RTFCTL Kubernetes Permissions

To successfully run rtfctl commands, you must understand and enable specific role permissions over Kubernetes resources.

The following table lists the permissions that you configure using Kubernetes (K8s) RBACs (role-based access control):

rtfctl Command Namespace API Groups Kubernetes Resources Verbs

rtfctl Command	Namespace	API Groups	Kubernetes Resources	Verbs
`apply`	rtf		configmaps	create, get, patch, update
	pods	deletecollection
<app-namespace>		secrets	get, list, watch
rtfctl-audit		secrets	create, get, patch, update
		namespaces	create, get, list, watch
	secrets	create, get, patch, update
`update`	rtf		configmaps, secrets	get
rtfctl-audit		secrets	create, get, patch, update
	namespaces	create
`wait`	rtf		configmaps, secret	get
rtfctl-audit		secrets	create, get, patch, update
	apps	daemonsets, deployments	get, list, watch
	namespaces	create
`install`	rtf		configmaps, pods/log	get
	pods	get, list, watch
	secrets	create, get
	serviceaccounts	create
batch	jobs	create, get
rtfctl-audit		secrets	create, get, patch, update
		namespaces	create
rbac.authorization.k8s.io	clusterrolebindings, clusterroles	create
`backup`	rtfctl-audit		secrets	create, get, patch, update
		namespaces	create, get, list, watch
	configmaps, namespaces, secrets, serviceaccounts, services	get, list, watch
apiextensions.k8s.io	customresourcedefinitions	get
apps	daemonsets, deployments	get, list, watch
batch	cronjobs	get, list, watch
networking.k8s.io	ingresses	get, list, watch
rbac.authorization.k8s.io	clusterrolebindings, clusterroles, rolebindings, roles	get, list, watch
rtf.mulesoft.com	persistencegateways	get, list, watch
scheduling.k8s.io	priorityclasses	get
`restore`	rtf	apps	daemonsets	create, get, patch, update
batch	cronjobs	create, get, patch, update
rtf.mulesoft.com	persistencegateways	get, list, watch
rtfctl-audit		secrets	create, get, patch, update
		configmaps, namespaces, secrets, serviceaccounts, services	create, get, patch, update
apiextensions.k8s.io	customresourcedefinitions	get, patch, update
apps	deployments	create, get, patch, update
networking.k8s.io	ingresses	create, get, patch, update
rbac.authorization.k8s.io	clusterrolebindings, clusterroles	create, get, patch, update
scheduling.k8s.io	priorityclasses	create, get, patch, update
`validate`	rtf		configmaps	get
	pods	deletecollection
	secrets	delete, get
batch	jobs	delete
rtf-validate		namespaces	delete, get
	pods/log	get
	secrets, serviceaccounts	create
batch	jobs	create, get
rtfctl-audit		secrets	create, get, patch, update
		namespaces	create
	nodes, pods	get, list, watch
authorization.k8s.io	selfsubjectaccessreviews	create
rbac.authorization.k8s.io	clusterrolebindings, clusterroles	create, delete
`version`	rtf		configmaps, secrets	get
rtfctl-audit		secrets	create, get, patch, update
		namespaces	create
`delete`	<app-namespace>		pods	get, list, watch
	secrets	get, list, patch, update, watch
rtf		configmaps, secrets	get
rtfctl-audit		secrets	create, get, patch, update
		namespaces	create
`describe`	<app-namespace>		pods	get, list, watch
rtf		configmaps, secrets	get
rtfctl-audit		secrets	create, get, patch, update
		namespaces	create
apps	deployments	get, list, watch
`disk`	<app-namespace>		pods	get, list, watch
	pods/exec	create
rtf		configmaps, secrets	get
rtfctl-audit		secrets	create, get, patch, update
		namespaces	create
`memory`	<app-namespace>		pods	get, list, watch
	pods/exec	create
rtf		configmaps, secrets	get
rtfctl-audit		secrets	create, get, patch, update
		namespaces	create
`package`	<app-namespace>		pods	get, list, watch
	pods/exec	create
rtf		configmaps, secrets	get
rtfctl-audit		secrets	create, get, patch, update
		namespaces	create
`restart`	<app-namespace>		pods	delete, get, list, watch
rtf		configmaps, secrets	get
rtfctl-audit		secrets	create, get, patch, update
		namespaces	create
`heapdump`	<app-namespace>		pods	get, list, watch
	pods/exec	create
rtf		configmaps, secrets	get
rtfctl-audit		secrets	create, get, patch, update
		namespaces	create
`threaddump`	<app-namespace>		secrets	get, list, watch
	pods/exec	create
rtf		configmaps, secrets	get
rtfctl-audit		secrets	create, get, patch, update
		namespaces	create
`get`	<app-namespace>		secrets	get, list, watch
rtf		configmaps, secrets	get
rtfctl-audit		secrets	create, get, patch, update
		namespaces	create
	apps	deployments	get, list, watch
`report`	rtf		configmaps, limitranges, resourcequotas, secrets, serviceaccounts, services	get, list, watch
	endpoints, pods/log	get
apps	daemonsets, deployments, replicasets	get, list, watch
batch	cronjobs	get, list, watch
batch	jobs	create, delete, get, list, watch
networking.k8s.io	ingresses	get, list, watch
rbac.authorization.k8s.io	rolebindings, roles	get, list, watch
rtf.mulesoft.com	persistencegateways	get, list, watch
kube-node-lease	coordination.k8s.io	leases	get
rtfctl-audit		secrets	create, get, patch, update
		namespaces	create, get, list, watch
		events, nodes, pods	get, list, watch
`status`	rtf		configmaps, pods/log, secrets	get
	pods	create, delete, get, list, watch
batch	jobs	create, delete, get
rtfctl-audit		secrets	create, get, patch, update
		namespaces	create
`test`	rtf		configmaps, pods/log, secrets	get
	pods	create, delete, get, list, watch
batch	jobs	create, delete, get
rtfctl-audit		secrets	create, get, patch, update
		nodes	get, list, watch
	namespaces	create

apply

rtf

configmaps

create, get, patch, update

pods

deletecollection

<app-namespace>

secrets

get, list, watch

rtfctl-audit

secrets

create, get, patch, update

namespaces

create, get, list, watch

secrets

create, get, patch, update

update

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

wait

rtf

configmaps, secret

get

rtfctl-audit

secrets

create, get, patch, update

apps

daemonsets, deployments

get, list, watch

namespaces

create

install

rtf

configmaps, pods/log

get

pods

get, list, watch

secrets

create, get

serviceaccounts

create

batch

jobs

create, get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

rbac.authorization.k8s.io

clusterrolebindings, clusterroles

create

backup

rtfctl-audit

secrets

create, get, patch, update

namespaces

create, get, list, watch

configmaps, namespaces, secrets, serviceaccounts, services

get, list, watch

apiextensions.k8s.io

customresourcedefinitions

get

apps

daemonsets, deployments

get, list, watch

batch

cronjobs

get, list, watch

networking.k8s.io

ingresses

get, list, watch

rbac.authorization.k8s.io

clusterrolebindings, clusterroles, rolebindings, roles

get, list, watch

rtf.mulesoft.com

persistencegateways

get, list, watch

scheduling.k8s.io

priorityclasses

get

restore

rtf

apps

daemonsets

create, get, patch, update

batch

cronjobs

create, get, patch, update

rtf.mulesoft.com

persistencegateways

get, list, watch

rtfctl-audit

secrets

create, get, patch, update

configmaps, namespaces, secrets, serviceaccounts, services

create, get, patch, update

apiextensions.k8s.io

customresourcedefinitions

get, patch, update

apps

deployments

create, get, patch, update

networking.k8s.io

ingresses

create, get, patch, update

rbac.authorization.k8s.io

clusterrolebindings, clusterroles

create, get, patch, update

scheduling.k8s.io

priorityclasses

create, get, patch, update

validate

rtf

configmaps

get

pods

deletecollection

secrets

delete, get

batch

jobs

delete

rtf-validate

namespaces

delete, get

pods/log

get

secrets, serviceaccounts

create

batch

jobs

create, get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

nodes, pods

get, list, watch

authorization.k8s.io

selfsubjectaccessreviews

create

rbac.authorization.k8s.io

clusterrolebindings, clusterroles

create, delete

version

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

delete

<app-namespace>

pods

get, list, watch

secrets

get, list, patch, update, watch

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

describe

<app-namespace>

pods

get, list, watch

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

apps

deployments

get, list, watch

disk

<app-namespace>

pods

get, list, watch

pods/exec

create

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

memory

<app-namespace>

pods

get, list, watch

pods/exec

create

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

package

<app-namespace>

pods

get, list, watch

pods/exec

create

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

restart

<app-namespace>

pods

delete, get, list, watch

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

heapdump

<app-namespace>

pods

get, list, watch

pods/exec

create

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

threaddump

<app-namespace>

secrets

get, list, watch

pods/exec

create

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

get

<app-namespace>

secrets

get, list, watch

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

apps

deployments

get, list, watch

report

rtf

configmaps, limitranges, resourcequotas, secrets, serviceaccounts, services

get, list, watch

endpoints, pods/log

get

apps

daemonsets, deployments, replicasets

get, list, watch

batch

cronjobs

get, list, watch

batch

jobs

create, delete, get, list, watch

networking.k8s.io

ingresses

get, list, watch

rbac.authorization.k8s.io

rolebindings, roles

get, list, watch

rtf.mulesoft.com

persistencegateways

get, list, watch

kube-node-lease

coordination.k8s.io

leases

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create, get, list, watch

events, nodes, pods

get, list, watch

status

rtf

configmaps, pods/log, secrets

get

pods

create, delete, get, list, watch

batch

jobs

create, delete, get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

test

rtf

configmaps, pods/log, secrets

get

pods

create, delete, get, list, watch

batch

jobs

create, delete, get

rtfctl-audit

secrets

create, get, patch, update

nodes

get, list, watch

namespaces

create

Namespace

Permissions can be role-based or cluster role-based:
Role-based: the namespace can be rtf, <app-namespace>, rtf-validate, or kube-node-lease.
Cluster role-based: because it applies to the entire cluster, the namespace field doesn’t exist and is blank in the table.
apiGroups

The API group for the K8s resources. When you create a role, each K8s resource declares its API group or uses the core API group if not specified. Refer to API groups for details.
Kubernetes Resource

Type of Kubernetes resources, for example, pods, services, or secrets to which the permissions apply.
Verbs

Actions that are allowed on the specified Kubernetes resources.

Gartner names MuleSoft a Leader

Unleash the power of Salesforce Customer 360 through integration

Anypoint Platform Fundamentals

MuleSoft at World Tour

Gartner names MuleSoft a Leader

Unleash the power of Salesforce Customer 360 through integration

Anypoint Platform Fundamentals

MuleSoft at World Tour

RTFCTL Kubernetes Permissions

See Also