclasses

get, list, watch

networking.k8s.io

ingresses

get, watch

networking.k8s.io

ingressclasses

list

metrics.k8s.io

pods, nodes, nodes/stats, namespace

get, list, watch

portainer-operator

API Group

Resources

Verbs

(Empty)

configmaps

update

(Empty)

pods

delete

apps

daemonsets, deployments, statefulsets

patch

metrics.k8s.io

pods, nodes, nodes/stats, namespaces

get, list, watch

Namespace Roles

portainer-edit

API Group

Resources

Verbs

(Empty)

configmaps, endpoints, persistentvolumeclaims, pods, pods/attach, pods/exec, pods/portforward, pods/proxy, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy

create, delete, deletecollection, patch, update

(Empty)

pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy

get, list, watch

apps

daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale

create, delete, deletecollection, patch, update

autoscaling

horizontalpodautoscalers

create, delete, deletecollection, patch, update

batch

cronjobs, jobs

create, delete, deletecollection, patch, update

extensions

daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale

create, delete, deletecollection, patch, update

networking.k8s.io

ingresses, networkpolicies

create, delete, deletecollection, patch, update

policy

poddisruptionbudgets

create, delete, deletecollection, patch, update

portainer-view

API Group

Resources

Verbs

(Empty)

bindings, componentstatuses, configmaps, endpoints, events, limitranges, namespaces, namespaces/status, persistentvolumeclaims, persistentvolumeclaims/status, pods, pods/log, pods/status, replicationcontrollers, replicationcontrollers/scale, replicationcontrollers/status, resourcequotas, resourcequotas/status, secrets, serviceaccounts, services, services/status

get, list, watch

apps

controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status

get, list, watch

autoscaling

horizontalpodautoscalers, horizontalpodautoscalers/status

get, list, watch

batch

cronjobs, cronjobs/status, jobs, jobs/status

get, list, watch

extensions

daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale

get, list, watch

networking.k8s.io

ingresses, ingresses/status, networkpolicies

get, list, watch

policy

poddisruptionbudgets, poddisruptionbudgets/status

get, list, watch

Portainer Access Restrictions

Function

Endpoint admin

Operator

Helpdesk

Standard User

Read-only User

Namespace Scope

All

All, EXCEPT System

All, EXCEPT System

Default + Assigned

Default + Assigned

Namespaces

RW

R

R

R

R

Namespace Details

RW

R

R

R

R

Namespace Access Management

RW

Applications

RW

R

R

RW

R

Application Details

RW

R

R

RW

R

Pod Delete

Yes

Yes

Application Console

RW

RW

Advanced Deployment

RW

RW

ConfigMaps & Secrets

RW

R

R

RW

R

ConfigMap & Secret Details

RW

RW

R

RW

R

Volumes

RW

R

R

RW

R

Volume Details

RW

R

R

RW

R

Cluster

RW

R

R

Cluster Node View

RW

R

R

Cluster Setup

RW

Application Error Details

R

R

R

Storage Class Disabled

R

R

R

Community Edition

The following tables cover the two roles available in Portainer Community Edition (CE). Note there is no Portainer access restriction in Portainer CE.

Portainer Role

Cluster Role Binding

Namespace Role Binding

Admin

(no restriction)

(no restriction)

User

edit (default k8s role, only assigned namespaces)

portainer-cr-user

API Group

Resources

Verbs

(Empty)

namespaces, nodes

list

storage.k8s.io

storageclasses

list

networking.k8s.io

ingresses

list

,

(all non-system namespaces)

, (only assigned namespaces)

(all non-system namespaces)

(only assigned namespaces)

restrict access

portainer-operator

portainer-helpdesk

portainer-basic

portainer-helpdesk

portainer-basic

portainer-cr-user