Dynamic Admission Controller RBAC Settings

The admission controller requires read-only access to several resource types in order to function.

couchbase.com/couchbasebuckets
couchbase.com/couchbaseephemeralbuckets
couchbase.com/couchbasememcachedbuckets
couchbase.com/couchbasereplications
couchbase.com/couchbaseusers
couchbase.com/couchbasegroups
couchbase.com/couchbaseroles
couchbase.com/couchbaserolebindings
couchbase.com/couchbasebackups
couchbase.com/couchbasebackuprestores

Used by the DAC to collect the resources associated with a CouchbaseCluster. The DAC ensures that the configuration, when considered as a whole, is valid for the Couchbase cluster.

Required Permissions: list

namespaces

Used by the DAC to look up the namespace a cluster is running in. This is used to determine whether the cluster is running on Red Hat OpenShift, which in turn determines the correct defaults for the platform.

Required Permissions: get

secrets

Used by the DAC to look for secrets references in the CouchbaseCluster specification. It will ensure that the username and password secrets exist. It will ensure that, if specified, the TLS secrets are present and correct, and are valid for the cluster.

Required Permissions: get

storage.k8s.io/storageclasses

Used by the DAC to look for storage class references in the CouchbaseCluster specification. It will ensure that, if present, any storage class templates reference existing storage classes.

Required Permissions: get

Namespace, Secret and StorageClass resources are only interrogated — as described — for existence and correctness. The admission controller only performs get operations based on the names specified in the CouchbaseCluster specification. These resources will never be leaked through logs and are never persisted by the admission controller. If, however, your security policies declare that such permissions cannot be granted to an application, then they can be safely removed from the admission controller’s role. Permissions errors will be silently ignored by the admission controller. You will then no longer be informed about missing secrets and storage classes, incorrectly formatted secrets, and invalid TLS configurations.
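The permissions above expressed as a least-privilege ClusterRole, as an added example that is not part of the Couchbase documentation or the Operator's own manifests. The role name, the service account name and its namespace are assumptions; the rules marked as optional are the ones the text says can be dropped under a stricter policy.

```yaml
# Added example, not the Operator's own RBAC manifest. Role, service account
# and namespace names are assumed; adjust them to your deployment. A ClusterRole
# is used because namespaces and storageclasses are cluster-scoped resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: couchbase-admission-controller   # assumed name
rules:
  # Couchbase custom resources: listed to validate a CouchbaseCluster as a whole.
  - apiGroups: ["couchbase.com"]
    resources:
      - couchbasebuckets
      - couchbaseephemeralbuckets
      - couchbasememcachedbuckets
      - couchbasereplications
      - couchbaseusers
      - couchbasegroups
      - couchbaseroles
      - couchbaserolebindings
      - couchbasebackups
      - couchbasebackuprestores
    verbs: ["list"]
  # Namespace lookup, used to detect OpenShift and choose platform defaults.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get"]
  # Optional: secrets referenced by name in the spec (credentials, TLS). Drop if policy forbids it.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
  # Optional: storage classes referenced by storage class templates. Drop if policy forbids it.
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: couchbase-admission-controller   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: couchbase-admission-controller
subjects:
  - kind: ServiceAccount
    name: couchbase-admission-controller   # assumed service account
    namespace: default                     # assumed namespace
```

After applying it, confirm the binding grants no more than intended with `kubectl auth can-i get secrets --as=system:serviceaccount:default:couchbase-admission-controller` (expect "yes") and the same command with `create secrets` (expect "no").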