Required Helm Role Access Permissions

The user account that deploys MATRIXX has specific Helm role requirements.

The following Helm role access permissions are required for the deployer user in the matrixx namespace:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: matrixx
  name: deployer
rules:
  # Core/Apps/Matrixx
  - apiGroups:
      - ""
      - extensions
      - apps
      - batch
      - matrixx.com
    resources:
      - deployments
      - deployments.apps
      - deployments/scale
      - statefulsets
      - statefulsets.apps
      - pods
      - pods/status
      - pods/exec
      - jobs
      - services
      - endpoints
      - configmaps
      - serviceaccounts
      - secrets
      - persistentvolumeclaims
      - mtxengines
      - mtxsubdomains
      - mtxsubdomains/finalizers
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete

  # Networking
  - apiGroups:
      - extensions
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete

  # Security
  - apiGroups:
      - "rbac.authorization.k8s.io"
    resources:
      - roles
      - rolebindings
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete

  # Monitoring
  - apiGroups:
      - "monitoring.coreos.com"
    resources:
      - servicemonitors
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete

  # Kopf Operator
  - apiGroups:
      - zalando.org
      - ""
      - "events.k8s.io"
    resources:
      - kopfpeerings
      - events
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployer
  namespace: matrixx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deployer
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: deployer
    namespace: matrixx
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployer
rules:
  # Persistent Volumes
  - apiGroups:
      - ""
      - extensions
      - apps
    resources:
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  # CRDs
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: deployer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: deployer
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: deployer
    namespace: matrixx

For information about the roles that Helm creates and assigns to service accounts, see the discussion about role-based access control (RBAC) in MATRIXX Configuration.
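The following is an added audit script, not part of the MATRIXX documentation or product, that works from a constructed excerpt of the deployer Role above: it expands the rules into the individual grants RBAC actually evaluates, flags the grants a reviewer should justify or narrow, and builds the kubectl auth can-i commands a cluster administrator can run before the first Helm install to confirm the RoleBinding took effect. The SENSITIVE list, the excerpt and the command format are this example's own assumptions.

```python
"""Expand the deployer Role into the grants RBAC evaluates, flag the risky ones, emit pre-flight checks."""
from itertools import product

# Constructed excerpt of the Role rules shown above, as Python dicts (no YAML library needed).
DEPLOYER_RULES = [
    {"apiGroups": ["", "apps", "batch", "matrixx.com"],
     "resources": ["deployments", "pods", "pods/exec", "secrets",
                   "configmaps", "serviceaccounts", "mtxengines"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["roles", "rolebindings"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
]
# Assumed review list: grants a reviewer should justify or narrow (e.g. with resourceNames).
SENSITIVE = {
    ("", "secrets", "get"): "reads any Secret in the namespace",
    ("", "secrets", "list"): "reads every Secret in the namespace",
    ("", "pods/exec", "create"): "runs commands inside any pod in the namespace",
    ("rbac.authorization.k8s.io", "roles", "create"):
        "creates Roles (escalation prevention limits them to grants it already holds)",
    ("rbac.authorization.k8s.io", "rolebindings", "create"):
        "creates RoleBindings (only to Roles whose grants it already holds)",
}

def expand(rules):
    """RBAC evaluates each rule as apiGroups x resources x verbs, so a rule listing several
    groups also yields combinations that do not exist (e.g. batch/secrets): harmless, but visible."""
    grants = set()
    for rule in rules:
        grants.update(product(rule["apiGroups"], rule["resources"], rule["verbs"]))
    return grants

def flag_sensitive(grants):
    """Return the subset of grants listed in SENSITIVE, keyed to the reason."""
    return {g: SENSITIVE[g] for g in grants if g in SENSITIVE}

def can_i_commands(grants, user="deployer", namespace="matrixx"):
    """Build 'kubectl auth can-i' checks for the grants; an administrator with impersonation
    rights runs them before the first Helm install to confirm the RoleBinding is effective."""
    cmds = []
    for group, resource, verb in sorted(grants):
        target = resource if group == "" else f"{resource}.{group}"
        cmds.append(f"kubectl auth can-i {verb} {target} --as={user} --namespace={namespace}")
    return cmds

if __name__ == "__main__":
    grants = expand(DEPLOYER_RULES)
    for grant, reason in sorted(flag_sensitive(grants).items()):
        print("REVIEW", grant, reason)
    print("\n".join(can_i_commands(flag_sensitive(grants))))
```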