This page lists the Kubernetes Roles and ClusterRoles used by Odigos and the Odigos Operator.

Components

This section lists the RBAC policies used by the Odigos components.

ClusterRoles

Below are the ClusterRoles used by Odigos components.

odigos-autoscaler

APIGroups	Resources	Resource Names	Verbs
odigos.io	instrumentationconfigs	*	get list watch
odigos.io	sources	*	get list watch
odigos.io	collectorsgroups/finalizers	*	get patch update
admissionregistration.k8s.io	validatingwebhookconfigurations	*	get list watch
admissionregistration.k8s.io	validatingwebhookconfigurations	action-validating-webhook-configuration	update

cleanup-clusterrole

APIGroups	Resources	Resource Names	Verbs
odigos.io	sources	*	list delete
*	pods	*	list

odigos-data-collection

APIGroups	Resources	Resource Names	Verbs
*	nodes/stats nodes/proxy	*	get list
*	pods namespaces	*	get list watch
apps	replicasets deployments daemonsets statefulsets	*	get list watch
*	endpoints	*	get list watch

odigos-instrumentor

APIGroups	Resources	Resource Names	Verbs
*	nodes	*	list watch get
*	namespaces	*	list watch get
*	pods	*	list watch get
batch	cronjobs	*	list watch get
apps	daemonsets	*	get list watch update patch
apps	deployments	*	get list watch update patch
apps	statefulsets	*	get list watch update patch
apps	statefulsets/finalizers deployments/finalizers daemonsets/finalizers	*	update
operator.odigos.io	odigos/finalizers	*	update
odigos.io	instrumentationconfigs/status	*	get patch update
odigos.io	instrumentationconfigs	*	create delete get list patch update watch
odigos.io	sources	*	create delete get list patch update watch
odigos.io	sources/finalizers	*	update
admissionregistration.k8s.io	mutatingwebhookconfigurations	*	get list watch
admissionregistration.k8s.io	mutatingwebhookconfigurations	source-mutating-webhook-configuration mutating-webhook-configuration	update
admissionregistration.k8s.io	validatingwebhookconfigurations	*	get list watch
admissionregistration.k8s.io	validatingwebhookconfigurations	source-validating-webhook-configuration	update

odiglet

APIGroups	Resources	Resource Names	Verbs
*	pods	*	get list watch
*	pods/status	*	get
*	pods/finalizers	*	update
*	nodes	*	get list watch patch update
odigos.io	instrumentationinstances	*	create get list patch update watch delete
odigos.io	instrumentationinstances/status	*	get patch update
odigos.io	instrumentationconfigs	*	get list watch patch update
odigos.io	instrumentationconfigs/status	*	get patch update

odigos-scheduler

APIGroups	Resources	Resource Names	Verbs
odigos.io	instrumentationconfigs	*	get list watch
*	configmaps/finalizers	*	update
batch	cronjobs	*	list watch
*	configmaps	*	list

odigos-ui

APIGroups	Resources	Resource Names	Verbs
*	namespaces	*	get list patch
apps	deployments statefulsets daemonsets	*	get list update patch
batch	cronjobs	*	get list update patch
apps	replicasets	*	get list
*	services	*	get list
*	pods	*	get list watch
odigos.io	instrumentationconfigs instrumentationinstances	*	get list watch
odigos.io	sources	*	get list patch create delete

Roles

Below are the Roles used by Odigos components. These Roles are only scoped to the Namespace in which Odigos is installed.

odigos-autoscaler

APIGroups	Resources	Resource Names	Verbs
*	configmaps	*	get list watch create patch update delete
*	services	*	get list watch create patch update delete deletecollection
apps	daemonsets	*	get list watch create patch update delete deletecollection
apps	daemonsets/status	*	get
apps	deployments	*	create delete deletecollection get list patch update watch
apps	deployments/status	*	get
autoscaling	horizontalpodautoscalers	*	create patch update delete
*	secrets	*	get list watch
*	secrets	autoscaler-webhooks-cert	update
*	secrets	autoscaler-webhook-cert	delete
odigos.io	destinations	*	get list watch
odigos.io	destinations/status	*	get patch update
odigos.io	processors	*	get list watch create patch update
actions.odigos.io	*	*	get list watch
actions.odigos.io	*/status	*	get patch update
odigos.io	collectorsgroups	*	get list watch
odigos.io	collectorsgroups/status	*	get patch update
odigos.io	actions	*	get list watch
odigos.io	actions/status	*	get patch update

cleanup-role

APIGroups	Resources	Resource Names	Verbs
*	configmaps	odigos-deployment	get
*	configmaps	odigos-config	get delete

odigos-data-collection

APIGroups	Resources	Resource Names	Verbs
*	configmaps	odigos-data-collection	get list watch

odigos-gateway

APIGroups	Resources	Resource Names	Verbs
*	configmaps	odigos-gateway	get list watch

odigos-instrumentor

APIGroups	Resources	Resource Names	Verbs
*	configmaps	effective-config	get list watch
odigos.io	collectorsgroups	*	get list watch
odigos.io	collectorsgroups/status	*	get list watch
odigos.io	destinations	*	get list watch
odigos.io	instrumentationrules	*	get list watch
*	secrets	*	get list watch
*	secrets	instrumentor-webhooks-cert	update
*	secrets	webhook-cert	delete
apps	daemonsets	odiglet	get list watch

odigos-leader-election-role

APIGroups	Resources	Resource Names	Verbs
*	events	*	create patch
coordination.k8s.io	leases	*	get list watch create update patch delete

odigos-scheduler

APIGroups	Resources	Resource Names	Verbs
*	configmaps	*	get list watch
*	configmaps	effective-config odigos-deployment odigos-go-offsets	patch create update
*	configmaps	odigos-config	delete
odigos.io	collectorsgroups	*	get list create patch update watch delete
odigos.io	collectorsgroups/status	*	get
odigos.io	instrumentationrules processors	*	get list watch patch delete create
*	secrets	*	get list watch
batch	cronjobs	odigos-go-offsets-updater	get list watch create update patch delete
apps	daemonsets	odiglet	patch

odigos-ui

APIGroups	Resources	Resource Names	Verbs
*	configmaps	*	get list
*	secrets	*	get list create patch update delete
odigos.io	instrumentationrules destinations	*	get list create patch update delete
odigos.io	destinations	*	watch
odigos.io	collectorsgroups	*	get list
actions.odigos.io	*	*	get list create patch update delete

Operator

This section lists the RBAC policies used by the Odigos Operator. Many of these permissions are necessary in order to create the RBAC policies for the components listed above.

ClusterRoles

APIGroups	Resources	Resource Names	Verbs
*	configmaps endpoints secrets	*	create delete get list patch update watch
*	configmaps/finalizers pods/finalizers	*	update
*	events	*	create patch
*	namespaces	*	get list patch watch
*	nodes	*	get list patch update watch
*	nodes/proxy nodes/stats	*	get list
*	pods	*	get list watch
*	pods/status	*	get
*	serviceaccounts	*	create delete get list patch watch
*	services	*	create delete deletecollection get list patch update watch
actions.odigos.io	*	*	create delete get list patch update watch
actions.odigos.io	*/status	*	get patch update
admissionregistration.k8s.io	mutatingwebhookconfigurations validatingwebhookconfigurations	*	create delete get list patch update watch
apiextensions.k8s.io	customresourcedefinitions	*	create delete get list patch update watch
apps	daemonsets deployments replicasets statefulsets	*	create delete deletecollection get list patch update watch
apps	daemonsets/finalizers deployments/finalizers replicasets/finalizers statefulsets/finalizers	*	update
apps	daemonsets/status deployments/status statefulsets/status	*	get
autoscaling	horizontalpodautoscalers	*	create delete patch update
batch	cronjobs	*	create delete get list patch update watch
coordination.k8s.io	leases	*	create delete get list patch update watch
odigos.io	*	*	*
odigos.io	collectorsgroups/finalizers sources/finalizers	*	update
odigos.io	collectorsgroups/status destinations/status instrumentationconfigs/status instrumentationinstances/status	*	get list patch update watch
operator.odigos.io	odigos	*	create delete get list patch update watch
operator.odigos.io	odigos/finalizers	*	update
operator.odigos.io	odigos/status	*	get patch update
policy	podsecuritypolicies	privileged	use
rbac.authorization.k8s.io	clusterrolebindings clusterroles rolebindings roles	*	create delete get list patch update watch
security.openshift.io	securitycontextconstraints	*	use
authentication.k8s.io	tokenreviews	*	create
authorization.k8s.io	subjectaccessreviews	*	create

Getting Started

Instrumentations

Odigos Pipeline

Destinations

Concepts

Feature Guidelines

Contribution Guidelines

Kubernetes RBAC Permissions

Components

ClusterRoles

odigos-autoscaler

cleanup-clusterrole

odigos-data-collection

odigos-instrumentor

odiglet

odigos-scheduler

odigos-ui

Roles

odigos-autoscaler

cleanup-role

odigos-data-collection

odigos-gateway

odigos-instrumentor

odigos-leader-election-role

odigos-scheduler

odigos-ui

Operator

ClusterRoles

Getting Started

Instrumentations

Odigos Pipeline

Destinations

Concepts

Feature Guidelines

Contribution Guidelines

​Components

​ClusterRoles

​odigos-autoscaler

​cleanup-clusterrole

​odigos-data-collection

​odigos-instrumentor

​odiglet

​odigos-scheduler

​odigos-ui

​Roles

​odigos-autoscaler

​cleanup-role

​odigos-data-collection

​odigos-gateway

​odigos-instrumentor

​odigos-leader-election-role

​odigos-scheduler

​odigos-ui

​Operator

​ClusterRoles

Components

ClusterRoles

odigos-autoscaler

cleanup-clusterrole

odigos-data-collection

odigos-instrumentor

odiglet

odigos-scheduler

odigos-ui

Roles

odigos-autoscaler

cleanup-role

odigos-data-collection

odigos-gateway

odigos-instrumentor

odigos-leader-election-role

odigos-scheduler

odigos-ui

Operator

ClusterRoles