Components
This section lists the RBAC policies used by the Odigos components.
ClusterRoles
Below are the ClusterRoles used by Odigos components.
odigos-autoscaler
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| odigos.io | instrumentationconfigs | * | get list watch |
| odigos.io | sources | * | get list watch |
| odigos.io | collectorsgroups/finalizers | * | get patch update |
| admissionregistration.k8s.io | validatingwebhookconfigurations | * | get list watch |
| admissionregistration.k8s.io | validatingwebhookconfigurations | action-validating-webhook-configuration | update |
cleanup-clusterrole
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| odigos.io | sources | * | list delete |
| * | pods | * | list |
| * | nodes | * | list patch |
odigos-instrumentor
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | nodes | * | list watch get |
| * | namespaces | * | list watch get |
| * | pods | * | list watch get |
| batch | cronjobs | * | list watch get |
| apps | daemonsets | * | get list watch update patch |
| apps | deployments | * | get list watch update patch |
| apps | statefulsets | * | get list watch update patch |
| apps | statefulsets/finalizers deployments/finalizers daemonsets/finalizers | * | update |
| operator.odigos.io | odigos/finalizers | * | update |
| odigos.io | instrumentationconfigs/status | * | get patch update |
| odigos.io | instrumentationconfigs | * | create delete get list patch update watch |
| odigos.io | sources | * | create delete get list patch update watch |
| odigos.io | sources/finalizers | * | update |
| admissionregistration.k8s.io | mutatingwebhookconfigurations | * | get list watch |
| admissionregistration.k8s.io | mutatingwebhookconfigurations | source-mutating-webhook-configuration mutating-webhook-configuration | update |
| admissionregistration.k8s.io | validatingwebhookconfigurations | * | get list watch |
| admissionregistration.k8s.io | validatingwebhookconfigurations | source-validating-webhook-configuration | update |
odiglet
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | pods | * | get list watch |
| * | pods/status | * | get |
| * | pods/finalizers | * | update |
| * | nodes | * | get list watch patch update |
| odigos.io | instrumentationinstances | * | create get list patch update watch delete |
| odigos.io | instrumentationinstances/status | * | get patch update |
| odigos.io | instrumentationconfigs | * | get list watch patch update |
| odigos.io | instrumentationconfigs/status | * | get patch update |
| * | nodes/stats nodes/proxy | * | get list |
| * | pods namespaces | * | get list watch |
| apps | replicasets deployments daemonsets statefulsets | * | get list watch |
| * | endpoints | * | get list watch |
odigos-scheduler
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| odigos.io | instrumentationconfigs | * | get list watch |
| * | configmaps/finalizers | * | update |
| batch | cronjobs | * | list watch |
| * | configmaps | * | list |
odigos-ui
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | namespaces | * | get list patch |
| apps | deployments statefulsets daemonsets | * | get list update patch |
| batch | cronjobs | * | get list update patch |
| apps | replicasets | * | get list |
| * | services | * | get list |
| * | pods | * | get list watch |
| odigos.io | instrumentationconfigs instrumentationinstances | * | get list watch |
| odigos.io | sources | * | get list patch create delete |
Roles
Below are the Roles used by Odigos components. These Roles are scoped only to the Namespace in which Odigos is installed.
odigos-autoscaler
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | * | get list watch create patch update delete |
| * | services | * | get list watch create patch update delete deletecollection |
| apps | daemonsets | * | get list watch create patch update delete deletecollection |
| apps | daemonsets/status | * | get |
| apps | deployments | * | create delete deletecollection get list patch update watch |
| apps | deployments/status | * | get |
| autoscaling | horizontalpodautoscalers | * | create patch update delete |
| * | secrets | * | get list watch |
| * | secrets | autoscaler-webhooks-cert | update |
| * | secrets | autoscaler-webhook-cert | delete |
| odigos.io | destinations | * | get list watch |
| odigos.io | destinations/status | * | get patch update |
| odigos.io | processors | * | get list watch create patch update |
| actions.odigos.io | * | * | get list watch update |
| actions.odigos.io | */status | * | get patch update |
| odigos.io | collectorsgroups | * | get list watch |
| odigos.io | collectorsgroups/status | * | get patch update |
| odigos.io | actions | * | get list watch create patch update |
| odigos.io | actions/status | * | get patch update |
cleanup-role
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | odigos-deployment odigos-configuration | get |
| * | configmaps | * | list |
| * | configmaps | odigos-config | get delete |
odiglet
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | odigos-data-collection | get list watch |
odigos-gateway
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | odigos-gateway | get list watch |
odigos-instrumentor
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | effective-config | get list watch |
| odigos.io | collectorsgroups | * | get list watch |
| odigos.io | collectorsgroups/status | * | get list watch |
| odigos.io | destinations | * | get list watch |
| odigos.io | instrumentationrules | * | get list watch |
| odigos.io | instrumentationrules/status | * | get patch update |
| * | secrets | * | get list watch |
| * | secrets | instrumentor-webhooks-cert | update |
| * | secrets | webhook-cert | delete |
| apps | daemonsets | odiglet | get list watch |
odigos-leader-election-role
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | events | * | create patch |
| coordination.k8s.io | leases | * | get list watch create update patch delete |
odigos-scheduler
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | * | get list watch |
| * | configmaps | effective-config odigos-deployment odigos-go-offsets | patch create update |
| * | configmaps | odigos-config | delete |
| odigos.io | collectorsgroups | * | get list create patch update watch delete |
| odigos.io | collectorsgroups/status | * | get |
| odigos.io | instrumentationrules processors actions | * | get list watch patch delete create |
| * | secrets | * | get list watch |
| batch | cronjobs | odigos-go-offsets-updater | get list watch create update patch delete |
| apps | daemonsets | odiglet | patch |
| apps | deployments | odigos-scheduler | get list watch |
| odigos.io | destinations | * | get list watch |
odigos-ui
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps | * | get list update patch |
| * | secrets | * | get list create patch update delete |
| odigos.io | instrumentationrules destinations | * | get list create patch update delete |
| odigos.io | destinations | * | watch |
| odigos.io | collectorsgroups | * | get list |
| odigos.io | actions | * | get list create patch update delete |
Operator
This section lists the RBAC policies used by the Odigos Operator. Many of these permissions are necessary in order to create the RBAC policies for the components listed above.
ClusterRoles
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps endpoints secrets | * | create delete get list patch update watch |
| * | configmaps/finalizers pods/finalizers | * | update |
| * | events | * | create patch |
| * | namespaces | * | get list patch watch |
| * | nodes | * | get list patch update watch |
| * | nodes/proxy nodes/stats | * | get list |
| * | pods | * | get list watch |
| * | pods/status | * | get |
| * | serviceaccounts | * | create delete get list patch watch |
| * | services | * | create delete deletecollection get list patch update watch |
| actions.odigos.io | * | * | create delete get list patch update watch |
| actions.odigos.io | */status | * | get patch update |
| admissionregistration.k8s.io | mutatingwebhookconfigurations validatingwebhookconfigurations | * | create delete get list patch update watch |
| apiextensions.k8s.io | customresourcedefinitions | * | create delete get list patch update watch |
| apps | daemonsets deployments replicasets statefulsets | * | create delete deletecollection get list patch update watch |
| apps | daemonsets/finalizers deployments/finalizers replicasets/finalizers statefulsets/finalizers | * | update |
| apps | daemonsets/status deployments/status statefulsets/status | * | get |
| autoscaling | horizontalpodautoscalers | * | create delete patch update |
| batch | cronjobs | * | create delete get list patch update watch |
| coordination.k8s.io | leases | * | create delete get list patch update watch |
| odigos.io | * | * | * |
| odigos.io | collectorsgroups/finalizers sources/finalizers | * | update |
| odigos.io | collectorsgroups/status destinations/status instrumentationconfigs/status instrumentationinstances/status | * | get list patch update watch |
| odigos.io | instrumentationrules/status | * | get patch update |
| operator.odigos.io | odigos | * | create delete get list patch update watch |
| operator.odigos.io | odigos/finalizers | * | update |
| operator.odigos.io | odigos/status | * | get patch update |
| policy | podsecuritypolicies | privileged | use |
| rbac.authorization.k8s.io | clusterrolebindings clusterroles rolebindings roles | * | create delete get list patch update watch |
| security.openshift.io | securitycontextconstraints | * | use |
| authentication.k8s.io | tokenreviews | * | create |
| authorization.k8s.io | subjectaccessreviews | * | create |
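
The Operator section says many of its permissions exist so that it can create the component policies: Kubernetes lets a subject create or update a Role or ClusterRole only if it already holds every permission in it (or has the `escalate` verb). The following added example, which is not Odigos code, checks that coverage for rows in this page's table format. The `CONSTRUCTED` row is made up for illustration, and reading `*` as "any" in every column is an assumption about how the tables are rendered.

```python
# Added example, not Odigos code. Rows are copied from this page's tables,
# except CONSTRUCTED, which is made up to show an uncovered grant.
OPERATOR = """
| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| * | configmaps endpoints secrets | * | create delete get list patch update watch |
| odigos.io | * | * | * |
"""
UI_ROLE = """
| * | configmaps | * | get list update patch |
| * | secrets | * | get list create patch update delete |
| odigos.io | instrumentationrules destinations | * | get list create patch update delete |
| odigos.io | destinations | * | watch |
"""
CONSTRUCTED = "| * | secrets | * | deletecollection |"

def parse(table):
    """Table rows -> list of (groups, resources, names, verbs), each a set."""
    rules = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip the header row and the |---| separator.
        if len(cells) == 4 and cells[0] != "APIGroups" and cells[0].strip("-"):
            rules.append(tuple(set(c.split()) for c in cells))
    return rules

def matches(have, want):
    """Assumption: '*' means any value in every column; '*/sub' covers 'x/sub'."""
    if "*" in have or want in have:
        return True
    return "/" in want and "*/" + want.split("/", 1)[1] in have

def covered(rules, group, resource, name, verb):
    return any(matches(g, group) and matches(r, resource)
               and matches(n, name) and matches(v, verb)
               for g, r, n, v in rules)

def gaps(holder_table, granted_table):
    """Single permissions in granted_table that holder_table does not hold."""
    holder = parse(holder_table)
    return [(g, r, n, v)
            for gs, rs, ns, vs in parse(granted_table)
            for g in sorted(gs) for r in sorted(rs)
            for n in sorted(ns) for v in sorted(vs)
            if not covered(holder, g, r, n, v)]

if __name__ == "__main__":
    print("odigos-ui Role gaps:", gaps(OPERATOR, UI_ROLE))
    print("constructed row gaps:", gaps(OPERATOR, CONSTRUCTED))
```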