Karmada Component Permissions

This document provides a detailed explanation of the resources each Karmada component needs to access and the reasons for these accesses. It will help administrators understand and configure the RBAC permissions needed for Karmada components effectively, ensuring that the system operates securely and efficiently. The installation tools maintained by the community are designed with security in mind. These tools use Role-Based Access Control (RBAC) to manage access to components, ensuring they only have access to the resources they require. By adhering to the principle of least privilege, these tools minimize potential security risks and prevent unauthorized access or actions within the system.

karmada-operator

Introduction:

The Karmada operator is a method for installing, upgrading, and deleting Karmada instances. It builds upon the basic Karmada resource and controller concepts and makes it convenient to centrally manage the entire lifecycle of Karmada instances in a global cluster.

Resources in Cluster Where karmada-operator is deployed

| Resource | API Group | Resource Names | Namespace | Verbs | Description |
|---|---|---|---|---|---|
| leases | coordination.k8s.io | | | get, create, update | Required for leader election |
| karmadas | operator.karmada.io | | | get, list, watch, update | To manage Karmada instances |
| karmadas/status | operator.karmada.io | | | update | To update the status subresource of Karmada instances |
| events | "" | | | create | Allows karmada-operator to record events in the Kubernetes API server |
| nodes | "" | | NA | list | To get Node IP |
| pods | "" | | | list | For pod health checks |
| namespaces | "" | | | get | To get information about namespaces, and deploy resources into specific namespaces |
| secrets | "" | | | get, create, update, delete | To manage secrets which might contain sensitive data like credentials |
| services | "" | | | get, create, update, delete | To manage services to expose applications within the cluster |
| statefulsets | "" | | | get, create, update, delete | To manage StatefulSets, e.g., etcd |
| deployments | apps | * | | get, create, update, delete | To manage Deployments, e.g., karmada-apiserver |

| Non-Resource URLs | Verbs | Description |
|---|---|---|
| /healthz | get | Used to check whether the Karmada API server is healthy. |

Resources in Karmada System

NONE.

karmada-agent

Introduction:

karmada-agent can register a specific cluster to the Karmada control plane and sync manifests from the Karmada control plane to the member cluster. In addition, it also syncs the status of the member cluster and of the manifests back to the Karmada control plane.

Resources in Cluster Where karmada-agent is deployed

| Resource | API Group | Resource Names | Namespace | Verbs | Description |
|---|---|---|---|---|---|
| * | | | | | karmada-agent acts as an administrator in member clusters |

| Non-Resource URLs | Verbs | Description |
|---|---|---|
| * | get | karmada-agent acts as an administrator in member clusters |

Resources in Karmada System

In the following table, {{cluster_name}} represents the name of the member cluster that has been registered by the karmada-agent, and {{cluster_namespace}} indicates the namespace where the Secret resource of the member cluster is deployed, which is karmada-cluster by default.

| Resource | API Group | Resource Names | Namespace | Verbs | Description |
|---|---|---|---|---|---|
| clusters | cluster.karmada.io | | NA | list, watch, create | Used to create clusters and listen for cluster status |
| clusters | cluster.karmada.io | {{cluster_name}} | NA | get, delete | To manage specific clusters |
| clusters/status | cluster.karmada.io | {{cluster_name}} | NA | update | Used to update the status of a specific cluster |
| resourceinterpreterwebhookconfigurations | config.karmada.io | | NA | get, list, watch | Used to get the resourceinterpreterwebhookconfigurations resource |
| resourceinterpretercustomizations | config.karmada.io | | NA | get, list, watch | Used to get the resourceinterpretercustomizations resource |
| namespaces | "" | | | get | Used to get namespaces |
| leases | coordination.k8s.io | | | get, create, update | Required for leader election |
| certificatesigningrequests | certificates.k8s.io | | NA | get, create | Obtaining and creating CSRs for karmada-agent's certificate rotation |
| services | "" | | | list, watch | Used to build the ClusterIPServiceResolver resource interpreter. |
| events | "" | | | create, patch, update | Allow karmada-agent to log events in the Karmada API server |
| secrets | "" | {{cluster_name}} | {{cluster_namespace}} | get, patch | For accessing and modifying specific secret resources |
| secrets | "" | | {{cluster_namespace}} | create | Used to create secret resources |
| works | work.karmada.io | | karmada-es-{{cluster_name}} | get, create, list, watch, update, delete | Used to create and manage work resources in a specific namespace |
| works/status | work.karmada.io | * | karmada-es-{{cluster_name}} | patch, update | Used to update the status of work in a specific namespace |
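The table above can be expressed directly as Kubernetes RBAC objects. The following manifests are an added illustration derived from the table, not Karmada's own installation manifests; they assume a member cluster named `member1`, the default `karmada-cluster` secret namespace, and made-up object names. Cluster-scoped resources go in a ClusterRole with `resourceNames` pinning `get`/`delete`/`update` to this agent's own Cluster object, while `works` and the cluster Secret are confined with namespaced Roles.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: karmada-agent-member1            # assumed name
rules:
  # resourceNames cannot constrain create/list/watch, which is why the
  # table has a separate unrestricted row for these verbs.
  - apiGroups: ["cluster.karmada.io"]
    resources: ["clusters"]
    verbs: ["list", "watch", "create"]
  # get/delete and status updates are limited to this agent's own Cluster.
  - apiGroups: ["cluster.karmada.io"]
    resources: ["clusters"]
    resourceNames: ["member1"]
    verbs: ["get", "delete"]
  - apiGroups: ["cluster.karmada.io"]
    resources: ["clusters/status"]
    resourceNames: ["member1"]
    verbs: ["update"]
---
# works live in karmada-es-member1, so a Role confines the agent to it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: karmada-agent-works              # assumed name
  namespace: karmada-es-member1
rules:
  - apiGroups: ["work.karmada.io"]
    resources: ["works"]
    verbs: ["get", "create", "list", "watch", "update", "delete"]
  - apiGroups: ["work.karmada.io"]
    resources: ["works/status"]
    verbs: ["patch", "update"]
---
# Secret access is limited to the cluster's own Secret in karmada-cluster;
# create cannot be name-restricted, hence the second rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: karmada-agent-secret             # assumed name
  namespace: karmada-cluster
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["member1"]
    verbs: ["get", "patch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
```

The remaining rows of the table (leases, events, services, namespaces, the config.karmada.io resources and CSRs) follow the same pattern, and each Role/ClusterRole still needs a binding to the agent's own identity before it takes effect.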

Other components

Permission information for more components to be added.