This documentation is for the Latest version of Cloud Run for Anthos, which uses Anthos fleets and Anthos Service Mesh.

The past version has been archived but the documentation remains available for existing users.

Cloud Run for Anthos component permissions

Use this page to understand the RBAC permissions that the components of Cloud Run for Anthos hold to maintain access to the cluster. These permissions are required and enabled by default in Cloud Run for Anthos; do not attempt to disable them.

Component                           Namespace          Service account
activator                           knative-serving    controller
autoscaler                          knative-serving    controller
controller                          knative-serving    controller
webhook                             knative-serving    controller
storage-version-migration-serving   knative-serving    controller
cloud-run-operator                  cloud-run-system   cloud-run-operator

Note that the cloud-run-operator service account has the same set of permissions as controller. The operator is what deploys all Cloud Run for Anthos components, including custom resource definitions and controllers.

RBAC for Cloud Run for Anthos service accounts

Use the following rule definitions (grouped by apiGroup) to understand which access control permissions the controller and cloud-run-operator service accounts hold on each resource in Cloud Run for Anthos.

- apiGroups:
  - ""
  resources:
  - pods
  - secrets
  verbs:
  - deletecollection
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  - secrets
  - configmaps
  - endpoints
  - services
  - events
  - serviceaccounts
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - ""
  resources:
  - endpoints/restricted
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - namespaces/finalizers
  verbs:
  - update
- apiGroups:
  - apps
  resources:
  - deployments
  - deployments/finalizers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  - customresourcedefinitions/status
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch

The following table lists how the RBAC permissions are used in Cloud Run for Anthos, where:

  • view includes the verbs: get, list, watch
  • modify includes the verbs: create, update, delete, patch

Permission                                    Reason
Can view all secrets                          The webhook needs to read the secret from the knative-serving namespace. The DomainMapping controller needs to read the certificate secret generated by the auto TLS feature and copy it to the gke-system namespace.
Can modify pods                               The DomainMapping controller needs to create a Pod that serves the requests for fulfilling the HTTP01 challenge.
Can modify secrets                            The DomainMapping controller needs to create or update the certificate secret. The webhook needs to read the secret from the knative-serving namespace.
Can modify configmaps                         Used by the default URL feature: the controller needs to update the "config-domain" configmap in the "knative-serving" namespace to add the `nip.io` URL.
Can modify endpoints                          The ServerlessService controller needs to create, update, or delete endpoints. The Route controller needs to create, update, or delete endpoints.
Can modify services                           The Route controller needs to create, update, or delete a service. The ServerlessService controller needs to create, update, or delete a service. The DomainMapping controller needs to create a service for serving HTTP01 challenge requests.
Can modify events                             The Cloud Run for Anthos controller creates and emits events for the resources managed by Knative.
Can modify serviceaccounts                    Cloud Run for Anthos needs to read a service account indirectly.
Can modify endpoints/restricted               Cloud Run for Anthos needs to create endpoints when RestrictedEndpointsAdmission is enabled.
Can modify deployments                        The Revision controller needs to create or update a deployment for the Knative service.
Can modify mutatingwebhookconfigurations      The Knative webhook adds a caBundle to the mutatingwebhookconfigurations owned by Knative.
Can modify validatingwebhookconfigurations    The Knative webhook adds a caBundle to the validatingwebhookconfigurations owned by Knative.
Can modify customresourcedefinitions and customresourcedefinitions/status   The Knative post-install job needs to upgrade Knative-related CRDs to the v1 version.
Can modify horizontalpodautoscalers           Knative supports autoscaling based on HPA.
Can modify namespaces/finalizers              Cloud Run for Anthos needs to set an ownerReference on the knative-serving namespace.
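As an added example (not Google's or Knative's code), the following Python applies the view/modify vocabulary of the table above to a list of RBAC rules in the shape of the rule list on this page and reports any verbs a live ClusterRole grants beyond the documented set. The baseline rules are a constructed subset of those listed above; the input shape assumed is the `.rules` array that `kubectl get clusterrole <name> -o json` returns.

```python
from collections import defaultdict

# The page's two verb buckets.
VIEW = {"get", "list", "watch"}
MODIFY = {"create", "update", "delete", "patch"}

# Constructed baseline: a subset of the rules listed on this page, in the
# shape `kubectl get clusterrole <name> -o json` returns under .rules.
DOCUMENTED_RULES = [
    {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["deletecollection"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["secrets", "configmaps"],
     "verbs": ["get", "list", "create", "update", "delete", "patch", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "create", "update", "delete", "patch", "watch"]},
]


def effective_verbs(rules):
    """Flatten rules into {"group/resource": set(verbs)}; the core group "" is shown as "core"."""
    out = defaultdict(set)
    for rule in rules:
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                out[f"{group or 'core'}/{resource}"].update(rule.get("verbs", []))
    return dict(out)


def summarize(rules):
    """Label each resource 'view' and/or 'modify' as the table does; verbs outside
    both buckets (e.g. deletecollection) are kept explicit so they are not hidden."""
    summary = {}
    for key, verbs in effective_verbs(rules).items():
        labels = set()
        if "*" in verbs or VIEW <= verbs:
            labels.add("view")
        if "*" in verbs or MODIFY <= verbs:
            labels.add("modify")
        labels.update(verbs - VIEW - MODIFY - {"*"})
        summary[key] = labels
    return summary


def drift(documented, live):
    """Verbs a live role grants beyond the documented baseline, per resource.
    A wildcard "*" on the live side is reported as-is so a reviewer notices it."""
    baseline, actual = effective_verbs(documented), effective_verbs(live)
    extra = {key: verbs - baseline.get(key, set()) for key, verbs in actual.items()}
    return {key: verbs for key, verbs in extra.items() if verbs}
```

Pass the `.rules` array of the cluster's actual ClusterRole as `live` to confirm the bound permissions still match the set documented on this page.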