RBAC permissions for system components

Anthos clusters on bare metal deploys Pods to your nodes that have elevated RBAC permissions such as the ability to modify all Deployments and to read all cluster Secrets. These permissions are required for Anthos clusters on bare metal to function correctly.

The following table lists all Anthos clusters on bare metal components with elevated permissions:

  • ais
  • anet-operator
  • anthos-cluster-operator
  • anthos-multinet-controller
  • cap-controller-manager
  • capi-controller-manager
  • capi-kubeadm-bootstrap-controller-manager
  • cdi-operator
  • cert-manager-cainjector
  • cert-manager-webhook
  • cert-manager
  • cluster-metrics-webhook
  • csi-snapshot-controller
  • istio-ingress
  • istiod
  • kube-state-metrics
  • localpv
  • metallb-controller
  • metrics-server-operator
  • metrics-server
  • network-controller-manager
  • sp-anthos-static-provisioner
  • stackdriver-operator
  • virt-api
  • virt-controller
  • virt-handler
  • virt-operator
  • vm-controller-controller-manager
  • vmruntime-controller-manager