RBAC permissions for system components

GKE on VMware deploys Pods to your nodes that have elevated role-based access control (RBAC) permissions such as the ability to modify all Deployments and to read all cluster Secrets. These permissions are required for GKE on VMware to function correctly.

The following components have elevated RBAC permissions:

  • gke-connect-agent
  • ais
  • coredns-autoscaler
  • kube-proxy
  • calico-node
  • anet-operator
  • metal
  • cluster-health-controller
  • gmsa-webhook
  • onprem-user-cluster-controller
  • gke-usage-metering
  • metrics-server