Kubernetes roles and bindings

Role-Based Access Control is only available in Portainer Business Edition.
When managing a Kubernetes environment with Portainer, the Role-Based Access Control (RBAC) configuration is based on two components:
  • Kubernetes' cluster roles and namespace roles (which restrict access to Kubernetes itself)
  • Portainer's authorization flags (which restrict access to Portainer's functionality)
The following tables provide a reference for how our Portainer roles map to capabilities within Kubernetes.

Role Allocations

| Portainer Role            | Cluster Role Binding       | Namespace Role Binding                                    |
|---------------------------|----------------------------|-----------------------------------------------------------|
| Environment Administrator | cluster-admin (k8s system) | N/A                                                       |
| Operator                  |                            | portainer-view (all non-system namespaces)                |
| User                      |                            | portainer-edit, portainer-view (only assigned namespaces) |
| Helpdesk                  |                            | portainer-view (all non-system namespaces)                |
| Read-Only                 |                            | portainer-view (only assigned namespaces)                 |

Cluster Roles

In the tables below, "(Empty)" in the API Group column denotes the Kubernetes core API group (the one written as an empty string in a role manifest).

portainer-basic

| API Group         | Resources               | Verbs     |
|-------------------|-------------------------|-----------|
| (Empty)           | namespaces, nodes       | get, list |
| storage.k8s.io    | storageclasses          | list      |
| metrics.k8s.io    | namespaces, pods, nodes | get, list |
| networking.k8s.io | ingressclasses          | list      |

portainer-helpdesk

| API Group         | Resources                                               | Verbs            |
|-------------------|---------------------------------------------------------|------------------|
| (Empty)           | componentstatuses, endpoints, events, namespaces, nodes | get, list, watch |
| storage.k8s.io    | storageclasses                                          | get, list, watch |
| networking.k8s.io | ingresses                                               | get, watch       |
| networking.k8s.io | ingressclasses                                          | list             |
| metrics.k8s.io    | pods, nodes, nodes/stats, namespaces                    | get, list, watch |

portainer-operator

| API Group      | Resources                             | Verbs            |
|----------------|---------------------------------------|------------------|
| (Empty)        | configmaps                            | update           |
| (Empty)        | pods                                  | delete           |
| apps           | daemonsets, deployments, statefulsets | patch            |
| metrics.k8s.io | pods, nodes, nodes/stats, namespaces  | get, list, watch |
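Because Portainer's own permission checks sit on top of these Kubernetes roles, a portainer-* role that is later widened in the cluster (extra verbs, extra resources, a wildcard) silently widens what every Portainer user bound to it can do. The following audit check is an added example, not Portainer's own code: it compares a ClusterRole, in the shape `kubectl get clusterrole portainer-basic -o json` returns, against the portainer-basic table above and reports every grant the table does not document. The sample role is constructed for illustration; the same functions work unchanged on the namespace Roles listed later on this page.

```python
import json
# Expected rule set for the portainer-basic ClusterRole, transcribed from the
# table above: (apiGroup, resource) -> allowed verbs. "" is the core API group.
EXPECTED_PORTAINER_BASIC = {
    ("", "namespaces"): {"get", "list"},
    ("", "nodes"): {"get", "list"},
    ("storage.k8s.io", "storageclasses"): {"list"},
    ("metrics.k8s.io", "namespaces"): {"get", "list"},
    ("metrics.k8s.io", "pods"): {"get", "list"},
    ("metrics.k8s.io", "nodes"): {"get", "list"},
    ("networking.k8s.io", "ingressclasses"): {"list"},
}

def flatten_rules(role):
    """Expand a Role/ClusterRole into {(apiGroup, resource): set(verbs)}. A wildcard
    ("*") is kept literally so it surfaces as excess; documented roles never use one."""
    granted = {}
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                granted.setdefault((group, resource), set()).update(rule.get("verbs", []))
    return granted

def find_excess(role, expected):
    """Return {(apiGroup, resource): verbs} that `role` grants beyond `expected`."""
    excess = {}
    for key, verbs in flatten_rules(role).items():
        extra = verbs - expected.get(key, set())
        if extra:
            excess[key] = extra
    return excess

# Constructed sample standing in for `kubectl get clusterrole portainer-basic -o json`
# on a cluster where the role was widened (secrets read, namespace creation).
SAMPLE_ROLE = json.loads("""
{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
 "metadata": {"name": "portainer-basic"},
 "rules": [
  {"apiGroups": [""], "resources": ["namespaces", "nodes"], "verbs": ["get", "list"]},
  {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["create"]},
  {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
  {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["list"]},
  {"apiGroups": ["metrics.k8s.io"], "resources": ["namespaces", "pods", "nodes"], "verbs": ["get", "list"]},
  {"apiGroups": ["networking.k8s.io"], "resources": ["ingressclasses"], "verbs": ["list"]}
 ]}
""")

if __name__ == "__main__":
    for (group, resource), verbs in sorted(find_excess(SAMPLE_ROLE, EXPECTED_PORTAINER_BASIC).items()):
        print(f"excess grant: {group or 'core'}/{resource}: {sorted(verbs)}")
```

Running it on a live cluster means feeding the output of the `kubectl get ... -o json` command into `json.loads` instead of the constructed sample; an empty result is the expected state.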

Namespace Roles

portainer-edit

| API Group | Resources | Verbs |
|---|---|---|
| (Empty) | configmaps, endpoints, persistentvolumeclaims, pods, pods/attach, pods/exec, pods/portforward, pods/proxy, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy | create, delete, deletecollection, patch, update |
| (Empty) | pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy | get, list, watch |
| apps | daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale | create, delete, deletecollection, patch, update |
| autoscaling | horizontalpodautoscalers | create, delete, deletecollection, patch, update |
| batch | cronjobs, jobs | create, delete, deletecollection, patch, update |
| extensions | daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale | create, delete, deletecollection, patch, update |
| networking.k8s.io | ingresses, networkpolicies | create, delete, deletecollection, patch, update |
| policy | poddisruptionbudgets | create, delete, deletecollection, patch, update |

portainer-view

| API Group | Resources | Verbs |
|---|---|---|
| (Empty) | bindings, componentstatuses, configmaps, endpoints, events, limitranges, namespaces, namespaces/status, persistentvolumeclaims, persistentvolumeclaims/status, pods, pods/log, pods/status, replicationcontrollers, replicationcontrollers/scale, replicationcontrollers/status, resourcequotas, resourcequotas/status, secrets, serviceaccounts, services, services/status | get, list, watch |
| apps | controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status | get, list, watch |
| autoscaling | horizontalpodautoscalers, horizontalpodautoscalers/status | get, list, watch |
| batch | cronjobs, cronjobs/status, jobs, jobs/status | get, list, watch |
| extensions | daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale | get, list, watch |
| networking.k8s.io | ingresses, ingresses/status, networkpolicies | get, list, watch |
| policy | poddisruptionbudgets, poddisruptionbudgets/status | get, list, watch |

Portainer Access Restrictions

RW = read and write, R = read only; an empty cell means the function is not available to that role.

| Function                    | Endpoint admin | Operator           | Helpdesk           | Standard User      | Read-only User     |
|-----------------------------|----------------|--------------------|--------------------|--------------------|--------------------|
| Namespace Scope             | All            | All, EXCEPT System | All, EXCEPT System | Default + Assigned | Default + Assigned |
| Namespaces                  | RW             | R                  | R                  | R                  | R                  |
| Namespace Details           | RW             | R                  | R                  | R                  | R                  |
| Namespace Access Management | RW             |                    |                    |                    |                    |
| Applications                | RW             | R                  | R                  | RW                 | R                  |
| Application Details         | RW             | R                  | R                  | RW                 | R                  |
| Pod Delete                  | Yes            | Yes                |                    |                    |                    |
| Application Console         | RW             |                    |                    | RW                 |                    |
| Advanced Deployment         | RW             |                    |                    | RW                 |                    |
| ConfigMaps & Secrets        | RW             | R                  | R                  | RW                 | R                  |
| ConfigMap & Secret Details  | RW             | RW                 | R                  | RW                 | R                  |
| Volumes                     | RW             | R                  | R                  | RW                 | R                  |
| Volume Details              | RW             | R                  | R                  | RW                 | R                  |
| Cluster                     | RW             | R                  | R                  |                    |                    |
| Cluster Node View           | RW             | R                  | R                  |                    |                    |
| Cluster Setup               | RW             |                    |                    |                    |                    |
| Application Error Details   | R              | R                  | R                  |                    |                    |
| Storage Class Disabled      | R              | R                  | R                  |                    |                    |

Community Edition

The following tables cover the two roles available in Portainer Community Edition (CE). Note that there are no Portainer access restrictions in Portainer CE.

| Portainer Role | Cluster Role Binding | Namespace Role Binding                            |
|----------------|----------------------|---------------------------------------------------|
| Admin          | (no restriction)     | (no restriction)                                  |
| User           |                      | edit (default k8s role, only assigned namespaces) |

portainer-cr-user

| API Group         | Resources         | Verbs |
|-------------------|-------------------|-------|
| (Empty)           | namespaces, nodes | list  |
| storage.k8s.io    | storageclasses    | list  |
| networking.k8s.io | ingresses         | list  |