Kubernetes RBAC Permissions
This page lists the Kubernetes Roles and ClusterRoles used by Odigos and the Odigos Operator.
Components
This section lists the RBAC policies used by the Odigos components.
ClusterRoles
Below are the ClusterRoles used by Odigos components.
odigos-autoscaler
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| odigos.io | instrumentationconfigs | * | get list watch |
| odigos.io | sources | * | get list watch |
| odigos.io | collectorsgroups/finalizers | * | get patch update |
| admissionregistration.k8s.io | validatingwebhookconfigurations | * | get list watch |
| admissionregistration.k8s.io | validatingwebhookconfigurations | action-validating-webhook-configuration | update |
cleanup-clusterrole
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| odigos.io | sources | * | list delete |
| * | pods | * | list |
odigos-data-collection
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | nodes/stats nodes/proxy | * | get list |
| * | pods namespaces | * | get list watch |
| apps | replicasets deployments daemonsets statefulsets | * | get list watch |
| * | endpoints | * | get list watch |
odigos-instrumentor
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | nodes | * | list watch get |
| * | namespaces | * | list watch get |
| * | pods | * | list watch get |
| batch | cronjobs | * | list watch get |
| apps | daemonsets | * | get list watch update patch |
| apps | deployments | * | get list watch update patch |
| apps | statefulsets | * | get list watch update patch |
| apps | statefulsets/finalizers deployments/finalizers daemonsets/finalizers | * | update |
| operator.odigos.io | odigos/finalizers | * | update |
| odigos.io | instrumentationconfigs/status | * | get patch update |
| odigos.io | instrumentationconfigs | * | create delete get list patch update watch |
| odigos.io | sources | * | create delete get list patch update watch |
| odigos.io | sources/finalizers | * | update |
| admissionregistration.k8s.io | mutatingwebhookconfigurations | * | get list watch |
| admissionregistration.k8s.io | mutatingwebhookconfigurations | source-mutating-webhook-configuration mutating-webhook-configuration | update |
| admissionregistration.k8s.io | validatingwebhookconfigurations | * | get list watch |
| admissionregistration.k8s.io | validatingwebhookconfigurations | source-validating-webhook-configuration | update |
odiglet
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | pods | * | get list watch |
| * | pods/status | * | get |
| * | pods/finalizers | * | update |
| * | nodes | * | get list watch patch update |
| odigos.io | instrumentationinstances | * | create get list patch update watch delete |
| odigos.io | instrumentationinstances/status | * | get patch update |
| odigos.io | instrumentationconfigs | * | get list watch patch update |
| odigos.io | instrumentationconfigs/status | * | get patch update |
odigos-scheduler
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| odigos.io | instrumentationconfigs | * | get list watch |
| * | configmaps/finalizers | * | update |
odigos-ui
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | namespaces | * | get list patch |
| apps | deployments statefulsets daemonsets | * | get list update patch |
| batch | cronjobs | * | get list update patch |
| apps | replicasets | * | get list |
| * | services | * | get list |
| * | pods | * | get list watch |
| odigos.io | instrumentationconfigs instrumentationinstances | * | get list watch |
| odigos.io | sources | * | get list patch create delete |
Roles
Below are the Roles used by Odigos components. These Roles are only scoped to the Namespace in which Odigos is installed.
odigos-autoscaler
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | * | get list watch create patch update delete |
| * | services | * | get list watch create patch update delete deletecollection |
| apps | daemonsets | * | get list watch create patch update delete deletecollection |
| apps | daemonsets/status | * | get |
| apps | deployments | * | create delete deletecollection get list patch update watch |
| apps | deployments/status | * | get |
| autoscaling | horizontalpodautoscalers | * | create patch update delete |
| * | secrets | * | get list watch |
| * | secrets | autoscaler-webhooks-cert | update |
| * | secrets | autoscaler-webhook-cert | delete |
| odigos.io | destinations | * | get list watch |
| odigos.io | destinations/status | * | get patch update |
| odigos.io | processors | * | get list watch create patch update |
| actions.odigos.io | * | * | get list watch |
| actions.odigos.io | */status | * | get patch update |
| odigos.io | collectorsgroups | * | get list watch |
| odigos.io | collectorsgroups/status | * | get patch update |
| odigos.io | actions | * | get list watch |
| odigos.io | actions/status | * | get patch update |
cleanup-role
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | odigos-deployment | get |
| * | configmaps | odigos-config | get delete |
odigos-data-collection
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | odigos-data-collection | get list watch |
odigos-gateway
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | odigos-gateway | get list watch |
odigos-instrumentor
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | effective-config | get list watch |
| odigos.io | collectorsgroups | * | get list watch |
| odigos.io | collectorsgroups/status | * | get list watch |
| odigos.io | destinations | * | get list watch |
| odigos.io | instrumentationrules | * | get list watch |
| * | secrets | * | get list watch |
| * | secrets | instrumentor-webhooks-cert | update |
| * | secrets | webhook-cert | delete |
odigos-leader-election-role
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | events | * | create patch |
| coordination.k8s.io | leases | * | get list watch create update patch delete |
odiglet
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| odigos.io | collectorsgroups collectorsgroups/status | * | get list watch |
odigos-scheduler
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | * | get list watch |
| * | configmaps | effective-config odigos-deployment | patch create update |
| odigos.io | collectorsgroups | * | get list create patch update watch delete |
| odigos.io | collectorsgroups/status | * | get |
| odigos.io | instrumentationrules processors | * | get list watch patch delete create |
| * | secrets | * | get list watch |
odigos-ui
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | * | get list |
| * | secrets | * | get list create patch update delete |
| odigos.io | instrumentationrules destinations | * | get list create patch update delete |
| odigos.io | destinations | * | watch |
| odigos.io | collectorsgroups | * | get list |
| actions.odigos.io | * | * | get list create patch update delete |
Operator
This section lists the RBAC policies used by the Odigos Operator. Many of these permissions are necessary in order to create the RBAC policies for the components listed above.
ClusterRoles
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps endpoints secrets | * | create delete get list patch update watch |
| * | configmaps/finalizers pods/finalizers | * | update |
| * | events | * | create patch |
| * | namespaces | * | get list patch watch |
| * | nodes | * | get list patch update watch |
| * | nodes/proxy nodes/stats | * | get list |
| * | pods | * | get list watch |
| * | pods/status | * | get |
| * | serviceaccounts | * | create delete get list patch watch |
| * | services | * | create delete deletecollection get list patch update watch |
| actions.odigos.io | * | * | create delete get list patch update watch |
| actions.odigos.io | */status | * | get patch update |
| admissionregistration.k8s.io | mutatingwebhookconfigurations validatingwebhookconfigurations | * | create delete get list patch update watch |
| apiextensions.k8s.io | customresourcedefinitions | * | create delete get list patch update watch |
| apps | daemonsets deployments replicasets statefulsets | * | create delete deletecollection get list patch update watch |
| apps | daemonsets/finalizers deployments/finalizers replicasets/finalizers statefulsets/finalizers | * | update |
| apps | daemonsets/status deployments/status statefulsets/status | * | get |
| autoscaling | horizontalpodautoscalers | * | create delete patch update |
| batch | cronjobs | * | get list patch update watch |
| coordination.k8s.io | leases | * | create delete get list patch update watch |
| odigos.io | * | * | * |
| odigos.io | collectorsgroups/finalizers sources/finalizers | * | update |
| odigos.io | collectorsgroups/status destinations/status instrumentationconfigs/status instrumentationinstances/status | * | get list patch update watch |
| operator.odigos.io | odigos | * | create delete get list patch update watch |
| operator.odigos.io | odigos/finalizers | * | update |
| operator.odigos.io | odigos/status | * | get patch update |
| policy | podsecuritypolicies | privileged | use |
| rbac.authorization.k8s.io | clusterrolebindings clusterroles rolebindings roles | * | create delete get list patch update watch |
| security.openshift.io | securitycontextconstraints | * | use |
| authentication.k8s.io | tokenreviews | * | create |
| authorization.k8s.io | subjectaccessreviews | * | create |
Kubernetes RBAC Permissions
This page lists the Kubernetes Roles and ClusterRoles used by Odigos and the Odigos Operator.
Components
This section lists the RBAC policies used by the Odigos components.
ClusterRoles
Below are the ClusterRoles used by Odigos components.
odigos-autoscaler
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| odigos.io | instrumentationconfigs | * | get list watch |
| odigos.io | sources | * | get list watch |
| odigos.io | collectorsgroups/finalizers | * | get patch update |
| admissionregistration.k8s.io | validatingwebhookconfigurations | * | get list watch |
| admissionregistration.k8s.io | validatingwebhookconfigurations | action-validating-webhook-configuration | update |
cleanup-clusterrole
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| odigos.io | sources | * | list delete |
| * | pods | * | list |
odigos-data-collection
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | nodes/stats nodes/proxy | * | get list |
| * | pods namespaces | * | get list watch |
| apps | replicasets deployments daemonsets statefulsets | * | get list watch |
| * | endpoints | * | get list watch |
odigos-instrumentor
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | nodes | * | list watch get |
| * | namespaces | * | list watch get |
| * | pods | * | list watch get |
| batch | cronjobs | * | list watch get |
| apps | daemonsets | * | get list watch update patch |
| apps | deployments | * | get list watch update patch |
| apps | statefulsets | * | get list watch update patch |
| apps | statefulsets/finalizers deployments/finalizers daemonsets/finalizers | * | update |
| operator.odigos.io | odigos/finalizers | * | update |
| odigos.io | instrumentationconfigs/status | * | get patch update |
| odigos.io | instrumentationconfigs | * | create delete get list patch update watch |
| odigos.io | sources | * | create delete get list patch update watch |
| odigos.io | sources/finalizers | * | update |
| admissionregistration.k8s.io | mutatingwebhookconfigurations | * | get list watch |
| admissionregistration.k8s.io | mutatingwebhookconfigurations | source-mutating-webhook-configuration mutating-webhook-configuration | update |
| admissionregistration.k8s.io | validatingwebhookconfigurations | * | get list watch |
| admissionregistration.k8s.io | validatingwebhookconfigurations | source-validating-webhook-configuration | update |
odiglet
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | pods | * | get list watch |
| * | pods/status | * | get |
| * | pods/finalizers | * | update |
| * | nodes | * | get list watch patch update |
| odigos.io | instrumentationinstances | * | create get list patch update watch delete |
| odigos.io | instrumentationinstances/status | * | get patch update |
| odigos.io | instrumentationconfigs | * | get list watch patch update |
| odigos.io | instrumentationconfigs/status | * | get patch update |
odigos-scheduler
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| odigos.io | instrumentationconfigs | * | get list watch |
| * | configmaps/finalizers | * | update |
odigos-ui
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | namespaces | * | get list patch |
| apps | deployments statefulsets daemonsets | * | get list update patch |
| batch | cronjobs | * | get list update patch |
| apps | replicasets | * | get list |
| * | services | * | get list |
| * | pods | * | get list watch |
| odigos.io | instrumentationconfigs instrumentationinstances | * | get list watch |
| odigos.io | sources | * | get list patch create delete |
Roles
Below are the Roles used by Odigos components. These Roles are only scoped to the Namespace in which Odigos is installed.
odigos-autoscaler
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | * | get list watch create patch update delete |
| * | services | * | get list watch create patch update delete deletecollection |
| apps | daemonsets | * | get list watch create patch update delete deletecollection |
| apps | daemonsets/status | * | get |
| apps | deployments | * | create delete deletecollection get list patch update watch |
| apps | deployments/status | * | get |
| autoscaling | horizontalpodautoscalers | * | create patch update delete |
| * | secrets | * | get list watch |
| * | secrets | autoscaler-webhooks-cert | update |
| * | secrets | autoscaler-webhook-cert | delete |
| odigos.io | destinations | * | get list watch |
| odigos.io | destinations/status | * | get patch update |
| odigos.io | processors | * | get list watch create patch update |
| actions.odigos.io | * | * | get list watch |
| actions.odigos.io | */status | * | get patch update |
| odigos.io | collectorsgroups | * | get list watch |
| odigos.io | collectorsgroups/status | * | get patch update |
| odigos.io | actions | * | get list watch |
| odigos.io | actions/status | * | get patch update |
cleanup-role
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | odigos-deployment | get |
| * | configmaps | odigos-config | get delete |
odigos-data-collection
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | odigos-data-collection | get list watch |
odigos-gateway
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | odigos-gateway | get list watch |
odigos-instrumentor
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | effective-config | get list watch |
| odigos.io | collectorsgroups | * | get list watch |
| odigos.io | collectorsgroups/status | * | get list watch |
| odigos.io | destinations | * | get list watch |
| odigos.io | instrumentationrules | * | get list watch |
| * | secrets | * | get list watch |
| * | secrets | instrumentor-webhooks-cert | update |
| * | secrets | webhook-cert | delete |
odigos-leader-election-role
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | events | * | create patch |
| coordination.k8s.io | leases | * | get list watch create update patch delete |
odiglet
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| odigos.io | collectorsgroups collectorsgroups/status | * | get list watch |
odigos-scheduler
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | * | get list watch |
| * | configmaps | effective-config odigos-deployment | patch create update |
| odigos.io | collectorsgroups | * | get list create patch update watch delete |
| odigos.io | collectorsgroups/status | * | get |
| odigos.io | instrumentationrules processors | * | get list watch patch delete create |
| * | secrets | * | get list watch |
odigos-ui
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | * | get list |
| * | secrets | * | get list create patch update delete |
| odigos.io | instrumentationrules destinations | * | get list create patch update delete |
| odigos.io | destinations | * | watch |
| odigos.io | collectorsgroups | * | get list |
| actions.odigos.io | * | * | get list create patch update delete |
Operator
This section lists the RBAC policies used by the Odigos Operator. Many of these permissions are necessary in order to create the RBAC policies for the components listed above.
ClusterRoles
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps endpoints secrets | * | create delete get list patch update watch |
| * | configmaps/finalizers pods/finalizers | * | update |
| * | events | * | create patch |
| * | namespaces | * | get list patch watch |
| * | nodes | * | get list patch update watch |
| * | nodes/proxy nodes/stats | * | get list |
| * | pods | * | get list watch |
| * | pods/status | * | get |
| * | serviceaccounts | * | create delete get list patch watch |
| * | services | * | create delete deletecollection get list patch update watch |
| actions.odigos.io | * | * | create delete get list patch update watch |
| actions.odigos.io | */status | * | get patch update |
| admissionregistration.k8s.io | mutatingwebhookconfigurations validatingwebhookconfigurations | * | create delete get list patch update watch |
| apiextensions.k8s.io | customresourcedefinitions | * | create delete get list patch update watch |
| apps | daemonsets deployments replicasets statefulsets | * | create delete deletecollection get list patch update watch |
| apps | daemonsets/finalizers deployments/finalizers replicasets/finalizers statefulsets/finalizers | * | update |
| apps | daemonsets/status deployments/status statefulsets/status | * | get |
| autoscaling | horizontalpodautoscalers | * | create delete patch update |
| batch | cronjobs | * | get list patch update watch |
| coordination.k8s.io | leases | * | create delete get list patch update watch |
| odigos.io | * | * | * |
| odigos.io | collectorsgroups/finalizers sources/finalizers | * | update |
| odigos.io | collectorsgroups/status destinations/status instrumentationconfigs/status instrumentationinstances/status | * | get list patch update watch |
| operator.odigos.io | odigos | * | create delete get list patch update watch |
| operator.odigos.io | odigos/finalizers | * | update |
| operator.odigos.io | odigos/status | * | get patch update |
| policy | podsecuritypolicies | privileged | use |
| rbac.authorization.k8s.io | clusterrolebindings clusterroles rolebindings roles | * | create delete get list patch update watch |
| security.openshift.io | securitycontextconstraints | * | use |
| authentication.k8s.io | tokenreviews | * | create |
| authorization.k8s.io | subjectaccessreviews | * | create |