Required Helm Role Access Permissions
The user account that deploys MATRIXX Digital Commerce has specific Helm role requirements.
The following Helm role access permissions are required given a user deployer in the matrixx namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: matrixx
  name: deployer
rules:
  # Core/Apps/Matrixx
  - apiGroups:
      - ""
      - extensions
      - apps
      - batch
      - matrixx.com
    resources:
      - deployments
      - deployments.apps
      - deployments/scale
      - statefulsets
      - statefulsets.apps
      - pods
      - pods/status
      - pods/exec
      - jobs
      - services
      - endpoints
      - configmaps
      - serviceaccounts
      - secrets
      - persistentvolumeclaims
      - mtxengines
      - mtxtras
      - mtxsubdomains
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  # Networking
  - apiGroups:
      - extensions
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  # Security
  - apiGroups:
      - "rbac.authorization.k8s.io"
    resources:
      - roles
      - rolebindings
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  # Monitoring
  - apiGroups:
      - "monitoring.coreos.com"
    resources:
      - servicemonitors
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  # Kopf Operator
  - apiGroups:
      - zalando.org
      - ""
      - "events.k8s.io"
    resources:
      - kopfpeerings
      - events
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployer
  namespace: matrixx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deployer
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: deployer
    namespace: matrixx
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deployer
rules:
  # Persistent Volumes
  - apiGroups:
      - ""
      - extensions
      - apps
    resources:
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  # CRDs
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: deployer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: deployer
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: deployer
    namespace: matrixx
For information about the roles that Helm creates and assigns to service accounts, see the discussion about role based access control (RBAC).
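The following script is an added example, not part of the MATRIXX documentation or product. It audits the bindings above with kubectl auth can-i: it confirms a sample of the grants and checks that the namespaced Role does not apply outside matrixx. It assumes the manifests are applied, that the caller is allowed to impersonate users with --as, and it uses kube-system as an arbitrary namespace outside matrixx; the function names and the --run switch are illustrative.

```shell
#!/bin/sh
# Added example (not vendor code): audit the deployer bindings with `kubectl auth can-i`.
# Assumptions: manifests are applied; the caller may impersonate users (--as);
# kube-system is used as an arbitrary namespace outside matrixx.
KUBECTL="${KUBECTL:-kubectl}"
DEPLOY_USER="deployer"
DEPLOY_NS="matrixx"

# can_i VERB RESOURCE [NAMESPACE]: prints the API server's "yes" or "no".
can_i() {
    if [ -n "${3:-}" ]; then
        "$KUBECTL" auth can-i "$1" "$2" --as "$DEPLOY_USER" -n "$3" 2>/dev/null
    else
        "$KUBECTL" auth can-i "$1" "$2" --as "$DEPLOY_USER" 2>/dev/null
    fi
}

# expect WANT VERB RESOURCE [NAMESPACE]: count a failure when the answer differs.
expect() {
    want=$1 verb=$2 res=$3 ns=${4:-}
    got=$(can_i "$verb" "$res" "$ns" || true)
    [ "$got" = "yes" ] || got=no
    if [ "$got" = "$want" ]; then
        echo "ok    $verb $res ${ns:+-n $ns}"
    else
        echo "FAIL  $verb $res ${ns:+-n $ns} (want $want, got $got)"
        failures=$((failures + 1))
    fi
}

verify_deployer() {
    failures=0
    # Namespaced grants from the Role.
    for r in deployments.apps statefulsets.apps jobs.batch secrets \
             ingresses.networking.k8s.io rolebindings.rbac.authorization.k8s.io; do
        expect yes create "$r" "$DEPLOY_NS"
    done
    # Cluster-scoped grants from the ClusterRole.
    expect yes create persistentvolumes
    expect yes create customresourcedefinitions.apiextensions.k8s.io
    # Scope checks: nothing from the Role may apply outside matrixx.
    expect no get secrets kube-system
    expect no create rolebindings.rbac.authorization.k8s.io kube-system
    expect no create clusterrolebindings.rbac.authorization.k8s.io
    return "$failures"
}

# Run only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then verify_deployer; fi
```

The exit status of verify_deployer is the number of checks that did not match, so a non-zero status means either a missing grant or a grant that reaches beyond the matrixx namespace.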