Use this page to understand the RBAC permissions that the components of Cloud Run for Anthos hold to maintain access to the cluster. These permissions are required and enabled by default in Cloud Run for Anthos; do not attempt to disable them.
Component | Namespace | Service Account |
---|---|---|
activator | knative-serving | controller |
autoscaler | knative-serving | controller |
controller | knative-serving | controller |
webhook | knative-serving | controller |
storage-version-migration-serving | knative-serving | controller |
cloud-run-operator | cloud-run-system | cloud-run-operator |
Note that the cloud-run-operator service account has the same set of permissions as controller. The operator is what deploys all Cloud Run for Anthos components, including custom resource definitions and controllers.
RBAC for Cloud Run for Anthos service accounts
Use the following apiGroup definitions to understand which access control permissions each resource has in Cloud Run for Anthos for both the controller and cloud-run-operator service accounts.
```yaml
- apiGroups:
  - ""
  resources:
  - pods
  - secrets
  verbs:
  - deletecollection
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  - secrets
  - configmaps
  - endpoints
  - services
  - events
  - serviceaccounts
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - ""
  resources:
  - endpoints/restricted
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - namespaces/finalizers
  verbs:
  - update
- apiGroups:
  - apps
  resources:
  - deployments
  - deployments/finalizers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  - customresourcedefinitions/status
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
```
The following table lists how the RBAC permissions are used in Cloud Run for Anthos, where:
- view includes the verbs: get, list, watch
- modify includes the verbs: create, update, delete, patch
Permissions | Reasons |
---|---|
Can view all secrets | The webhook needs to read the secret from the knative-serving namespace. The DomainMapping controller needs to read the certificate secret generated by the auto TLS feature and copy it to the gke-system namespace. |
Can modify pods | The DomainMapping controller needs to create a Pod that serves the requests for fulfilling the HTTP01 challenge. |
Can modify secrets | The DomainMapping controller needs to create or update the certificate secret. The webhook needs to read the secret from the knative-serving namespace. |
Can modify configmaps | Used by the default URL feature: the controller needs to update the "config-domain" configmap in the "knative-serving" namespace to add the `nip.io` URL. |
Can modify endpoints | The Serverlessservice controller and the Route controller need to create, update, or delete endpoints. |
Can modify services | The Route controller and the Serverlessservice controller need to create, update, or delete services. The DomainMapping controller needs to create a service for serving HTTP01 challenge requests. |
Can modify events | The Cloud Run for Anthos controller creates and emits events for the resources managed by Knative. |
Can modify serviceaccounts | Cloud Run for Anthos needs to read a service account indirectly. |
Can modify endpoints/restricted | Cloud Run for Anthos needs to create endpoints when RestrictedEndpointsAdmission is enabled. |
Can modify deployments | The Revision controller needs to create or update a deployment for the Knative service. |
Can modify mutatingwebhookconfigurations | The Knative webhook adds the caBundle to the mutatingwebhookconfigurations owned by Knative. |
Can modify validatingwebhookconfigurations | The Knative webhook adds the caBundle to the validatingwebhookconfigurations owned by Knative. |
Can modify customresourcedefinitions and customresourcedefinitions/status | The Knative post-install job needs to upgrade the Knative-related CRDs to the v1 version. |
Can modify horizontalpodautoscalers | Knative supports autoscaling based on HPA. |
Can modify namespaces/finalizers | Cloud Run for Anthos needs to set an ownerReference on the knative-serving namespace. |