Security
Pre-defined RBAC roles
kspacr ensures that every Kubernetes User and Service Account is restricted by Role-Based Access Control (RBAC) to only access its namespace. This means that users can only see and interact with resources within their assigned namespace.
Read/Write Role ns-full-access
| API Group | Resources | Verbs |
|---|---|---|
| core | "configmaps", "endpoints", "persistentvolumeclaims", "pods", "replicationcontrollers", "secrets", "services", "serviceaccounts" | "get", "list", "watch", "create", "update", "patch", "delete" |
| core | "pods/log", "pods/exec", "pods/attach", "pods/portforward" | "get", "create" |
| core | "events", "limitranges", "resourcequotas" | "get", "list", "watch" |
| apps | "deployments", "replicasets", "statefulsets" | "get", "list", "watch", "create", "update", "patch", "delete" |
| apps | "daemonsets" | "get", "list", "watch" |
| autoscaling | "horizontalpodautoscalers" | "get", "list", "watch", "create", "update", "patch", "delete" |
| batch | "cronjobs", "jobs" | "get", "list", "watch", "create", "update", "patch", "delete" |
| networking | "ingresses", "networkpolicies" | "get", "list", "watch", "create", "update", "patch", "delete" |
| networking | "ingressclasses" | "get", "list" |
| policy | "poddisruptionbudgets" | "get", "list", "watch", "create", "update", "patch", "delete" |
| metrics | "pods" | "get", "list", "watch" |
| rbac | "roles", "rolebindings" | "get", "list", "watch", "create", "update", "patch", "delete" |
| flagger | "alertproviders", "canaries", "metrictemplates" | "get", "list", "watch", "create", "update", "patch", "delete" |
| cert-manager | "issuers", "certificates", "certificaterequests", "orders" | "get", "list", "watch" |
| acme.cert-manager | "orders", "challenges" | "get", "list", "watch" |
| kyverno | "policies" | "get", "list", "watch", "create", "update", "patch", "delete" |
Read/Write Role ns-full-access
| API Group | Resources | Verbs |
|---|---|---|
| core | "configmaps", "endpoints", "persistentvolumeclaims", "pods", "replicationcontrollers", "secrets", "services", "serviceaccounts" | "get", "list", "watch" |
| core | "pods/log", "pods/exec", "pods/attach", "pods/portforward" | "get" |
| core | "events", "limitranges", "resourcequotas" | "get", "list", "watch" |
| apps | "deployments", "replicasets", "statefulsets" | "get", "list", "watch" |
| apps | "daemonsets" | "get", "list", "watch" |
| autoscaling | "horizontalpodautoscalers" | "get", "list", "watch" |
| batch | "cronjobs", "jobs" | "get", "list", "watch" |
| networking | "ingresses", "networkpolicies" | "get", "list", "watch" |
| networking | "ingressclasses" | "get", "list" |
| policy | "poddisruptionbudgets" | "get", "list", "watch" |
| metrics | "pods" | "get", "list", "watch" |
| rbac | "roles", "rolebindings" | "get", "list", "watch" |
| flagger | "alertproviders", "canaries", "metrictemplates" | "get", "list", "watch" |
| cert-manager | "issuers", "certificates", "certificaterequests", "orders" | "get", "list", "watch" |
| acme.cert-manager | "orders", "challenges" | "get", "list", "watch" |
| kyverno | "policies" | "get", "list", "watch" |