RTFCTL Kubernetes Permissions
To successfully run rtfctl commands, you must understand and enable specific role permissions over Kubernetes resources.
The following table lists the permissions that you configure using Kubernetes (K8s) RBACs (role-based access control):
| rtfctl Command | Namespace | API Groups | Kubernetes Resources | Verbs |
|---|---|---|---|---|
|
rtf |
configmaps |
create, get, patch, update |
|
pods |
deletecollection |
|||
<app-namespace> |
secrets |
get, list, watch |
||
namespaces |
get, list, watch |
|||
secrets |
create, get, patch, update |
|||
|
rtf |
configmaps, secrets |
get |
|
|
rtf |
configmaps, secret |
get |
|
apps |
daemonsets, deployments |
get, list, watch |
||
|
rtf |
configmaps, pods/log |
get |
|
pods |
get, list, watch |
|||
secrets |
create, get |
|||
serviceaccounts |
create |
|||
batch |
jobs |
create, get |
||
namespaces |
create |
|||
rbac.authorization.k8s.io |
clusterrolebindings, clusterroles |
create |
||
|
configmaps, namespaces, secrets, serviceaccounts, services |
get, list, watch |
||
apiextensions.k8s.io |
customresourcedefinitions |
get |
||
apps |
daemonsets, deployments |
get, list, watch |
||
batch |
cronjobs |
get, list, watch |
||
networking.k8s.io |
ingresses |
get, list, watch |
||
rbac.authorization.k8s.io |
clusterrolebindings, clusterroles, rolebindings, roles |
get, list, watch |
||
rtf.mulesoft.com |
persistencegateways |
get, list, watch |
||
scheduling.k8s.io |
priorityclasses |
get |
||
|
rtf |
apps |
daemonsets |
create, get, patch, update |
batch |
cronjobs |
create, get, patch, update |
||
rtf.mulesoft.com |
persistencegateways |
get, list, watch |
||
configmaps, namespaces, secrets, serviceaccounts, services |
create, get, patch, update |
|||
apiextensions.k8s.io |
customresourcedefinitions |
get, patch, update |
||
apps |
deployments |
create, get, patch, update |
||
networking.k8s.io |
ingresses |
create, get, patch, update |
||
rbac.authorization.k8s.io |
clusterrolebindings, clusterroles |
create, get, patch, update |
||
scheduling.k8s.io |
priorityclasses |
create, get, patch, update |
||
|
rtf |
configmaps |
get |
|
pods |
deletecollection |
|||
secrets |
delete, get |
|||
batch |
jobs |
delete |
||
rtf-validate |
namespaces |
delete, get |
||
pods/log |
get |
|||
secrets, serviceaccounts |
create |
|||
batch |
jobs |
create, get |
||
namespaces |
create |
|||
nodes, pods |
get, list, watch |
|||
authorization.k8s.io |
selfsubjectaccessreviews |
create |
||
rbac.authorization.k8s.io |
clusterrolebindings, clusterroles |
create, delete |
||
|
rtf |
configmaps, secrets |
get |
|
|
<app-namespace> |
pods |
get, list, watch |
|
secrets |
get, list, patch, update, watch |
|||
rtf |
configmaps, secrets |
get |
||
|
<app-namespace> |
pods |
get, list, watch |
|
rtf |
configmaps, secrets |
get |
||
apps |
deployments |
get, list, watch |
||
|
<app-namespace> |
pods |
get, list, watch |
|
pods/exec |
create |
|||
rtf |
configmaps, secrets |
get |
||
|
<app-namespace> |
pods |
get, list, watch |
|
pods/exec |
create |
|||
rtf |
configmaps, secrets |
get |
||
|
<app-namespace> |
pods |
get, list, watch |
|
pods/exec |
create |
|||
rtf |
configmaps, secrets |
get |
||
|
<app-namespace> |
pods |
delete, get, list, watch |
|
rtf |
configmaps, secrets |
get |
||
|
<app-namespace> |
pods |
get, list, watch |
|
pods/exec |
create |
|||
rtf |
configmaps, secrets |
get |
||
|
<app-namespace> |
secrets |
get, list, watch |
|
pods/exec |
create |
|||
rtf |
configmaps, secrets |
get |
||
|
<app-namespace> |
secrets |
get, list, watch |
|
rtf |
configmaps, secrets |
get |
||
apps |
deployments |
get, list, watch |
||
|
rtf |
configmaps, limitranges, resourcequotas, secrets, serviceaccounts, services |
get, list, watch |
|
endpoints, pods/log |
get |
|||
apps |
daemonsets, deployments, replicasets |
get, list, watch |
||
batch |
cronjobs |
get, list, watch |
||
batch |
jobs |
create, delete, get, list, watch |
||
networking.k8s.io |
ingresses |
get, list, watch |
||
rbac.authorization.k8s.io |
roldebindings, roles |
get, list, watch |
||
rtf.mulesoft.com |
persistencegateways |
get, list, watch |
||
kube-node-lease |
coordination.k8s.io |
leases |
get |
|
events, namespaces, nodes, pods |
get, list, watch |
|||
|
rtf |
configmaps, pods/log, secrets |
get |
|
pods |
create, delete, get, list, watch |
|||
batch |
jobs |
create, delete, get |
||
|
rtf |
configmaps, pods/log, secrets |
get |
|
pods |
create, delete, get, list, watch |
|||
batch |
jobs |
create, delete, get |
||
nodes |
get, list, watch |
-
Namespace
Permissions can be role-based or cluster role-based:
-
Role-based: the namespace can be rtf, <app-namespace>, rtf-validate, or kube-node-lease.
-
Cluster role-based: because it applies to the entire cluster, the namespace field doesn’t exist and is blank in the table.
-
apiGroups
The API group for the K8s resources. When you create a role, each K8s resource declares its API group or uses the core API group if not specified. Refer to API groups for details.
-
Kubernetes Resource
Type of Kubernetes resources, for example,
pods,services, orsecretsto which the permissions apply. -
Verbs
Actions that are allowed on the specified Kubernetes resources.