Roles and permissions created in AWS RBAC

This page lists the RBAC service accounts, with their roles and permissions, that are created when deploying to the Kubernetes cluster. For more information, see Adding an AWS user to a Kubernetes cluster’s RBAC configuration and Using RBAC Authorization.

The service accounts are listed below:

rabbitmq

Bound to role

endpoint-reader

API groups

  • none

    • endpoints (get)

xebialabs-nfs-client-provisioner

Bound to role

xebialabs-leader-locking-nfs-client-provisioner

API groups

  • none

    • endpoints (get,list,watch,create,update,patch)

Bound to cluster role

xebialabs-nfs-client-provisioner-runner

API groups

  • none

    • persistentvolumes (get,list,watch,create,delete)
    • persistentvolumeclaims (get,list,watch,update)
    • events (create,update,patch)
  • storage.k8s.io

    • storageclasses (get,list,watch)

haproxy-ingress-serviceaccount

Bound to role

ingress-controller

API groups

  • none

    • configmaps (get)
    • pods (get)
    • secrets (get)
    • namespaces (get)
    • configmaps (get,update)
    • configmaps (create)

Bound to cluster role

xebialabs-ingress-controller

API groups

  • none

    • configmaps (list,watch)
    • endpoints (list,watch)
    • nodes (list,watch)
    • pods (list,watch)
    • secrets (list,watch)
    • nodes (get)
    • services (get,list,watch)
    • events (create,patch)
  • extensions

    • ingresses (get,list,watch)

efs-provisioner

Bound to cluster role

xebialabs-efs-provisioner

API groups

  • none

    • persistentvolumes (get,list,watch,create,delete)
    • persistentvolumeclaims (get,list,watch,update)
    • events (create,update,patch,list,get)
  • storage.k8s.io

    • storageclasses (get,list,watch)

prometheus

Bound to cluster role

xebialabs-prometheus

API groups

  • none

    • nodes (get, list, watch)
    • services (get, list, watch)
    • endpoints (get, list, watch)
    • pods (get, list, watch)
    • nodes/proxy (get, list, watch)
    • configmaps (get)

fluentd-es

Bound to cluster role

xebialabs-fluentd-es

API groups

  • none

    • namespaces (get,watch,list)
    • pods (get,watch,list)

elasticsearch-logging

Bound to cluster role

xebialabs-elasticsearch-logging

API groups

  • none

    • services (get)
    • namespaces (get)
    • endpoints (get)

kube-state-metrics

Bound to cluster role

xebialabs-kube-state-metrics

API groups

  • none

    • configmaps (list, watch)
    • secrets (list, watch)
    • nodes (list, watch)
    • pods (list, watch)
    • services (list, watch)
    • resourcequotas (list, watch)
    • replicationcontrollers (list, watch)
    • limitranges (list, watch)
    • persistentvolumeclaims (list, watch)
    • persistentvolumes (list, watch)
    • namespaces (list, watch)
    • endpoints (list, watch)
  • extensions

    • daemonsets (list, watch)
    • deployments (list, watch)
    • replicasets (list, watch)
    • ingresses (list, watch)
  • apps

    • daemonsets (list, watch)
    • deployments (list, watch)
    • replicasets (list, watch)
    • statefulsets (list, watch)
  • batch

    • cronjobs (list, watch)
    • jobs (list, watch)
  • autoscaling

    • horizontalpodautoscalers (list, watch)
  • policy

    • poddisruptionbudgets (list, watch)