To successfully run rtfctl commands, you must understand and enable specific role permissions over Kubernetes resources.
The following table lists the permissions that you configure using Kubernetes (K8s) role-based access control (RBAC):
rtfctl Command | Namespace | API Groups | Kubernetes Resources | Verbs |
---|---|---|---|---|
|
rtf |
configmaps |
create, get, patch, update |
|
pods |
deletecollection |
|||
<app-namespace> |
secrets |
get, list, watch |
||
namespaces |
get, list, watch |
|||
secrets |
create, get, patch, update |
|||
|
rtf |
configmaps, secrets |
get |
|
|
rtf |
configmaps, secrets |
get |
|
apps |
daemonsets, deployments |
get, list, watch |
||
|
rtf |
configmaps, pods/log |
get |
|
pods |
get, list, watch |
|||
secrets |
create, get |
|||
serviceaccounts |
create |
|||
batch |
jobs |
create, get |
||
namespaces |
create |
|||
rbac.authorization.k8s.io |
clusterrolebindings, clusterroles |
create |
||
|
configmaps, namespaces, secrets, serviceaccounts, services |
get, list, watch |
||
apiextensions.k8s.io |
customresourcedefinitions |
get |
||
apps |
daemonsets, deployments |
get, list, watch |
||
batch |
cronjobs |
get, list, watch |
||
networking.k8s.io |
ingresses |
get, list, watch |
||
rbac.authorization.k8s.io |
clusterrolebindings, clusterroles, rolebindings, roles |
get, list, watch |
||
rtf.mulesoft.com |
persistencegateways |
get, list, watch |
||
scheduling.k8s.io |
priorityclasses |
get |
||
|
rtf |
apps |
daemonsets |
create, get, patch, update |
batch |
cronjobs |
create, get, patch, update |
||
rtf.mulesoft.com |
persistencegateways |
get, list, watch |
||
configmaps, namespaces, secrets, serviceaccounts, services |
create, get, patch, update |
|||
apiextensions.k8s.io |
customresourcedefinitions |
get, patch, update |
||
apps |
deployments |
create, get, patch, update |
||
networking.k8s.io |
ingresses |
create, get, patch, update |
||
rbac.authorization.k8s.io |
clusterrolebindings, clusterroles |
create, get, patch, update |
||
scheduling.k8s.io |
priorityclasses |
create, get, patch, update |
||
|
rtf |
configmaps |
get |
|
pods |
deletecollection |
|||
secrets |
delete, get |
|||
batch |
jobs |
delete |
||
rtf-validate |
namespaces |
delete, get |
||
pods/log |
get |
|||
secrets, serviceaccounts |
create |
|||
batch |
jobs |
create, get |
||
namespaces |
create |
|||
nodes, pods |
get, list, watch |
|||
authorization.k8s.io |
selfsubjectaccessreviews |
create |
||
rbac.authorization.k8s.io |
clusterrolebindings, clusterroles |
create, delete |
||
|
rtf |
configmaps, secrets |
get |
|
|
<app-namespace> |
pods |
get, list, watch |
|
secrets |
get, list, patch, update, watch |
|||
rtf |
configmaps, secrets |
get |
||
|
<app-namespace> |
pods |
get, list, watch |
|
rtf |
configmaps, secrets |
get |
||
apps |
deployments |
get, list, watch |
||
|
<app-namespace> |
pods |
get, list, watch |
|
pods/exec |
create |
|||
rtf |
configmaps, secrets |
get |
||
|
<app-namespace> |
pods |
get, list, watch |
|
pods/exec |
create |
|||
rtf |
configmaps, secrets |
get |
||
|
<app-namespace> |
pods |
get, list, watch |
|
pods/exec |
create |
|||
rtf |
configmaps, secrets |
get |
||
|
<app-namespace> |
pods |
delete, get, list, watch |
|
rtf |
configmaps, secrets |
get |
||
|
<app-namespace> |
pods |
get, list, watch |
|
pods/exec |
create |
|||
rtf |
configmaps, secrets |
get |
||
|
<app-namespace> |
secrets |
get, list, watch |
|
pods/exec |
create |
|||
rtf |
configmaps, secrets |
get |
||
|
<app-namespace> |
secrets |
get, list, watch |
|
rtf |
configmaps, secrets |
get |
||
apps |
deployments |
get, list, watch |
||
|
rtf |
configmaps, limitranges, resourcequotas, secrets, serviceaccounts, services |
get, list, watch |
|
endpoints, pods/log |
get |
|||
apps |
daemonsets, deployments, replicasets |
get, list, watch |
||
batch |
cronjobs |
get, list, watch |
||
batch |
jobs |
create, delete, get, list, watch |
||
networking.k8s.io |
ingresses |
get, list, watch |
||
rbac.authorization.k8s.io |
rolebindings, roles |
get, list, watch |
||
rtf.mulesoft.com |
persistencegateways |
get, list, watch |
||
kube-node-lease |
coordination.k8s.io |
leases |
get |
|
events, namespaces, nodes, pods |
get, list, watch |
|||
|
rtf |
configmaps, pods/log, secrets |
get |
|
pods |
create, delete, get, list, watch |
|||
batch |
jobs |
create, delete, get |
||
|
rtf |
configmaps, pods/log, secrets |
get |
|
pods |
create, delete, get, list, watch |
|||
batch |
jobs |
create, delete, get |
||
nodes |
get, list, watch |
- Namespace: Permissions can be role-based or cluster role-based:
  - Role-based: the namespace can be rtf, <app-namespace>, rtf-validate, or kube-node-lease.
  - Cluster role-based: because it applies to the entire cluster, the namespace field doesn’t exist and is blank in the table.
- apiGroups: The API group for the K8s resources. When you create a role, each K8s resource declares its API group or uses the core API group if not specified. Refer to API groups for details.
- Kubernetes Resource: Type of Kubernetes resources, for example, pods, services, or secrets, to which the permissions apply.
- Verbs: Actions that are allowed on the specified Kubernetes resources.
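
The following Python example is added here and is not part of rtfctl or the original page. It checks a Role's rules against the permissions that one row group of the table lists for `<app-namespace>` (pods: get, list, watch; pods/exec: create) and reports missing, excess, and wildcard grants. `REQUIRED`, `SAMPLE_RULES`, `expand`, and `audit` are hypothetical names, the sample rules are constructed, and wildcard handling is simplified so that `*` matches any value.

```python
from itertools import product

CORE = ""  # the core API group is written as "" in a Role manifest

# Required (apiGroup, resource, verb) triples taken from one row group of the
# table, scoped to <app-namespace>. A blank API Groups cell means the core group.
REQUIRED = {
    (CORE, "pods", "get"), (CORE, "pods", "list"), (CORE, "pods", "watch"),
    (CORE, "pods/exec", "create"),
}

# Constructed sample rules in the RBAC PolicyRule shape (not from the page):
# they over-grant on pods and secrets and omit pods/exec.
SAMPLE_RULES = [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["get", "list", "watch", "delete"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]},
]


def expand(rules):
    """Flatten PolicyRules into (apiGroup, resource, verb) triples; '*' is kept."""
    return {t for r in rules
            for t in product(r["apiGroups"], r["resources"], r["verbs"])}


def _matches(grant, need):
    # Simplification (assumption): '*' in any position matches any value.
    return all(g == "*" or g == n for g, n in zip(grant, need))


def audit(rules, required):
    """Compare granted triples with the required set from the table."""
    grants = expand(rules)
    missing = {n for n in required
               if not any(_matches(g, n) for g in grants)}
    excess = {g for g in grants
              if not any(_matches(g, n) for n in required)}
    wildcards = {g for g in grants if "*" in g}
    return {"missing": sorted(missing),
            "excess": sorted(excess),
            "wildcards": sorted(wildcards)}


if __name__ == "__main__":
    for kind, triples in audit(SAMPLE_RULES, REQUIRED).items():
        print(kind, triples)
```
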