diff --git a/docs/administrator/security/rbac-permissions-for-karmada-components.md b/docs/administrator/security/rbac-permissions-for-karmada-components.md new file mode 100644 index 00000000..377be967 --- /dev/null +++ b/docs/administrator/security/rbac-permissions-for-karmada-components.md @@ -0,0 +1,39 @@ +--- +title: RBAC Permissions for Karmada Components +--- + +# RBAC Permissions for Karmada Components + +## karmada-operator + +| API Group | Resource | Verbs | Description | +|-----------|----------|-------|-------------| +| coordination.k8s.io | leases | get, create, update | Required for leader election. | +| operator.karmada.io | karmadas | get, list, watch, update | To manage Karmada instances. | +| operator.karmada.io | karmadas/status | update | To update the status subresource of Karmada instances. | +| "" (core) | events | create | Allows karmada-operator to record events in the Kubernetes API server. | +| "" (core) | nodes, pods | list | List cluster nodes and pods to get node information and for health checks. | +| "" (core) | namespaces | get | To get information about namespaces, and deploy resources into specific namespaces. | +| "" (core) | secrets, services | get, create, update, delete | To manage secrets which might contain sensitive data like credentials and services to expose applications within the cluster. | +| apps | statefulsets, deployments | get, create, update, delete | To manage StatefulSets, e.g., etcd, and Deployments, e.g., karmada-operator. | + +| Non-Resource URLs | Verbs | Description | +|-------------|-------|-------------| +| /healthz | get | Used to check whether the Karmada API server is healthy. | + + +## karmada-agent + +| API Group | Resource | Verbs | Description | +|-----------|----------|-------|-------------| +| cluster.karmada.io | clusters | list, watch | To manage and monitor clusters. | +| cluster.karmada.io | clusters | get, create, delete | resourceNames: {{clustername}} | +| cluster.karmada.io | clusters/status | update | resourceNames: {{clustername}} | +| config.karmada.io | resourceinterpreterwebhookconfigurations, resourceinterpretercustomizations | get, list, watch | To list and watch resource interpreter configurations. | +| "" (core) | namespaces | get | To get information about namespaces. | +| coordination.k8s.io | leases | get, create, update | Required for leader election. | +| certificates.k8s.io | certificatesigningrequests | get, create | To get and create CSR. | +| "" (core) | events | create, patch, update | Allows karmada-agent to record events in the Karmada API server. | +| "" (core) | secrets | get, create, patch | To manage secrets which might contain sensitive data like credentials. | +| work.karmada.io | works | get, list, watch, create, update, delete | To manage work resources. | +| work.karmada.io | works/status | patch, update | To update the status of work resources. | diff --git a/sidebars.js b/sidebars.js index d5cf627d..45f7ca15 100644 --- a/sidebars.js +++ b/sidebars.js @@ -215,7 +215,8 @@ module.exports = { label: "Security", items: [ "administrator/security/security-considerations", - "administrator/security/verify-artifacts" + "administrator/security/verify-artifacts", + "administrator/security/rbac-permissions-for-karmada-components" ], }, ], @@ -298,7 +299,7 @@ module.exports = { "reference/components/karmada-scheduler-estimator", "reference/components/karmada-search", "reference/components/karmada-webhook", - "reference/components/karmada-metrics-adapter", + "reference/components/karmada-metrics-adapter", ], }, {