---
copyright:
lastupdated: "2019-10-07"
keywords: kubernetes, iks, infrastructure, rbac, policy
subcollection: containers
---
{:new_window: target="blank"}
{:shortdesc: .shortdesc}
{:screen: .screen}
{:pre: .pre}
{:table: .aria-labeledby="caption"}
{:codeblock: .codeblock}
{:tip: .tip}
{:note: .note}
{:important: .important}
{:deprecated: .deprecated}
{:download: .download}
{:preview: .preview}
{: #access_reference}
When you assign cluster permissions, it can be hard to judge which role you need to assign to a user. Use the tables in the following sections to determine the minimum level of permissions that are required to perform common tasks in {{site.data.keyword.containerlong}}.
{: shortdesc}
{: #iam_platform}
{{site.data.keyword.containerlong_notm}} is configured to use {{site.data.keyword.cloud_notm}} Identity and Access Management (IAM) roles. {{site.data.keyword.cloud_notm}} IAM platform roles determine the actions that users can perform on {{site.data.keyword.cloud_notm}} resources such as clusters, worker nodes, and Ingress application load balancers (ALBs). {{site.data.keyword.cloud_notm}} IAM platform roles also automatically set basic infrastructure permissions for users. To set platform roles, see Assigning {{site.data.keyword.cloud_notm}} IAM platform permissions.
{: shortdesc}
Do not assign {{site.data.keyword.cloud_notm}} IAM platform roles at the same time as a service role. You must assign platform and service roles separately.
- Actions requiring no permissions: Any user in your account who runs the CLI command or makes the API call for the action sees the result, even if the user has no assigned permissions.
- Viewer actions: The Viewer platform role includes the actions that require no permissions, plus the permissions that are shown in the Viewer tab of the following table. With the Viewer role, users such as auditors or billing staff can see cluster details but cannot modify the infrastructure.
- Editor actions: The Editor platform role includes the permissions that are granted by Viewer, plus the permissions that are shown in the Editor tab of the following table. With the Editor role, users such as developers can bind services, work with Ingress resources, and set up log forwarding for their apps, but cannot modify the infrastructure. Tip: Use this role for app developers, and also assign the Cloud Foundry Developer role.
- Operator actions: The Operator platform role includes the permissions that are granted by Viewer, plus the permissions that are shown in the Operator tab of the following table. With the Operator role, users such as site reliability engineers, DevOps engineers, or cluster administrators can add worker nodes and troubleshoot infrastructure, for example by reloading a worker node, but cannot create or delete the cluster, change the credentials, or set up cluster-wide features like service endpoints or managed add-ons.
- Administrator actions: The Administrator platform role includes all permissions that are granted by the Viewer, Editor, and Operator roles, plus the permissions that are shown in the Administrator tab of the following table. With the Administrator role, users such as cluster or account administrators can create and delete clusters or set up cluster-wide features like service endpoints or managed add-ons. To order infrastructure resources such as worker node machines, VLANs, and subnets, Administrator users need the Super user infrastructure role, or the API key for the region must be set with the appropriate permissions.
The following table shows the permissions granted by each {{site.data.keyword.cloud_notm}} IAM platform role. Each tab is organized alphabetically by CLI command name.
Action | CLI command | API call |
---|---|---|
View a list of supported versions for managed add-ons in {{site.data.keyword.containerlong_notm}}. | `ibmcloud ks addon-versions` | `GET /v1/addon` |
Target or view the API endpoint for {{site.data.keyword.containerlong_notm}}. | `ibmcloud ks api` | - |
View a list of supported commands and parameters. | `ibmcloud ks help` | - |
Initialize the {{site.data.keyword.containerlong_notm}} plug-in or specify the region where you want to create or access Kubernetes clusters. | `ibmcloud ks init` | - |
Deprecated: View a list of Kubernetes versions supported in {{site.data.keyword.containerlong_notm}}. | `ibmcloud ks kube-versions` | `GET /v1/kube-versions` |
View a list of available flavors for your worker nodes. | `ibmcloud ks flavors` (`machine-types`) | `GET /v2/getFlavors` |
View current messages for the IBMid user. | `ibmcloud ks messages` | `GET /v1/messages` |
Deprecated: Find the {{site.data.keyword.containerlong_notm}} region that you are currently in. | `ibmcloud ks region` | - |
Deprecated: Set the region for {{site.data.keyword.containerlong_notm}}. | `ibmcloud ks region set` | - |
Deprecated: List the available regions. | `ibmcloud ks region ls` | `GET /v1/regions` |
View a list of supported locations in {{site.data.keyword.containerlong_notm}}. | `ibmcloud ks supported-locations` | `GET /v1/locations` |
View a list of supported versions in {{site.data.keyword.containerlong_notm}}. | `ibmcloud ks versions` | - |
View a list of available zones that you can create a cluster in. | `ibmcloud ks zone ls` | |
{: class="simple-tab-table"}
{: caption="Overview of permissions required for CLI commands and API calls in {{site.data.keyword.containerlong_notm}}." caption-side="top"}
{: #accessreftabtablenone}
{: tab-title="None"}
{: tab-group="access-ref-iam-platform"}
Action | CLI command | API call |
---|---|---|
View information for an Ingress ALB. | `ibmcloud ks alb get` | |
View ALB types that are supported in the region. | `ibmcloud ks alb types` | `GET /albtypes` |
List all Ingress ALBs in a cluster. | `ibmcloud ks alb ls` | |
View the name and email address for the owner of the {{site.data.keyword.cloud_notm}} IAM API key for a resource group and region. | `ibmcloud ks api-key info` | `GET /v1/logging/{idOrName}/clusterkeyowner` |
Download Kubernetes configuration data and certificates to connect to your cluster and run kubectl commands. | `ibmcloud ks cluster config` | `GET /v1/clusters/{idOrName}/config` |
View information for a cluster. | `ibmcloud ks cluster get` | |
List all services in all namespaces that are bound to a cluster. | `ibmcloud ks cluster service ls` | `GET /v1/clusters/{idOrName}/services` |
List all clusters. | `ibmcloud ks cluster ls` | |
Get the infrastructure credentials that are set for the {{site.data.keyword.cloud_notm}} account to access a different IBM Cloud infrastructure portfolio. | `ibmcloud ks credential get` | `GET /v1/credentials` |
Check whether the credentials that allow access to the IBM Cloud infrastructure portfolio for the targeted region and resource group are missing suggested or required infrastructure permissions. | `ibmcloud ks infra-permissions get` | `GET /v1/infra-permissions` |
View the status for automatic updates of the Fluentd add-on. | `ibmcloud ks logging autoupdate get` | `GET /v1/logging/{idOrName}/updatepolicy` |
View the default logging endpoint for the targeted region. | - | `GET /v1/logging/{idOrName}/default` |
List all log forwarding configurations in the cluster or for a specific log source in the cluster. | `ibmcloud ks logging config get` | `GET /v1/logging/{idOrName}/loggingconfig` and `GET /v1/logging/{idOrName}/loggingconfig/{logSource}` |
View information for a log filtering configuration. | `ibmcloud ks logging filter get` | `GET /v1/logging/{idOrName}/filterconfigs/{id}` |
List all logging filter configurations in the cluster. | `ibmcloud ks logging filter get` | `GET /v1/logging/{idOrName}/filterconfigs` |
List all services that are bound to a specific namespace. | - | `GET /v1/clusters/{idOrName}/services/{namespace}` |
List all IBM Cloud infrastructure subnets that are bound to a cluster. | - | `GET /v1/clusters/{idOrName}/subnets` |
List all user-managed subnets that are bound to a cluster. | - | `GET /v1/clusters/{idOrName}/usersubnets` |
List available subnets. | `ibmcloud ks subnets` | |
View the VLAN spanning status for the infrastructure account. | `ibmcloud ks vlan spanning get` | `GET /v1/subnets/vlan-spanning` |
When set for one cluster: List VLANs that the cluster is connected to in a zone. When set for all clusters in the account: List all available VLANs in a zone. | `ibmcloud ks vlan ls` | `GET /v1/datacenters/{datacenter}/vlans` |
List all VPCs in the targeted resource group. | `ibmcloud ks vpcs` | `GET /v2/vpc/getVPCs` |
List all webhooks for a cluster. | - | `GET /v1/clusters/{idOrName}/webhooks` |
View information for a worker node. | `ibmcloud ks worker get` | |
View information for a worker pool. | `ibmcloud ks worker-pool get` | |
List all worker pools in a cluster. | `ibmcloud ks worker-pool ls` | |
List all worker nodes in a cluster. | `ibmcloud ks worker ls` | |
{: class="simple-tab-table"}
{: caption="Overview of permissions required for CLI commands and API calls in {{site.data.keyword.containerlong_notm}}." caption-side="top"}
{: #accessreftabtableview}
{: tab-title="Viewer"}
{: tab-group="access-ref-iam-platform"}
Action | CLI command | API call |
---|---|---|
Disable automatic updates for the Ingress ALB add-on. | `ibmcloud ks alb autoupdate disable` | `PUT /clusters/{idOrName}/updatepolicy` |
Enable automatic updates for the Ingress ALB add-on. | `ibmcloud ks alb autoupdate enable` | `PUT /clusters/{idOrName}/updatepolicy` |
Check whether automatic updates for the Ingress ALB add-on are enabled. | `ibmcloud ks alb autoupdate get` | `GET /clusters/{idOrName}/updatepolicy` |
Enable or disable an Ingress ALB in a classic cluster. | `ibmcloud ks alb configure classic` | `POST /albs` and `DELETE /albs/{albId}` |
Enable or disable an Ingress ALB in a VPC cluster. | `ibmcloud ks alb configure vpc-classic` | `POST /v2/alb/vpc/enableAlb` and `POST /v2/alb/vpc/disableAlb` |
Roll back the Ingress ALB add-on update to the build that your ALB pods were previously running. | `ibmcloud ks alb rollback` | `PUT /clusters/{idOrName}/updaterollback` |
Force a one-time update of your ALB pods by manually updating the Ingress ALB add-on. | `ibmcloud ks alb update` | `PUT /clusters/{idOrName}/update` |
Create an API server audit webhook. | `ibmcloud ks cluster master audit-webhook set` | `PUT /v1/clusters/{idOrName}/apiserverconfigs/auditwebhook` |
Delete an API server audit webhook. | `ibmcloud ks cluster master audit-webhook unset` | `DELETE /v1/clusters/{idOrName}/apiserverconfigs/auditwebhook` |
Bind a service to a cluster. Note: You must have the Cloud Foundry Developer role for the space that your service instance is in. | `ibmcloud ks cluster service bind` | `POST /v1/clusters/{idOrName}/services` |
Unbind a service from a cluster. Note: You must have the Cloud Foundry Developer role for the space that your service instance is in. | `ibmcloud ks cluster service unbind` | `DELETE /v1/clusters/{idOrName}/services/{namespace}/{serviceInstanceId}` |
Create a log forwarding configuration for all log sources except kube-audit. | `ibmcloud ks logging config create` | `POST /v1/logging/{idOrName}/loggingconfig/{logSource}` |
Refresh a log forwarding configuration. | `ibmcloud ks logging refresh` | `PUT /v1/logging/{idOrName}/refresh` |
Delete a log forwarding configuration for all log sources except kube-audit. | `ibmcloud ks logging config rm` | `DELETE /v1/logging/{idOrName}/loggingconfig/{logSource}/{id}` |
Delete all log forwarding configurations for a cluster. | - | `DELETE /v1/logging/{idOrName}/loggingconfig` |
Update a log forwarding configuration. | `ibmcloud ks logging config update` | `PUT /v1/logging/{idOrName}/loggingconfig/{logSource}/{id}` |
Create a log filtering configuration. | `ibmcloud ks logging filter create` | `POST /v1/logging/{idOrName}/filterconfigs` |
Delete a log filtering configuration. | `ibmcloud ks logging filter rm` | `DELETE /v1/logging/{idOrName}/filterconfigs/{id}` |
Delete all logging filter configurations for the Kubernetes cluster. | - | `DELETE /v1/logging/{idOrName}/filterconfigs` |
Update a log filtering configuration. | `ibmcloud ks logging filter update` | `PUT /v1/logging/{idOrName}/filterconfigs/{id}` |
Add one NLB IP address to an existing NLB subdomain. | `ibmcloud ks nlb-dns add` | `PUT /clusters/{idOrName}/add` |
Create a DNS subdomain to register an NLB IP address. | `ibmcloud ks nlb-dns create` | `POST /clusters/{idOrName}/register` |
List NLB subdomains and either the NLB IP addresses (classic clusters) or the load balancer hostnames (VPC clusters) that are registered with the DNS provider for each NLB subdomain. | `ibmcloud ks nlb-dns ls` | |
Remove an NLB IP address from a subdomain. | `ibmcloud ks nlb-dns rm` | `DELETE /clusters/{idOrName}/host/{nlbHost}/ip/{nlbIP}/remove` |
Configure and optionally enable a health check monitor for an existing NLB subdomain in a cluster. | `ibmcloud ks nlb-dns monitor configure` | `POST /health/clusters/{idOrName}/config` |
View the settings for an existing health check monitor. | `ibmcloud ks nlb-dns monitor get` | `GET /health/clusters/{idOrName}/host/{nlbHost}/config` |
Disable an existing health check monitor for a subdomain in a cluster. | `ibmcloud ks nlb-dns monitor disable` | `PUT /clusters/{idOrName}/health` |
Enable a health check monitor that you configured. | `ibmcloud ks nlb-dns monitor enable` | `PUT /clusters/{idOrName}/health` |
List the health check monitor settings for each NLB subdomain in a cluster. | `ibmcloud ks nlb-dns monitor ls` | `GET /health/clusters/{idOrName}/list` |
List the health check status of each IP address that is registered with an NLB subdomain in a cluster. | `ibmcloud ks nlb-dns monitor status` | `GET /health/clusters/{idOrName}/status` |
Create a webhook in a cluster. | `ibmcloud ks webhook-create` | `POST /v1/clusters/{idOrName}/webhooks` |
{: class="simple-tab-table"}
{: caption="Overview of permissions required for CLI commands and API calls in {{site.data.keyword.containerlong_notm}}." caption-side="top"}
{: #accessreftabtableedit}
{: tab-title="Editor"}
{: tab-group="access-ref-iam-platform"}
Action | CLI command | API call |
---|---|---|
Beta: Deploy or update a certificate from your {{site.data.keyword.cloudcerts_long_notm}} instance to an ALB. | `ibmcloud ks alb cert deploy` | `POST /albsecrets` or `PUT /albsecrets` |
Beta: View details for an ALB secret in a cluster. | `ibmcloud ks alb cert get` | `GET /clusters/{idOrName}/albsecrets` |
Beta: Remove an ALB secret from a cluster. | `ibmcloud ks alb cert rm` | `DELETE /clusters/{idOrName}/albsecrets` |
List all ALB secrets in a cluster. | `ibmcloud ks alb cert ls` | - |
Set the API key for the {{site.data.keyword.cloud_notm}} account to access the linked IBM Cloud infrastructure portfolio. | `ibmcloud ks api-key reset` | `POST /v1/keys` |
Disable a managed add-on, such as Istio or Knative, in a cluster. | `ibmcloud ks cluster addon disable` | `PATCH /v1/clusters/{idOrName}/addons` |
Enable a managed add-on, such as Istio or Knative, in a cluster. | `ibmcloud ks cluster addon enable` | `PATCH /v1/clusters/{idOrName}/addons` |
List managed add-ons, such as Istio or Knative, that are enabled in a cluster. | `ibmcloud ks cluster addons` | `GET /v1/clusters/{idOrName}/addons` |
Create a free or standard cluster on classic infrastructure. Note: The Administrator platform role for {{site.data.keyword.registrylong_notm}} and the Super User infrastructure role are also required. | `ibmcloud ks cluster create classic` | `POST /v1/clusters` |
Create a classic cluster in your Virtual Private Cloud (VPC). Note: The Administrator platform role for VPC Infrastructure, the Administrator platform role for {{site.data.keyword.registrylong_notm}} at the account level, and the Writer or Manager service role for {{site.data.keyword.containerlong_notm}} are also required. | `ibmcloud ks cluster create vpc-classic` | `POST /v2/vpc/createCluster` |
Disable a specified feature for a cluster, such as the public service endpoint for the cluster master. | `ibmcloud ks cluster feature disable` | - |
Enable a specified feature for a cluster, such as the private service endpoint for the cluster master. | `ibmcloud ks cluster feature enable` | - |
Delete a cluster. | `ibmcloud ks cluster rm` | `DELETE /v1/clusters/{idOrName}` |
Set infrastructure credentials for the {{site.data.keyword.cloud_notm}} account to access a different IBM Cloud infrastructure portfolio. | `ibmcloud ks credential set` | `POST /v1/credentials` |
Remove infrastructure credentials for the {{site.data.keyword.cloud_notm}} account to access a different IBM Cloud infrastructure portfolio. | `ibmcloud ks credential unset` | `DELETE /v1/credentials` |
Beta: Encrypt Kubernetes secrets by using {{site.data.keyword.keymanagementservicefull}}. | `ibmcloud ks key-protect-enable` | `POST /v1/clusters/{idOrName}/kms` |
Disable automatic updates for the Fluentd cluster add-on. | `ibmcloud ks logging autoupdate disable` | `PUT /v1/logging/{idOrName}/updatepolicy` |
Enable automatic updates for the Fluentd cluster add-on. | `ibmcloud ks logging autoupdate enable` | `PUT /v1/logging/{idOrName}/updatepolicy` |
Collect a snapshot of API server logs in an {{site.data.keyword.cos_full_notm}} bucket. | `ibmcloud ks logging collect` | `POST /v1/log-collector/{idOrName}/masterlogs` |
See the status of the API server logs snapshot request. | `ibmcloud ks logging collect-status` | `GET /v1/log-collector/{idOrName}/masterlogs` |
Create a log forwarding configuration for the kube-audit log source. | `ibmcloud ks logging config create` | `POST /v1/logging/{idOrName}/loggingconfig/{logSource}` |
Delete a log forwarding configuration for the kube-audit log source. | `ibmcloud ks logging config rm` | `DELETE /v1/logging/{idOrName}/loggingconfig/{logSource}/{id}` |
{: class="simple-tab-table"}
{: caption="Overview of permissions required for CLI commands and API calls in {{site.data.keyword.containerlong_notm}}." caption-side="top"}
{: #accessreftabtableadmin}
{: tab-title="Administrator"}
{: tab-group="access-ref-iam-platform"}
{: #service}
Every user who is assigned an {{site.data.keyword.cloud_notm}} IAM service access role is also automatically assigned a corresponding Kubernetes role-based access control (RBAC) role in a specific namespace. To learn more about service access roles, see {{site.data.keyword.cloud_notm}} IAM service roles. Do not assign {{site.data.keyword.cloud_notm}} IAM platform roles at the same time as a service role. You must assign platform and service roles separately.
{: shortdesc}
Looking for which Kubernetes actions each service role grants through RBAC? See Kubernetes resource permissions per RBAC role. To learn more about RBAC roles, see Assigning RBAC permissions and Extending existing permissions by aggregating cluster roles.
{: tip}
The following table shows the Kubernetes resource permissions that are granted by each service role and its corresponding RBAC role.
Service role | Corresponding RBAC role, binding, and scope | Kubernetes resource permissions |
---|---|---|
Reader role | When scoped to one namespace: `view` cluster role applied by the `ibm-view` role binding in that namespace. When scoped to all namespaces: `view` cluster role applied by the `ibm-view` role binding in each namespace of the cluster. | |
Writer role | When scoped to one namespace: `edit` cluster role applied by the `ibm-edit` role binding in that namespace. When scoped to all namespaces: `edit` cluster role applied by the `ibm-edit` role binding in each namespace of the cluster. | |
Manager role | When scoped to one namespace: `admin` cluster role applied by the `ibm-operate` role binding in that namespace. When scoped to all namespaces: `cluster-admin` cluster role applied by the `ibm-admin` cluster role binding that applies to all namespaces. | When scoped to one namespace: When scoped to all namespaces: |
Any service role | **OpenShift clusters only**: All users of an OpenShift cluster are given the `basic-users` and `self-provisioners` cluster roles as applied by the `basic-users` and `self-provisioners` cluster role bindings. | |
{: #rbac_ref}
Every user who is assigned an {{site.data.keyword.cloud_notm}} IAM service access role is also automatically assigned a corresponding, predefined Kubernetes role-based access control (RBAC) role. If you plan to manage your own custom Kubernetes RBAC roles, see Creating custom RBAC permissions for users, groups, or service accounts.
{: shortdesc}
Wondering if you have the correct permissions to run a certain `kubectl` command on a resource in a namespace? Try the `kubectl auth can-i` command.
{: tip}
The following table shows the permissions that are granted by each RBAC role to individual Kubernetes resources. Permissions are shown as which verbs a user with that role can complete against the resource, such as "get", "list", "describe", "create", or "delete".
Kubernetes resource | view | edit | admin and cluster-admin |
---|---|---|---|
bindings | get, list, watch | get, list, watch | get, list, watch. **cluster-admin only:** create, delete, update |
configmaps | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
cronjobs.batch | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
daemonsets.apps | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
daemonsets.extensions | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
deployments.apps | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
deployments.apps/rollback | - | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
deployments.apps/scale | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
deployments.extensions | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
deployments.extensions/rollback | - | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
deployments.extensions/scale | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
endpoints | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
events | get, list, watch | get, list, watch | get, list, watch |
horizontalpodautoscalers.autoscaling | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
ingresses.extensions | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
jobs.batch | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
limitranges | get, list, watch | get, list, watch | get, list, watch |
localsubjectaccessreviews | - | - | create |
namespaces | get, list, watch | get, list, watch | get, list, watch. **cluster-admin only:** create, delete |
namespaces/status | get, list, watch | get, list, watch | get, list, watch |
networkpolicies | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
networkpolicies.extensions | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
node | None | None | `admin` scoped to a namespace: None. `cluster-admin` for all namespaces: All verbs |
persistentvolumeclaims | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
poddisruptionbudgets.policy | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
pods | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, top, patch, update, watch |
pods/attach | - | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
pods/exec | - | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
pods/log | get, list, watch | get, list, watch | get, list, watch |
pods/portforward | - | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
pods/proxy | - | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
pods/status | get, list, watch | get, list, watch | get, list, watch |
replicasets.apps | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
replicasets.apps/scale | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
replicasets.extensions | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
replicasets.extensions/scale | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
replicationcontrollers | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
replicationcontrollers/scale | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
replicationcontrollers/status | get, list, watch | get, list, watch | get, list, watch |
replicationcontrollers.extensions/scale | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
resourcequotas | get, list, watch | get, list, watch | get, list, watch |
resourcequotas/status | get, list, watch | get, list, watch | get, list, watch |
rolebindings | - | - | create, delete, deletecollection, get, list, patch, update, watch |
roles | - | - | create, delete, deletecollection, get, list, patch, update, watch |
secrets | - | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
serviceaccounts | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch, impersonate | create, delete, deletecollection, get, list, patch, update, watch, impersonate |
services | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
services/proxy | - | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
statefulsets.apps | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
statefulsets.apps/scale | get, list, watch | create, delete, deletecollection, get, list, patch, update, watch | create, delete, deletecollection, get, list, patch, update, watch |
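As an added example (not code from the IBM Cloud documentation), the following Python encodes a subset of the RBAC table above together with the service-role to RBAC-role mapping from the previous section, and returns the lowest role that covers the (resource, verb) pairs a user actually needs, while flagging sensitive verbs (secrets, pods/exec, rolebindings) that the role brings along unrequested; the resource subset and the sensitive list are my own choices.

```python
"""Least-privilege role lookup against the RBAC permissions table.

Added example, not code from the IBM Cloud docs. It encodes a subset of the
table (view / edit / admin-and-cluster-admin verb sets) plus the mapping
Reader -> view, Writer -> edit, Manager -> admin (one namespace) or
cluster-admin (all namespaces), and picks the lowest role that covers
every (resource, verb) a user needs.
"""
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

RO: FrozenSet[str] = frozenset({"get", "list", "watch"})
RW: FrozenSet[str] = RO | {"create", "delete", "deletecollection", "patch", "update"}
NONE: FrozenSet[str] = frozenset()

# Subset of the table: resource -> (view, edit, admin) verb sets.
# Verbs that only cluster-admin gets are kept separately in CLUSTER_ADMIN_ONLY.
RBAC_TABLE: Dict[str, Tuple[FrozenSet[str], FrozenSet[str], FrozenSet[str]]] = {
    "bindings": (RO, RO, RO),
    "configmaps": (RO, RW, RW),
    "deployments.apps": (RO, RW, RW),
    "localsubjectaccessreviews": (NONE, NONE, frozenset({"create"})),
    "namespaces": (RO, RO, RO),
    "pods": (RO, RW, RW | {"top"}),
    "pods/exec": (NONE, RW, RW),
    "pods/log": (RO, RO, RO),
    "rolebindings": (NONE, NONE, RW),
    "roles": (NONE, NONE, RW),
    "secrets": (NONE, RW, RW),
    "serviceaccounts": (RO, RW | {"impersonate"}, RW | {"impersonate"}),
}
CLUSTER_ADMIN_ONLY: Dict[str, FrozenSet[str]] = {
    "bindings": frozenset({"create", "delete", "update"}),
    "namespaces": frozenset({"create", "delete"}),
}

# RBAC roles in ascending privilege, and the IAM service role that grants each.
ROLE_ORDER = ("view", "edit", "admin", "cluster-admin")
IAM_SERVICE_ROLE = {
    "view": "Reader",
    "edit": "Writer",
    "admin": "Manager scoped to one namespace",
    "cluster-admin": "Manager scoped to all namespaces",
}

# Capabilities worth flagging when a role grants them without being asked for.
# This list is my own choice (assumption), not something the page defines.
SENSITIVE = ("secrets", "pods/exec", "rolebindings")


def verbs_for(role: str, resource: str) -> FrozenSet[str]:
    """Verbs the given RBAC role has on a resource, per the encoded table."""
    if resource not in RBAC_TABLE:
        raise KeyError(f"{resource} is not in the encoded table subset")
    view, edit, admin = RBAC_TABLE[resource]
    if role == "view":
        return view
    if role == "edit":
        return edit
    if role == "admin":
        return admin
    if role == "cluster-admin":
        return admin | CLUSTER_ADMIN_ONLY.get(resource, NONE)
    raise ValueError(f"unknown RBAC role {role!r}")


def minimum_role(needed: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Lowest role that covers every (resource, verb) pair, or None if none does."""
    needed = list(needed)
    for role in ROLE_ORDER:
        if all(verb in verbs_for(role, res) for res, verb in needed):
            return role
    return None


def unrequested_sensitive(role: str, needed: Iterable[Tuple[str, str]]) -> List[str]:
    """Sensitive verbs the chosen role grants beyond what was asked for.

    For example, edit brings secrets and pods/exec even when the request
    only mentioned deployments and pod logs."""
    asked = set(needed)
    out: List[str] = []
    for res in SENSITIVE:
        for verb in sorted(verbs_for(role, res)):
            if (res, verb) not in asked:
                out.append(f"{res}:{verb}")
    return out


def recommend(needed: Iterable[Tuple[str, str]]) -> dict:
    """Map needed (resource, verb) pairs to the IAM service role to assign."""
    needed = list(needed)
    role = minimum_role(needed)
    return {
        "rbac_role": role,
        "iam_service_role": IAM_SERVICE_ROLE.get(role) if role else None,
        "unrequested_sensitive": unrequested_sensitive(role, needed) if role else [],
    }


if __name__ == "__main__":
    # A developer who deploys and reads logs: edit/Writer, plus what comes with it.
    print(recommend([("deployments.apps", "create"), ("pods/log", "get")]))
    # An auditor who only reads: view/Reader, with nothing sensitive attached.
    print(recommend([("pods", "list"), ("configmaps", "get")]))
```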
{: #cloud-foundry}
Cloud Foundry roles grant access to organizations and spaces within the account. To see the list of Cloud Foundry-based services in {{site.data.keyword.cloud_notm}}, run `ibmcloud service list`. To learn more, see all available org and space roles or the steps for managing Cloud Foundry access in the {{site.data.keyword.cloud_notm}} IAM documentation.
{: shortdesc}
The following table shows the Cloud Foundry roles that are required for cluster action permissions.
Cloud Foundry role | Cluster management permissions |
---|---|
Space role: Manager | Manage user access to an {{site.data.keyword.cloud_notm}} space |
Space role: Developer | |
{: #infra}
A user with the Super User infrastructure access role sets the API key for a region and resource group so that infrastructure actions can be performed (or, more rarely, manually sets different account credentials). Then, the infrastructure actions that other users in the account can perform are authorized through {{site.data.keyword.cloud_notm}} IAM platform roles. You do not need to edit the other users' classic infrastructure permissions. Use the following table to customize users' classic infrastructure permissions only when you can't assign Super User to the user who sets the API key. For instructions to assign permissions, see Customizing infrastructure permissions.
{: shortdesc}
Classic infrastructure permissions apply only to classic clusters. For VPC clusters, see Assigning role-based access to VPC resources.
{: note}
Need to check that the API key or manually set credentials have the required and suggested infrastructure permissions? Use the `ibmcloud ks infra-permissions get` command.
{: tip}
The following table shows the classic infrastructure permissions that the credentials for a region and resource group can have for creating clusters and other common use cases. The description includes how you can assign the permission in the {{site.data.keyword.cloud_notm}} IAM Classic infrastructure console or with the `ibmcloud sl` command. For more information, see the instructions for the console or CLI.
- Create clusters: Classic infrastructure permissions that you must have to create a cluster. When you run `ibmcloud ks infra-permissions get`, these permissions are listed as Required.
- Other common use cases: Classic infrastructure permissions that you must have for other common scenarios. Even if you have permission to create a cluster, some limitations might apply. For example, you might not be able to create or work with a cluster with bare metal worker nodes or a public IP address. After cluster creation, further steps to add networking or storage resources might fail. When you run `ibmcloud ks infra-permissions get`, these permissions are listed as Suggested.
Permission | Description | IAM Assign Policy Console | CLI |
---|---|---|---|
IPMI Remote Management | Manage worker nodes. | Classic infrastructure > Permissions > Devices | |
Add Server | Add worker nodes. Note: For worker nodes that have public IP addresses, you also need the Add Compute with Public Network Port permission in the Network category. | Add Server: Classic infrastructure > Permissions > Account. Add Compute with Public Network Port: Classic infrastructure > Permissions > Network | Add Server: |
Cancel Server | Delete worker nodes. | Classic infrastructure > Permissions > Account | |
OS Reloads and Rescue Kernel | Update, reboot, and reload worker nodes. | Classic infrastructure > Permissions > Devices | |
View Virtual Server Details | Required if the cluster has VM worker nodes. List and get details of VM worker nodes. | Classic infrastructure > Permissions > Devices | |
View Hardware Details | Required if the cluster has bare metal worker nodes. List and get details of bare metal worker nodes. | Classic infrastructure > Permissions > Devices | |
Add Support Case | As part of the cluster creation automation, support cases are opened to provision the cluster infrastructure. | Assign access to account management services > Support Center > Administrator | |
Edit Support Case | As part of the cluster creation automation, support cases are updated to provision the cluster infrastructure. | Assign access to account management services > Support Center > Administrator | |
View Support Case | As part of the cluster creation automation, support cases are used to provision the cluster infrastructure. | Assign access to account management services > Support Center > Administrator | |
{: class="simple-tab-table"}
{: caption="Required classic infrastructure permissions" caption-side="top"}
{: #classic-permissions-required}
{: tab-title="Create clusters"}
{: tab-group="Classic infrastructure permissions"}
Permission | Description | IAM Assign Policy Console | CLI |
---|---|---|---|
Access All Virtual | Designate access to all VM worker nodes. Without this permission, a user who creates one cluster might not be able to view the VM worker nodes of another cluster, even if the user has IAM access to both clusters. | Classic infrastructure > Devices > Check All virtual servers and Auto virtual server access | |
Access All Hardware | Designate access to all bare metal worker nodes. Without this permission, a user who creates one cluster might not be able to view the bare metal worker nodes of another cluster, even if the user has IAM access to both clusters. | Classic infrastructure > Devices > Check All virtual servers and Auto virtual server access | |
Add Compute with Public Network Port | Let worker nodes have a port that can be accessible on the public network. | Classic infrastructure > Permissions > Network | |
Manage DNS | Set up public load balancer or Ingress networking to expose apps. | Classic infrastructure > Permissions > Services | |
Edit Hostname/Domain | Set up public load balancer or Ingress networking to expose apps. | Classic infrastructure > Permissions > Devices | |
Add IP Addresses | Add IP addresses to public or private subnets that are used for cluster load balancing. | Classic infrastructure > Permissions > Network | |
Manage Network Subnet Routes | Manage public and private VLANs and subnets that are used for cluster load balancing. | Classic infrastructure > Permissions > Network | |
Manage Port Control | Manage ports that are used for app load balancing. | Classic infrastructure > Permissions > Devices | |
Manage Certificates (SSL) | Set up certificates that are used for cluster load balancing. | Classic infrastructure > Permissions > Services | |
View Certificates (SSL) | Set up certificates that are used for cluster load balancing. | Classic infrastructure > Permissions > Services | |
Add/Upgrade Storage (StorageLayer) | Create {{site.data.keyword.cloud_notm}} File or Block storage instances to attach as volumes to your apps for persistent storage of data. | Classic infrastructure > Permissions > Account | |
Storage Manage | Manage {{site.data.keyword.cloud_notm}} File or Block storage instances that are attached as volumes to your apps for persistent storage of data. | Classic infrastructure > Permissions > Services | |
{: class="simple-tab-table"}
{: caption="Suggested classic infrastructure permissions" caption-side="top"}
{: #classic-permissions-suggested}
{: tab-title="Other common use cases"}
{: tab-group="Classic infrastructure permissions"}