Dynamic Admission Controller RBAC Settings
The admission controller requires read-only access to several resource types in order to function.
Required Permissions
- couchbase.com/couchbaseclusters
- couchbase.com/couchbasebuckets
- couchbase.com/couchbaseephemeralbuckets
- couchbase.com/couchbasememcachedbuckets
- couchbase.com/couchbasereplications
- couchbase.com/couchbaseusers
- couchbase.com/couchbasegroups
- couchbase.com/couchbaserolebindings
- couchbase.com/couchbasebackups
- couchbase.com/couchbasebackuprestores
- couchbase.com/couchbaseautoscalers
- couchbase.com/couchbasecollections
- couchbase.com/couchbasecollectiongroups
- couchbase.com/couchbasescopes
- couchbase.com/couchbasescopegroups
- couchbase.com/couchbasemigrationreplications
-
Used by the DAC to collect resources associated with a
CouchbaseCluster
. The DAC ensures — when considered as a whole — the configuration is valid for the Couchbase cluster.Required Permissions:
list
Optional Permissions
- secrets
-
Used by the DAC to look for secrets references in the
CouchbaseCluster
specification. It will ensure that the username and password secrets exist. It will ensure that, if specified, the TLS secrets are present and correct, and are valid for the cluster.You can opt out of this requirement with the
--validate-secrets
cao
flag.Required Permissions:
get
- storage.k8s.io/storageclasses
-
Used by the DAC to look for storage class references in the
CouchbaseCluster
specification. It will ensure that, if present, any storage class templates reference existing storage classes.You can opt out of this requirement with the
--validate-storage-classes
cao
flag.Required Permissions:
get
If, however, your security policies declare that such permissions cannot be granted to an application, then they can be safely removed from the admission controller’s role. You will then no longer be informed about missing secrets and storage classes, incorrectly formatted secrets, and invalid TLS configurations. For further information on opting out of these checks, see the documentation for the |