Home / BeaverDeck / Docs / User Guide / Permissions

Permissions

BeaverDeck checks application role permissions before it calls the Kubernetes API. The Kubernetes ServiceAccount must also be authorized for the requested operation. Passing only one of these checks is not enough.

Admin mode: a role with mode: admin can use every BeaverDeck feature and ignores explicit resource permissions. The tables below apply to non-admin roles.

Permission Levels

Level	Meaning
`none` or omitted	No access to the resource area. In Secret YAML, omit permissions that are not granted.
`view`	List resources and view their manifests. Some resources also expose read-only operations such as logs.
`edit`	Includes view and enables supported mutations. Manifest editing also requires `apply: edit`.
`full`	Includes view and edit and enables delete where BeaverDeck supports deletion.

Resource Permission Matrix

Permission key	`view`	`edit`	`full` / special behavior
`pods`	Pod list, manifest, and pod logs.	Evict pods and edit manifests when `apply: edit` is also granted.	Delete pods.
`workloads`	Deployment, StatefulSet, DaemonSet, Job, CronJob, ReplicaSet, and controller logs/manifests.	Scale, restart, and edit manifests with `apply: edit`.	Delete supported workload resources.
`nodes`	Node list and manifests.	Drain, uncordon, and edit manifests with `apply: edit`.	Node deletion is not exposed; the role editor stops at edit.
`services`	Service list and manifests.	Edit manifests with `apply: edit`.	Delete Services.
`ingresses`	Ingress list and manifests.	Edit manifests with `apply: edit`.	Delete Ingresses.
`clusterroles`	ClusterRoles and ClusterRoleBindings.	Edit manifests with `apply: edit`.	Delete ClusterRoles and ClusterRoleBindings.
`rbacroles`	Namespaced Roles and RoleBindings.	Edit manifests with `apply: edit`.	Delete Roles and RoleBindings.
`serviceaccounts`	ServiceAccount list and manifests.	Edit manifests with `apply: edit`.	Delete ServiceAccounts.
`configmaps`	ConfigMap list and manifests.	Edit manifests with `apply: edit`.	Delete ConfigMaps.
`crds`	CustomResourceDefinition list and manifests.	Edit manifests with `apply: edit`.	Delete CRDs.
`secrets`	Secret metadata and manifests with base64 values.	Reveal decoded values and edit manifests with `apply: edit`.	Delete Secrets.
`pvcs`	PersistentVolumeClaim list and manifests.	Edit manifests with `apply: edit`.	Delete PVCs.
`pvs`	PersistentVolume list and manifests.	Edit manifests with `apply: edit`.	Delete PVs.
`storageclasses`	StorageClass list and manifests.	Edit manifests with `apply: edit`.	Delete StorageClasses.
`events`	Cluster and namespace events.	Not available.	Not available.
`insights`	Open Insights and view checks.	Suppress and restore alerts globally.	Not available.
`exec`	Not used.	Open pod exec sessions; also requires `pods: view`.	Not available.
`apply`	Not used.	Dry-run and apply YAML; also required for manifest editing.	Not available.
`users`, `roles`	Present in the role schema, but current User Management APIs require `mode: admin`. These keys do not independently grant access to non-admin roles.

Common Actions

Action	Required BeaverDeck permission
Open a resource page or manifest	Matching resource key at `view` or higher.
View pod logs	`pods: view`.
View workload logs	`workloads: view`.
Open Exec	`pods: view` and `exec: edit`.
Edit or dry-run a resource manifest	Matching resource key at `edit` plus `apply: edit`.
Reveal decoded Secret data	`secrets: edit`.
Use Apply YAML, including dry-run	`apply: edit`.
Scale or restart a workload	`workloads: edit`.
Evict a pod	`pods: edit`.
Delete a supported resource	Matching resource key at `full`.
Drain or uncordon a node	`nodes: edit`.
View Insights	`insights: view`.
Suppress or restore an Insight	`insights: edit`.
User Management, auth providers, config import/export	`mode: admin`.
Cluster Health	`mode: admin`.

Namespace and Kubernetes Scope

An empty role namespace list allows every namespace permitted by application configuration and Kubernetes RBAC.
A non-empty role namespace list limits namespaced pages and actions to those namespaces.
ALLOW_ALL_NAMESPACES=false limits the application to its managed namespace even if the role allows more.
Namespace restrictions do not scope cluster resources such as Nodes, PVs, StorageClasses, CRDs, ClusterRoles, and ClusterRoleBindings.
The BeaverDeck ServiceAccount must have the corresponding Kubernetes API verbs. Application permissions cannot grant Kubernetes access that the ServiceAccount does not have.

Configuration Example

- name: operator
  mode: viewer
  permissions:
    namespaces:
      - apps
    resources:
      pods: view
      workloads: edit
      exec: edit
      insights: view
      apply: edit

This role can inspect pods and their logs, open Exec, view Insights, and manage workload manifests in the apps namespace. It cannot delete workloads because workloads is not full.