
Kubernetes RBAC

By default, the chart creates a dedicated ServiceAccount, a ClusterRole, and a ClusterRoleBinding that binds the ClusterRole to that ServiceAccount. Because the binding is a ClusterRoleBinding rather than a RoleBinding, the role's permissions on namespaced resources apply in every namespace, not only the release namespace.

The default values are serviceAccount.create: true and rbac.create: true. Object names are generated from the Helm release unless serviceAccount.name or rbac.clusterRoleName overrides them.

Two permission layers: the user's BeaverDeck role and the pod's Kubernetes ServiceAccount RBAC must both allow an operation. See the application permission matrix for role keys and action combinations.

Default ClusterRole Rules

The table below reflects the rules rendered by the current Helm chart. Full access means get, list, watch, create, update, patch, and delete.

API group | Resources | Verbs | Why BeaverDeck uses them
--- | --- | --- | ---
Core ("") | pods | Full access | Pod lists, status, manifests, Apply YAML, deletion, restart workflows, and node drain discovery.
Core ("") | pods/log, pods/exec | Full access | Read and follow container logs, and create interactive exec sessions. Logs primarily need get; exec primarily needs create.
Core ("") | events | Full access | Event browsing and troubleshooting. BeaverDeck primarily reads Events, but the default rule grants the same write verbs as for other core resources.
Core ("") | configmaps, secrets | Full access | Resource browsing, manifests, Apply YAML, auth configuration Secret storage, suppressed-alert ConfigMap storage, and configuration checks.
Core ("") | services, serviceaccounts, resourcequotas | Full access | Resource pages and manifests, Apply YAML, networking checks, and namespace/GPU quota checks.
Core ("") | persistentvolumeclaims, persistentvolumes, nodes, nodes/proxy | Full access | Storage and node views, Insights, node cordon/uncordon, drain discovery, and kubelet summary statistics through the node proxy. Summary statistics need only get on nodes/proxy; the write verbs additionally allow write requests through the API server's node proxy to every kubelet, which reaches further than the pods/exec rule.
Core ("") | namespaces | get, list | Populate namespace selection and apply the application namespace scope. The default role cannot create, edit, or delete namespaces.
apps | deployments, deployments/scale, statefulsets, daemonsets, replicasets | Full access | Workload lists and manifests, scaling, restarts, Apply YAML, editing, and deletion.
batch | jobs, cronjobs | Full access | Batch workload lists and manifests, Apply YAML, editing, and deletion.
rbac.authorization.k8s.io | roles, rolebindings, clusterroles, clusterrolebindings | Full access | RBAC resource pages and manifests, Apply YAML, editing, and deletion. Kubernetes escalation prevention still applies: the rule grants neither the escalate nor the bind verb, so the ServiceAccount cannot create a role holding permissions it does not itself have, or a binding to such a role.
networking.k8s.io | ingresses, networkpolicies | Full access | Ingress pages and manifests, Apply YAML, editing, deletion, networking checks, and NetworkPolicy coverage checks.
discovery.k8s.io | endpointslices | get, list, watch | Resolve Service backend availability for networking Insights. EndpointSlices are read-only.
storage.k8s.io | storageclasses | Full access | StorageClass pages and manifests, storage Insights, Apply YAML, editing, and deletion.
apiextensions.k8s.io | customresourcedefinitions | Full access | CRD pages and manifests, Apply YAML, editing, and deletion.
metrics.k8s.io | nodes, pods | get, list | Read node and pod CPU/memory metrics for resource tables, cluster health, and Insights.

Eviction permission: pod Evict and node Drain use the Kubernetes eviction API, which requires the create verb on pods/eviction in the policy API group. The current default ClusterRole does not include that rule, so the API server denies these operations until a cluster administrator adds it, for example through a second ClusterRole and ClusterRoleBinding that grant only that verb to the same ServiceAccount.

Scope and Custom RBAC

  • allowAllNamespaces: false restricts what the application shows and acts on, but does not narrow the ClusterRole or ClusterRoleBinding; the ServiceAccount keeps its cluster-wide permissions.
  • The default ClusterRole can read and modify the listed namespaced resources, including Secrets, in every namespace. Use a custom policy when that scope is not acceptable, for example a read-only ClusterRole plus Roles and RoleBindings in the namespaces where writes are allowed.
  • The two layers do not substitute for each other: a Kubernetes denial remains a denial even for an admin-mode BeaverDeck user, and broad ServiceAccount RBAC does not let a non-admin user bypass BeaverDeck role checks.
  • Set rbac.create: false to stop the chart from creating its ClusterRole and ClusterRoleBinding.
  • Set serviceAccount.create: false and serviceAccount.name to run with an existing ServiceAccount. That ServiceAccount must still be bound, through Roles or ClusterRoles, to every permission the enabled features need, including pods/eviction if Evict or Drain are used.
  • Custom RBAC must retain access to the auth configuration Secret and suppressed-alert ConfigMap in the BeaverDeck namespace, or startup and configuration updates will fail.
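The following script is an added example and is not part of the BeaverDeck chart or application. It checks a proposed ServiceAccount policy offline, before anything is applied, by evaluating the (API group, resource, verb) triples each feature needs against the rule sets bound to the ServiceAccount, using the resource matching the Kubernetes RBAC authorizer applies (exact name, "*", or "*/<subresource>"). It serves both the eviction gap noted under the default rules and the narrowed-scope design from the list above. The default rules are an abridgement constructed from the table; the custom policy, the per-feature verb lists, and the "team-a" and "prod" namespaces are assumptions made for the example.

```python
"""Offline RBAC coverage check for a BeaverDeck ServiceAccount.

Added example, not part of the chart or the application. A "policy" is a
list of (rules, scope) pairs: scope None models a ClusterRoleBinding
(applies in every namespace and to cluster-scoped resources); a namespace
string models a RoleBinding in that namespace.
"""

FULL_ACCESS = ["get", "list", "watch", "create", "update", "patch", "delete"]
READ_ONLY = ["get", "list", "watch"]

# Requests for these resources carry no namespace, so only a
# ClusterRoleBinding can grant them.
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes", "storageclasses",
                  "clusterroles", "clusterrolebindings", "customresourcedefinitions"}


def rule(groups, resources, verbs):
    """Build a PolicyRule in the shape `kubectl get clusterrole -o json` prints."""
    return {"apiGroups": groups, "resources": resources, "verbs": verbs}


# Constructed abridgement of the default ClusterRole from the table above.
DEFAULT_CLUSTER_RULES = [
    rule([""], ["pods", "pods/log", "pods/exec", "events", "configmaps",
                "secrets", "services", "nodes", "nodes/proxy"], FULL_ACCESS),
    rule([""], ["namespaces"], ["get", "list"]),
    rule(["apps"], ["deployments", "deployments/scale", "statefulsets"], FULL_ACCESS),
    rule(["metrics.k8s.io"], ["nodes", "pods"], ["get", "list"]),
]
DEFAULT_POLICY = [(DEFAULT_CLUSTER_RULES, None)]

# Hypothetical narrowed policy: read-only cluster-wide, node cordon via patch,
# full access only in the release namespace "beaverdeck" (auth Secret and
# suppressed-alert ConfigMap) and in the placeholder namespace "team-a".
CUSTOM_POLICY = [
    ([rule([""], ["pods", "pods/log", "events", "configmaps", "secrets",
                  "services", "nodes", "nodes/proxy", "namespaces"], READ_ONLY),
      rule([""], ["nodes"], ["patch"]),
      rule(["apps"], ["deployments", "statefulsets"], READ_ONLY),
      rule(["metrics.k8s.io"], ["nodes", "pods"], ["get", "list"])], None),
    ([rule([""], ["configmaps", "secrets"], FULL_ACCESS)], "beaverdeck"),
    ([rule([""], ["pods", "pods/log", "pods/exec", "configmaps", "secrets"], FULL_ACCESS),
      rule(["apps"], ["deployments", "deployments/scale"], FULL_ACCESS),
      rule(["policy"], ["pods/eviction"], ["create"])], "team-a"),
]

# Verbs each feature needs, as (apiGroup, resource, verb). Assumed from the
# table and the eviction note; "config-store" must hold in the release namespace.
FEATURE_REQUIREMENTS = {
    "config-store": [("", "secrets", "get"), ("", "secrets", "update"),
                     ("", "configmaps", "get"), ("", "configmaps", "update")],
    "pod-logs": [("", "pods/log", "get")],
    "pod-exec": [("", "pods/exec", "create")],
    "scale": [("apps", "deployments/scale", "update")],
    "cordon": [("", "nodes", "patch")],
    "drain": [("", "nodes", "patch"), ("", "pods", "list"),
              ("policy", "pods/eviction", "create")],
    "evict": [("policy", "pods/eviction", "create")],
}


def resource_matches(granted, requested):
    """Resource matching as the RBAC authorizer does it: exact, "*", or "*/<sub>"."""
    if granted in ("*", requested):
        return True
    if "/" in requested and granted.startswith("*/"):
        return granted[2:] == requested.split("/", 1)[1]
    return False


def rule_allows(r, group, resource, verb):
    """One PolicyRule grants the request (resourceNames/nonResourceURLs ignored)."""
    return (any(g in ("*", group) for g in r.get("apiGroups", []))
            and any(resource_matches(res, resource) for res in r.get("resources", []))
            and any(v in ("*", verb) for v in r.get("verbs", [])))


def allowed(policy, namespace, group, resource, verb):
    """True if any bound rule set grants the request in `namespace`."""
    target = "" if resource.split("/")[0] in CLUSTER_SCOPED else namespace
    for rules, scope in policy:
        if scope is not None and scope != target:
            continue  # RoleBinding in another namespace: not applicable
        if any(rule_allows(r, group, resource, verb) for r in rules):
            return True
    return False


def missing_permissions(policy, namespace):
    """Map feature -> list of required triples the policy does not grant."""
    report = {}
    for feature, reqs in FEATURE_REQUIREMENTS.items():
        gaps = [req for req in reqs if not allowed(policy, namespace, *req)]
        if gaps:
            report[feature] = gaps
    return report


if __name__ == "__main__":
    for label, policy in (("default", DEFAULT_POLICY), ("custom", CUSTOM_POLICY)):
        for ns in ("beaverdeck", "team-a", "prod"):
            print(f"{label:8}{ns:12}missing: {missing_permissions(policy, ns)}")
```

Each policy entry with scope None corresponds to a ClusterRole plus ClusterRoleBinding, and an entry carrying a namespace to a Role plus RoleBinding in that namespace. Against the default rules the only gaps reported are the pods/eviction rule behind Evict and Drain; against the narrowed policy, Secret writes are granted only in "beaverdeck" and "team-a", while reads, node cordon and metrics still work everywhere. To check a live cluster, replace DEFAULT_CLUSTER_RULES with the rules field of `kubectl get clusterrole <name> -o json`.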