RBAC permissions for system components

Anthos clusters on VMware deploys Pods to your nodes that have elevated role-based access control (RBAC) permissions such as the ability to modify all Deployments and to read all cluster Secrets. These permissions are required for Anthos clusters on VMware to function correctly.

The following components have elevated RBAC permissions:

  • gke-connect-agent
  • ais
  • coredns-autoscaler
  • kube-proxy
  • calico-node
  • anet-operator
  • metal
  • cluster-health-controller
  • gmsa-webhook
  • onprem-user-cluster-controller
  • gke-usage-metering
  • metrics-server