Prerequisites Kubernetes Permissions

Kubernetes Permissions

Overview

The xDP Dataplane uses an automatic deployment model. The Acceldata deployer must be configured in the target Kubernetes cluster before proceeding. The user initiating the deployment needs the minimum permissions described below.

Required User Permissions

ClusterRole

YAML
    
xxxxxxxxxx
 
apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:  name: cluster-resource-managerrules:  - apiGroups: ["rbac.authorization.k8s.io"]    resources: ["clusterroles"]    verbs: ["get", "list", "watch", "update", "patch", "create", "delete", "bind", "escalate"]  - apiGroups: ["rbac.authorization.k8s.io"]    resources: ["clusterrolebindings"]    verbs: ["get", "list", "watch", "update", "patch", "create", "delete"]  - apiGroups: ["apiextensions.k8s.io"]    resources: ["customresourcedefinitions"]    verbs: ["*"]
Copy

Namespace Role

Replace <YOUR_NAMESPACE> with the target deployment namespace.

YAML
    
xxxxxxxxxx
 
apiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata:  name: resource-manager  namespace: <YOUR_NAMESPACE>rules:  - apiGroups: ["*"]    resources: ["*"]    verbs: ["*"]
Copy

Automated Service Account Configuration

When the user has the permissions above, the deployment init script automatically creates the following roles. These are granted to the Helm wrapper deployer to enable application chart installation and management.

ClusterRole: `helm-wrapper-<KUBERNETES_NAMESPACE>`

Scope: Cluster-wide

YAML
    
xxxxxxxxxx
 
apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:  name: helm-wrapper-<KUBERNETES_NAMESPACE>rules:  - apiGroups: ["rbac.authorization.k8s.io"]    resources: ["clusterroles"]    verbs: ["get", "list", "watch", "update", "patch", "create", "delete", "bind", "escalate"]  - apiGroups: ["rbac.authorization.k8s.io"]    resources: ["clusterrolebindings"]    verbs: ["get", "list", "watch", "update", "patch", "create", "delete"]  - apiGroups: ["apiextensions.k8s.io"]    resources: ["customresourcedefinitions"]    verbs: ["*"]
Copy

Capabilities:

Full management of CustomResourceDefinitions (CRDs)
Create, modify, and bind ClusterRoles and ClusterRoleBindings

Role: `helm-wrapper-namespace-admin`

Scope: Namespaced (target namespace only)

YAML
    
xxxxxxxxxx
 
apiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata:  name: helm-wrapper-namespace-adminrules:  - apiGroups: ["*"]    resources: ["*"]    verbs: ["*"]
Copy

Capabilities:

Full administrative access to all API groups and resources within the namespace
Create, modify, and delete all namespaced resources including deployments, services, configmaps, secrets, roles, and role bindings

Purpose

These permissions enable the deployer to:

Install application Helm charts that define or depend on CRDs
Apply cluster-level RBAC configurations as required
Fully manage application components and permissions within the deployment namespace

The deployer operates independently within the target namespace while holding limited cluster-level capabilities for CRDs and RBAC.

Last updated on

Was this page helpful?