Knative serving component permissions

Use this page to understand the RBAC permissions that the Knative serving components hold in the cluster. These permissions are required and are granted by default when Knative serving is installed; do not attempt to remove or reduce them.

Component                          Namespace         Service account
---------------------------------  ----------------  ------------------
activator                          knative-serving   controller
autoscaler                         knative-serving   controller
controller                         knative-serving   controller
webhook                            knative-serving   controller
storage-version-migration-serving  knative-serving   controller
cloud-run-operator                 cloud-run-system  cloud-run-operator

Note that the cloud-run-operator service account has the same set of permissions as the controller service account. The operator deploys all Knative serving components, including the custom resource definitions and the controllers, so it needs at least everything the controllers need.

RBAC for Knative serving service accounts

The following rules (each an apiGroups, resources and verbs triple) define the access that both the controller and the cloud-run-operator service accounts have to each resource in Knative serving. None of the rules carries a resourceNames restriction, so each rule applies to every object of the listed kinds, and a subresource (such as endpoints/restricted or deployments/finalizers) is covered only where it is listed explicitly: a grant on "deployments" does not imply "deployments/finalizers".

- apiGroups:
  - ""
  resources:
  - pods
  - secrets
  verbs:
  - deletecollection
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  - secrets
  - configmaps
  - endpoints
  - services
  - events
  - serviceaccounts
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - ""
  resources:
  - endpoints/restricted
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - namespaces/finalizers
  verbs:
  - update
- apiGroups:
  - apps
  resources:
  - deployments
  - deployments/finalizers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  - customresourcedefinitions/status
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch

The following table lists how the RBAC permissions are used in Knative serving, where:

  • view includes the verbs get, list and watch
  • modify includes the verbs create, update, delete and patch

Permission
    Reason

Can view all secrets
    The webhook reads the secret in the knative-serving namespace. The DomainMapping controller reads the certificate secrets generated by the auto TLS feature and copies them to the gke-system namespace.

Can modify pods
    The DomainMapping controller creates a Pod that serves the requests for fulfilling the HTTP01 challenge.

Can modify secrets
    The DomainMapping controller creates or updates the certificate secret. The webhook reads the secret in the knative-serving namespace.

Can modify configmaps
    Used by the default URL feature. The controller updates the "config-domain" configmap in the "knative-serving" namespace to add the `nip.io` URL.

Can modify endpoints
    The ServerlessService controller and the Route controller create, update and delete endpoints.

Can modify services
    The Route controller and the ServerlessService controller create, update and delete services. The DomainMapping controller creates a service for serving HTTP01 challenge requests.

Can modify events
    The Knative serving controller creates and emits events for the resources that Knative manages.

Can modify serviceaccounts
    Knative serving needs to read service accounts indirectly.

Can modify endpoints/restricted
    Knative serving needs to create endpoints when RestrictedEndpointsAdmission is enabled.

Can modify deployments
    The Revision controller creates or updates a deployment for each Knative service.

Can modify mutatingwebhookconfigurations
    The Knative webhook adds the caBundle to the mutatingwebhookconfigurations owned by Knative.

Can modify validatingwebhookconfigurations
    The Knative webhook adds the caBundle to the validatingwebhookconfigurations owned by Knative.

Can modify customresourcedefinitions and customresourcedefinitions/status
    The Knative post-install job upgrades the Knative CRDs to the v1 version.

Can modify horizontalpodautoscalers
    Knative supports autoscaling based on the HPA.

Can modify namespaces/finalizers
    Knative serving sets an ownerReference on the knative-serving namespace.
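When reviewing a grant like this, the useful check is to evaluate the rule list with Kubernetes RBAC matching semantics rather than eyeball it: confirm which verbs each (apiGroup, resource) pair actually receives, confirm that subresources and other API groups are not implicitly covered, and cross-check the rule list against the reasons table above to see which grants the table does not explain. The script below is an added example, not code from Knative serving or the Cloud Run operator. RULES is a transcription of the rule list on this page into Python literals (so no PyYAML is needed), DOCUMENTED is a transcription of the resources named in the reasons table, the matching logic follows the RBAC rules for apiGroups, resources, "*/subresource" patterns and verbs, and every function name is this example's own. The emitted kubectl lines use impersonation of the controller service account and are for a live cluster; they are not executed here.

```python
"""Offline evaluator for the Knative serving RBAC rules listed on this page.

Added example; not code from Knative serving or the Cloud Run operator.
RULES and DOCUMENTED are transcribed from this page; function names are ours.
"""
from itertools import product

ALL = ["get", "list", "create", "update", "delete", "patch", "watch"]
KNOWN_VERBS = ALL + ["deletecollection"]
VIEW = {"get", "list", "watch"}                    # the page's "view"
MODIFY = {"create", "update", "delete", "patch"}   # the page's "modify"
SA = "system:serviceaccount:knative-serving:controller"

# Transcribed from the rule list on this page; "" is the core API group.
RULES = [
    {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["deletecollection"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["pods", "namespaces", "secrets", "configmaps", "endpoints",
                                      "services", "events", "serviceaccounts"], "verbs": ALL},
    {"apiGroups": [""], "resources": ["endpoints/restricted"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["namespaces/finalizers"], "verbs": ["update"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "deployments/finalizers"], "verbs": ALL},
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"], "verbs": ALL},
    {"apiGroups": ["apiextensions.k8s.io"],
     "resources": ["customresourcedefinitions", "customresourcedefinitions/status"], "verbs": ALL},
    {"apiGroups": ["autoscaling"], "resources": ["horizontalpodautoscalers"], "verbs": ALL},
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ALL},
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["validatingwebhookconfigurations"], "verbs": ALL},
]

# (group, resource) pairs that the reasons table on this page explains.
DOCUMENTED = {
    ("", "secrets"), ("", "pods"), ("", "configmaps"), ("", "endpoints"), ("", "services"),
    ("", "events"), ("", "serviceaccounts"), ("", "endpoints/restricted"),
    ("", "namespaces/finalizers"), ("apps", "deployments"),
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations"),
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations"),
    ("apiextensions.k8s.io", "customresourcedefinitions"),
    ("apiextensions.k8s.io", "customresourcedefinitions/status"),
    ("autoscaling", "horizontalpodautoscalers"),
}


def _resource_matches(pattern, resource):
    # RBAC semantics: "pods" never implies "pods/log"; a subresource must be
    # listed explicitly or matched by the "*/<subresource>" wildcard form.
    if pattern in ("*", resource):
        return True
    if pattern.startswith("*/") and "/" in resource:
        return resource.split("/", 1)[1] == pattern[2:]
    return False


def rule_allows(rule, group, resource, verb):
    return (any(g in ("*", group) for g in rule["apiGroups"])
            and any(_resource_matches(r, resource) for r in rule["resources"])
            and any(v in ("*", verb) for v in rule["verbs"]))


def allowed(group, resource, verb):
    """True if any rule grants the verb on the (group, resource)."""
    return any(rule_allows(rule, group, resource, verb) for rule in RULES)


def granted_pairs():
    """Every (group, resource) named anywhere in RULES, de-duplicated and sorted."""
    return sorted({(g, r) for rule in RULES
                   for g, r in product(rule["apiGroups"], rule["resources"])})


def effective_verbs(group, resource):
    """Union of granted verbs across all rules, via the matcher above."""
    return {v for v in KNOWN_VERBS if allowed(group, resource, v)}


def summarize():
    """Map each (group, resource) to the page's vocabulary plus any leftover verbs."""
    out = {}
    for group, resource in granted_pairs():
        verbs = effective_verbs(group, resource)
        labels, covered = [], set()
        if VIEW <= verbs:
            labels.append("view"); covered |= VIEW
        if MODIFY <= verbs:
            labels.append("modify"); covered |= MODIFY
        out[(group, resource)] = ", ".join(labels + sorted(verbs - covered))
    return out


def unexplained(documented):
    """Granted (group, resource) pairs that the reasons table does not mention."""
    return [pair for pair in granted_pairs() if pair not in documented]


def can_i_commands(sa=SA):
    """kubectl lines to confirm each grant on a live cluster by impersonating the SA."""
    cmds = []
    for group, resource in granted_pairs():
        base, _, sub = resource.partition("/")
        target = base if group == "" else f"{base}.{group}"
        subflag = f" --subresource={sub}" if sub else ""
        for verb in sorted(effective_verbs(group, resource)):
            cmds.append(f"kubectl auth can-i {verb} {target}{subflag} --as={sa} -A")
    return cmds


if __name__ == "__main__":
    for (group, resource), level in summarize().items():
        print(f"{group or 'core':30} {resource:40} {level}")
    print("granted but not explained by the reasons table:", unexplained(DOCUMENTED))
    print("\n".join(can_i_commands()[:3]), "\n...")
```

Running the script shows that nodes (view), namespaces (modify), deployments/finalizers and leases are granted but not covered by the reasons table, and that the deletecollection verb on pods and secrets falls outside the page's "modify" definition. The kubectl lines answer "yes" or "no" per grant; a "no" for any line means the ClusterRole on the cluster has drifted from this page, while a "yes" for a verb or resource the script does not emit (for example, get on pods/log, or anything in rbac.authorization.k8s.io) means the service account holds more than documented.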