Permissions required
These RBAC permissions are mandatory for the installation of the ARMO chart.
Cluster roles
| Name | apiGroups | Resources | Verbs |
|---|---|---|---|
| kollector | "pods", "namespaces", "cronjobs", "secrets", "nodes", "services" | - get - watch - list | |
| apps | "deployments", "statefulsets", "daemonsets", "replicasets" | - get - watch - list | |
| batch | "jobs", "cronjobs" | - get - watch - list | |
| kubescape | "pods", "pods/proxy", "namespaces", "secrets", "nodes", "configmaps", "services", "serviceaccounts", "endpoints", "persistentvolumeclaims", "limitranges", "replicationcontrollers", "podtemplates", "resourcequotas", "events" | - get - watch - list | |
| "namespaces" | - update | ||
| admissionregistration.k8s.io | "mutatingwebhookconfigurations", "validatingwebhookconfigurations" | - get - watch - list | |
| apiregistration.k8s.io | "apiservices" | - get - watch - list | |
| apps | "deployments", "statefulsets", "daemonsets", "replicasets", "controllerrevisions" | - get - watch - list | |
| autoscaling | "horizontalpodautoscalers" | - get - watch - list | |
| batch | "jobs", "cronjobs" | - get - watch - list | |
| coordination.k8s.io | "leases" | - get - watch - list | |
| discovery.k8s.io | "endpointslices" | - get - watch - list | |
| events.k8s.io | "events" | - get - watch - list | |
| hostdata.kubescape.cloud | "APIServerInfo", "ControlPlaneInfo" | - get - watch - list | |
| networking.k8s.io | "networkpolicies", "Ingress" | - get - watch - list | |
| policy | "poddisruptionbudgets", "podsecuritypolicies", "PodSecurityPolicy" | - get - watch - list | |
| rbac.authorization.k8s.io | "clusterroles", "clusterrolebindings", "roles", "rolebindings" | - get - watch - list | |
| storage.k8s.io | "csistoragecapacities" | - get - watch - list | |
| networking.k8s.io | "ingresses" | - get - watch - list | |
| extensions | "Ingress" | - get - watch - list | |
| spdx.softwarecomposition.kubescape.io | "workloadconfigurationscans", "workloadconfigurationscansummaries" | - create - update - patch | |
| kubevuln | spdx.softwarecomposition.kubescape.io | "vulnerabilitymanifests", "vulnerabilitymanifestsummaries", "sbomsummaries", "sbomspdxv2p3s" | - create - get - update - watch - list - patch |
| spdx.softwarecomposition.kubescape.io | "sbomspdxv2p3filtereds" | - get - watch - list | |
| node-agent | "pods", "nodes" | - get - watch - list | |
| "events" | - list - watch - create | ||
| apps | "deployments", "daemonsets", "statefulsets", "replicasets" | - get - watch - list | |
| batch | "jobs", "cronjobs" | - get - watch - list | |
| spdx.softwarecomposition.kubescape.io | "sbomspdxv2p3s", "sbomsummaries" | - get - watch - list | |
| spdx.softwarecomposition.kubescape.io | "sbomspdxv2p3filtereds", "applicationactivities", "applicationprofiles", "applicationprofilesummaries" | - create - get - update - watch - list - patch | |
| operator | "pods", "nodes", "namespaces", "configmaps", "secrets" | - get - watch - list | |
| apps | "deployments", "daemonsets", "statefulsets", "replicasets" | - get - watch - list | |
| batch | "jobs", "cronjobs" | - get - watch - list | |
| spdx.softwarecomposition.kubescape.io | "sbomspdxv2p3s", "sbomspdxv2p3filtereds", "vulnerabilitymanifests", "sbomsummaries", "vulnerabilitymanifestsummaries", "workloadconfigurationscans", "workloadconfigurationscansummaries" | - get - watch - list - delete | |
| storage | namespaces | - get - watch - list | |
| admissionregistration.k8s.io | "mutatingwebhookconfigurations", "validatingwebhookconfigurations" | - get - watch - list | |
| flowcontrol.apiserver.k8s.io | "prioritylevelconfigurations", "flowschemas" | - get - watch - list |
Cluster Role Bindings
| Name | roleRef (kind/name) | Subjects (kind/namespace/name) |
|---|---|---|
| kollector | ClusterRole/kollector | ServiceAccount/kubescape/kollector |
| kubescape | ClusterRole/kubescape | ServiceAccount/kubescape/kubescape |
| kubevuln | ClusterRole/kubevuln | ServiceAccount/kubescape/kubevuln |
| node-agent | ClusterRole/node-agent | ServiceAccount/kubescape/node-agent |
| operator | ClusterRole/operator | ServiceAccount/kubescape/operator |
| storage | ClusterRole/storage system:auth-delegator | ServiceAccount/kubescape/storage |
Roles
| Name | apiGroups | Resources | Verbs |
|---|---|---|---|
| kubescape | apps | daemonsets | - create - get - update - watch - list - patch - delete |
| operator | "configmaps", "secrets" | - create - get - update - watch - list - patch - delete | |
| batch | "cronjobs" | - create - get - update - watch - list - patch - delete |
Role Bindings
| Name | roleRef (kind/name) | Subjects (kind/namespace/name) |
|---|---|---|
| kubescape | Role/kubescape | ServiceAccount/kubescape/kubescape |
| operator | Role/operator | ServiceAccount/kubescape/operator |
Updated 5 months ago