Default Config Sync permissions

This page lists the permissions that Config Sync and its components are granted by default so that they have the cluster-level access they need. Several of these components run with cluster-admin, so treat their service accounts and the namespaces they run in as highly privileged.

Default permissions

The following table lists the permissions that Config Sync enables by default. You shouldn't disable these permissions while Config Sync is in use.

Component: reconciler-manager
  Namespace: config-management-system
  Service account: reconciler-manager
  Permissions: cluster-admin
  Description: To provision the root reconcilers and create the ClusterRoleBinding for the root reconcilers, the reconciler-manager must have the cluster-admin permission.

Component: root reconcilers
  Namespace: config-management-system
  Service account: the name of the root reconciler
  Permissions: cluster-admin
  Description: To apply cluster-scoped and custom resources, the root reconcilers must have the cluster-admin permission.

Component: namespace reconcilers
  Namespace: config-management-system
  Service account: the name of the namespace reconciler
  Permissions: configsync.gke.io:ns-reconciler
  Description: To get and update the RepoSync and ResourceGroup objects and their statuses, the namespace reconcilers need the configsync.gke.io:ns-reconciler permission.

Component: resource-group-controller-manager
  Namespace: config-management-system
  Service account: resource-group-sa
  Permissions: resource-group-manager-role and resource-group-leader-election-role
  Description: To check the status of managed objects and to enable leader election, the resource-group-controller-manager needs the resource-group-manager-role and resource-group-leader-election-role roles.

Component: admission-webhook
  Namespace: config-management-system
  Service account: admission-webhook
  Permissions: cluster-admin
  Description: To deny requests to any object on the cluster, the admission webhook must have the cluster-admin permission.

Component: importer
  Namespace: config-management-system
  Service account: importer
  Permissions: cluster-admin
  Description: To set RBAC permissions, the importer must have the cluster-admin permission.

Config Sync specific permissions

The following sections detail the configsync.gke.io:ns-reconciler, resource-group-manager-role, and resource-group-leader-election-role permissions listed in the preceding table.

Config Sync applies these permissions automatically by including the following ClusterRole and Role definitions in the namespace reconciler and Resource Group Controller manifests.

RBAC for namespace reconcilers

The following ClusterRole shows the role-based access control permissions for namespace reconcilers:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: configsync.gke.io:ns-reconciler
  labels:
    configmanagement.gke.io/system: "true"
    configmanagement.gke.io/arch: "csmr"
rules:
- apiGroups: ["configsync.gke.io"]
  resources: ["reposyncs"]
  verbs: ["get"]
- apiGroups: ["configsync.gke.io"]
  resources: ["reposyncs/status"]
  verbs: ["get","list","update"]
- apiGroups: ["kpt.dev"]
  resources: ["resourcegroups"]
  verbs: ["*"]
- apiGroups: ["kpt.dev"]
  resources: ["resourcegroups/status"]
  verbs: ["*"]
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  resourceNames:
  - acm-psp
  verbs:
  - use

RBAC for Resource Group Controller

The following ClusterRole and namespaced Role show the role-based access control permissions for the Resource Group Controller. Note that the first rule of resource-group-manager-role grants get, list, and watch on every resource in every API group, which includes reading Secrets cluster-wide; this is what lets the controller report status for any managed object, but it also makes the resource-group-sa service account a sensitive identity:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  labels:
    configmanagement.gke.io/arch: "csmr"
    configmanagement.gke.io/system: "true"
  name: resource-group-manager-role
rules:
# This permission is needed to get the status for managed resources
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
# This permission is needed to watch/unwatch types as they are registered or removed.
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
# This permission is needed so that the ResourceGroup controller can reconcile a ResourceGroup CR
- apiGroups:
  - kpt.dev
  resources:
  - resourcegroups
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
# This permission is needed so that the ResourceGroup controller can update the status of a ResourceGroup CR
- apiGroups:
  - kpt.dev
  resources:
  - resourcegroups/status
  verbs:
  - get
  - patch
  - update
# This permission is needed so that the ResourceGroup controller can work on a cluster with PSP enabled
- apiGroups:
  - policy
  resourceNames:
  - acm-psp
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    configmanagement.gke.io/arch: "csmr"
    configmanagement.gke.io/system: "true"
  name: resource-group-leader-election-role
  namespace: resource-group-system
# The following permissions are needed so that the leader election can work
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps/status
  verbs:
  - get
  - update
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - '*'
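To make the effect of these rules concrete without a live cluster, the following added example (not part of Config Sync or of this page's manifests) re-implements the matching logic that the Kubernetes RBAC authorizer applies to PolicyRule entries (wildcard api groups, resources and verbs, "*/subresource" matching, and resourceNames restrictions) and runs it over the configsync.gke.io:ns-reconciler and resource-group-manager-role rules transcribed from the ClusterRoles above. The function names allowed() and granted_verbs() are this example's own. It shows, for instance, that a namespace reconciler can update reposyncs/status but not the RepoSync spec, that the acm-psp rule only matches a request that names that specific PodSecurityPolicy, and that the Resource Group Controller can read Secrets in every namespace but cannot modify them.

```python
"""Offline evaluation of the Config Sync ClusterRoles shown above.

Added example; not Config Sync code. The rule lists are transcribed from the
manifests on this page. allowed() mirrors the rule-matching semantics of the
RBAC authorizer in k8s.io/apiserver (group, resource, verb, resourceNames).
"""

# Transcribed from the configsync.gke.io:ns-reconciler ClusterRole.
NS_RECONCILER_RULES = [
    {"apiGroups": ["configsync.gke.io"], "resources": ["reposyncs"], "verbs": ["get"]},
    {"apiGroups": ["configsync.gke.io"], "resources": ["reposyncs/status"],
     "verbs": ["get", "list", "update"]},
    {"apiGroups": ["kpt.dev"], "resources": ["resourcegroups"], "verbs": ["*"]},
    {"apiGroups": ["kpt.dev"], "resources": ["resourcegroups/status"], "verbs": ["*"]},
    {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
     "resourceNames": ["acm-psp"], "verbs": ["use"]},
]

# Transcribed from the resource-group-manager-role ClusterRole.
RESOURCE_GROUP_MANAGER_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["kpt.dev"], "resources": ["resourcegroups"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["kpt.dev"], "resources": ["resourcegroups/status"],
     "verbs": ["get", "patch", "update"]},
    {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
     "resourceNames": ["acm-psp"], "verbs": ["use"]},
]

STANDARD_VERBS = ("get", "list", "watch", "create", "update", "patch", "delete", "use")


def _verb_matches(rule, verb):
    return "*" in rule["verbs"] or verb in rule["verbs"]


def _group_matches(rule, group):
    # The core API group is the empty string, exactly as in a manifest.
    return "*" in rule["apiGroups"] or group in rule["apiGroups"]


def _resource_matches(rule, resource):
    # "*" matches everything (including subresources), otherwise an exact match
    # is required; a rule may also name "*/<sub>" to match any type's subresource.
    sub = resource.split("/", 1)[1] if "/" in resource else ""
    for r in rule["resources"]:
        if r == "*" or r == resource:
            return True
        if sub and r == "*/" + sub:
            return True
    return False


def _name_matches(rule, name):
    # A rule with resourceNames only matches requests that carry a name, which
    # is why "use" on acm-psp does not imply "use" on any other PSP.
    names = rule.get("resourceNames", [])
    return not names or name in names


def allowed(rules, verb, group, resource, name=""):
    """True if any rule grants VERB on GROUP/RESOURCE (optionally for one named object)."""
    return any(
        _verb_matches(r, verb) and _group_matches(r, group)
        and _resource_matches(r, resource) and _name_matches(r, name)
        for r in rules
    )


def granted_verbs(rules, group, resource, name=""):
    """Sorted list of standard verbs the rules grant on GROUP/RESOURCE."""
    return sorted(v for v in STANDARD_VERBS if allowed(rules, v, group, resource, name))


if __name__ == "__main__":
    # Constructed requests a reviewer would ask about; not real audit data.
    checks = [
        ("ns-reconciler", NS_RECONCILER_RULES, "update", "configsync.gke.io", "reposyncs", ""),
        ("ns-reconciler", NS_RECONCILER_RULES, "update", "configsync.gke.io", "reposyncs/status", ""),
        ("ns-reconciler", NS_RECONCILER_RULES, "use", "policy", "podsecuritypolicies", "acm-psp"),
        ("ns-reconciler", NS_RECONCILER_RULES, "use", "policy", "podsecuritypolicies", "other-psp"),
        ("ns-reconciler", NS_RECONCILER_RULES, "get", "", "secrets", ""),
        ("resource-group-manager-role", RESOURCE_GROUP_MANAGER_RULES, "get", "", "secrets", ""),
        ("resource-group-manager-role", RESOURCE_GROUP_MANAGER_RULES, "patch", "", "secrets", ""),
    ]
    for role, rules, verb, group, resource, name in checks:
        target = f"{group or 'core'}/{resource}" + (f" ({name})" if name else "")
        print(f"{role:30} {verb:7} {target:45} {allowed(rules, verb, group, resource, name)}")
    print("resource-group-manager-role on core/secrets:",
          granted_verbs(RESOURCE_GROUP_MANAGER_RULES, "", "secrets"))
```

The same checks can be made against a live cluster with kubectl auth can-i, impersonating the service account (for example --as=system:serviceaccount:config-management-system/resource-group-sa); the offline matcher is useful for reviewing a proposed change to these roles before it is applied.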