# Kubernetes roles and bindings

{% hint style="info" %}
Role-Based Access Control is only available in Portainer Business Edition.
{% endhint %}

When managing a Kubernetes environment with Portainer, the Role-Based Access Control (RBAC) configuration is based on two components:

* Kubernetes' cluster roles and namespace roles (which restrict access to Kubernetes itself)
* Portainer's authorization flags (which [restrict access](#portainer-access-restrictions) to Portainer's functionality)

The following tables provide a reference for how our Portainer roles map to capabilities within Kubernetes.

## Role Allocations <a href="#role-allocations" id="role-allocations"></a>

| Portainer Role            | Cluster Role Binding                                                                 | Namespace Role Binding                                                                          |
| ------------------------- | ------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------- |
| Environment Administrator | cluster-admin (k8s system)                                                           | N/A                                                                                             |
| Operator                  | [portainer-operator](#portainer-operator), [portainer-helpdesk](#portainer-helpdesk) | [portainer-view](#portainer-view) (all non-system namespaces)                                   |
| User                      | [portainer-basic](#portainer-basic)                                                  | [portainer-edit](#portainer-edit), [portainer-view](#portainer-view) (only assigned namespaces) |
| Helpdesk                  | [portainer-helpdesk](#portainer-helpdesk)                                            | [portainer-view](#portainer-view) (all non-system namespaces)                                   |
| Read-Only                 | [portainer-basic](#portainer-basic)                                                  | [portainer-view](#portainer-view) (only assigned namespaces)                                    |

## Cluster Roles <a href="#cluster-roles" id="cluster-roles"></a>

### portainer-basic <a href="#portainer-basic" id="portainer-basic"></a>

| API Group         | Resources               | Verbs     |
| ----------------- | ----------------------- | --------- |
| (Empty)           | namespaces, nodes       | get, list |
| storage.k8s.io    | storageclasses          | list      |
| metrics.k8s.io    | namespaces, pods, nodes | get, list |
| networking.k8s.io | ingressclasses          | list      |

### portainer-helpdesk <a href="#portainer-helpdesk" id="portainer-helpdesk"></a>

| API Group         | Resources                                               | Verbs            |
| ----------------- | ------------------------------------------------------- | ---------------- |
| (Empty)           | componentstatuses, endpoints, events, namespaces, nodes | get, list, watch |
| storage.k8s.io    | storageclasses                                          | get, list, watch |
| networking.k8s.io | ingresses                                               | get, watch       |
| networking.k8s.io | ingressclasses                                          | list             |
| metrics.k8s.io    | pods, nodes, nodes/stats, namespaces                    | get, list, watch |

### portainer-operator <a href="#portainer-operator" id="portainer-operator"></a>

| API Group      | Resources                             | Verbs            |
| -------------- | ------------------------------------- | ---------------- |
| (Empty)        | configmaps                            | update           |
| (Empty)        | pods                                  | delete           |
| apps           | daemonsets, deployments, statefulsets | patch            |
| metrics.k8s.io | pods, nodes, nodes/stats, namespaces  | get, list, watch |

## Namespace Roles <a href="#namespace-roles" id="namespace-roles"></a>

### portainer-edit <a href="#portainer-edit" id="portainer-edit"></a>

| API Group         | Resources                                                                                                                                                                                                           | Verbs                                           |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------- |
| (Empty)           | configmaps, endpoints, persistentvolumeclaims, pods, pods/attach, pods/exec, pods/portforward, pods/proxy, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy | create, delete, deletecollection, patch, update |
| (Empty)           | pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy                                                                                                                                       | get, list, watch                                |
| apps              | daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale                                                                                  | create, delete, deletecollection, patch, update |
| autoscaling       | horizontalpodautoscalers                                                                                                                                                                                            | create, delete, deletecollection, patch, update |
| batch             | cronjobs, jobs                                                                                                                                                                                                      | create, delete, deletecollection, patch, update |
| extensions        | daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale                                                          | create, delete, deletecollection, patch, update |
| networking.k8s.io | ingresses, networkpolicies                                                                                                                                                                                          | create, delete, deletecollection, patch, update |
| policy            | poddisruptionbudgets                                                                                                                                                                                                | create, delete, deletecollection, patch, update |

### portainer-view <a href="#portainer-view" id="portainer-view"></a>

| API Group         | Resources                                                                                                                                                                                                                                                                                                                                                                   | Verbs            |
| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
| (Empty)           | bindings, componentstatuses, configmaps, endpoints, events, limitranges, namespaces, namespaces/status, persistentvolumeclaims, persistentvolumeclaims/status, pods, pods/log, pods/status, replicationcontrollers, replicationcontrollers/scale, replicationcontrollers/status, resourcequotas, resourcequotas/status, secrets, serviceaccounts, services, services/status | get, list, watch |
| apps              | controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status                                                                                                                                                           | get, list, watch |
| autoscaling       | horizontalpodautoscalers, horizontalpodautoscalers/status                                                                                                                                                                                                                                                                                                                   | get, list, watch |
| batch             | cronjobs, cronjobs/status, jobs, jobs/status                                                                                                                                                                                                                                                                                                                                | get, list, watch |
| extensions        | daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale                                                                                                                                                           | get, list, watch |
| networking.k8s.io | ingresses, ingresses/status, networkpolicies                                                                                                                                                                                                                                                                                                                                | get, list, watch |
| policy            | poddisruptionbudgets, poddisruptionbudgets/status                                                                                                                                                                                                                                                                                                                           | get, list, watch |
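To audit what a given Portainer role actually permits, it helps to evaluate the tables above the way the Kubernetes RBAC authorizer does: rules from ClusterRoleBindings apply in every namespace, rules from RoleBindings only in the namespaces they were created in, and any single matching rule allows the request. The evaluator below is an added example, not Portainer's code; it encodes an abridged copy of the `portainer-basic`, `portainer-edit` and `portainer-view` rules from this page and the "User" and "Read-Only" allocations, and it also handles the `*` wildcard the page's roles do not use.

```python
from dataclasses import dataclass

# A rule is (apiGroup, resources, verbs); "" is the core (Empty) API group.
Rule = tuple[str, frozenset[str], frozenset[str]]

def rule(group: str, resources: str, verbs: str) -> Rule:
    return (group, frozenset(resources.split(", ")), frozenset(verbs.split(", ")))

# Abridged copies of the tables above (only the entries needed for the checks below).
PORTAINER_BASIC = [                                   # ClusterRole
    rule("", "namespaces, nodes", "get, list"),
    rule("storage.k8s.io", "storageclasses", "list"),
]
PORTAINER_EDIT = [                                    # namespace Role
    rule("", "configmaps, endpoints, persistentvolumeclaims, pods, pods/attach, pods/exec, "
             "pods/portforward, pods/proxy, secrets, serviceaccounts, services",
         "create, delete, deletecollection, patch, update"),
    rule("", "pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy",
         "get, list, watch"),
]
PORTAINER_VIEW = [                                    # namespace Role
    rule("", "configmaps, endpoints, events, pods, pods/log, secrets, serviceaccounts, services",
         "get, list, watch"),
]

@dataclass
class Subject:
    cluster_roles: list        # ClusterRoleBindings: rules apply in every namespace
    namespace_roles: dict      # RoleBindings: namespace -> list of Roles bound there

def portainer_user(assigned: list[str]) -> Subject:        # "User" row of Role Allocations
    return Subject([PORTAINER_BASIC], {ns: [PORTAINER_EDIT, PORTAINER_VIEW] for ns in assigned})

def portainer_read_only(assigned: list[str]) -> Subject:   # "Read-Only" row
    return Subject([PORTAINER_BASIC], {ns: [PORTAINER_VIEW] for ns in assigned})

def rule_matches(r: Rule, group: str, resource: str, verb: str) -> bool:
    # Kubernetes RBAC semantics: group, resource and verb must all match; "*" is a wildcard
    # in each position, and a subresource such as pods/exec must be named explicitly.
    g, resources, verbs = r
    return g in (group, "*") and (resource in resources or "*" in resources) \
        and (verb in verbs or "*" in verbs)

def can_i(s: Subject, verb: str, resource: str, namespace: str, group: str = "") -> bool:
    """Allow if any rule of any bound role matches (RBAC is additive; there are no deny rules)."""
    roles = list(s.cluster_roles) + s.namespace_roles.get(namespace, [])
    return any(rule_matches(r, group, resource, verb) for role in roles for r in role)

if __name__ == "__main__":
    u, ro = portainer_user(["team-a"]), portainer_read_only(["team-a"])
    print("User exec in team-a:", can_i(u, "create", "pods/exec", "team-a"))   # True
    print("User exec in team-b:", can_i(u, "create", "pods/exec", "team-b"))   # False
    print("Read-only reads secrets:", can_i(ro, "get", "secrets", "team-a"))   # True
```

The last check is the caveat worth noting when assigning namespaces: because `portainer-view` includes `secrets`, a Read-Only user can read Secret contents in every namespace they are assigned to, so namespace assignment is the effective boundary for secret exposure.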

## Portainer Access Restrictions <a href="#portainer-access-restrictions" id="portainer-access-restrictions"></a>

| Function                    | Endpoint admin | Operator           | Helpdesk           | Standard User      | Read-only User     |
| --------------------------- | -------------- | ------------------ | ------------------ | ------------------ | ------------------ |
| Namespace Scope             | All            | All, EXCEPT System | All, EXCEPT System | Default + Assigned | Default + Assigned |
| Namespaces                  | RW             | R                  | R                  | R                  | R                  |
| Namespace Details           | RW             | R                  | R                  | R                  | R                  |
| Namespace Access Management | RW             |                    |                    |                    |                    |
| Applications                | RW             | R                  | R                  | RW                 | R                  |
| Application Details         | RW             | R                  | R                  | RW                 | R                  |
| Pod Delete                  | Yes            | Yes                |                    |                    |                    |
| Application Console         | RW             | RW                 |                    |                    |                    |
| Advanced Deployment         | RW             |                    |                    | RW                 |                    |
| ConfigMaps & Secrets        | RW             | R                  | R                  | RW                 | R                  |
| ConfigMap & Secret Details  | RW             | RW                 | R                  | RW                 | R                  |
| Volumes                     | RW             | R                  | R                  | RW                 | R                  |
| Volume Details              | RW             | R                  | R                  | RW                 | R                  |
| Cluster                     | RW             | R                  | R                  |                    |                    |
| Cluster Node View           | RW             | R                  | R                  |                    |                    |
| Cluster Setup               | RW             |                    |                    |                    |                    |
| Application Error Details   | R              | R                  | R                  |                    |                    |
| Storage Class Disabled      | R              | R                  | R                  |                    |                    |

## Community Edition

The following tables cover the two roles available in Portainer Community Edition (CE). Note that Portainer CE applies no Portainer access restrictions; only the Kubernetes role bindings below apply.

| Portainer Role | Cluster Role Binding                    | Namespace Role Binding                            |
| -------------- | --------------------------------------- | ------------------------------------------------- |
| Admin          | (no restriction)                        | (no restriction)                                  |
| User           | [portainer-cr-user](#portainer-cr-user) | edit (default k8s role, only assigned namespaces) |

### portainer-cr-user

| API Group         | Resources         | Verbs |
| ----------------- | ----------------- | ----- |
| (Empty)           | namespaces, nodes | list  |
| storage.k8s.io    | storageclasses    | list  |
| networking.k8s.io | ingresses         | list  |
