Cluster roles for Kubeturbo

A cluster role specifies the permissions and privileges that are required to perform the following operations.

Operation | Supported role
Deploy Kubeturbo | To deploy Kubeturbo to a cluster, you must have the cluster-admin role in the given cluster. This role has sufficient privileges to create a namespace and a cluster role binding for the service account.
Monitor and optimize workloads in your cluster | The role that you choose for Kubeturbo determines its level of access to your cluster. By default, Kubeturbo deploys to your cluster with the cluster-admin role, which has full control over every resource in the cluster. If you prefer a custom role, you must set that role explicitly when you deploy Kubeturbo. The following custom roles are supported:
  • turbo-cluster-admin custom role

    This custom role specifies the minimum permissions that Kubeturbo needs to monitor your workloads and execute the actions that Turbonomic generated to optimize these workloads.

    For more information on adding a reference to the YAML with the permissions, see this YAML resource.

    For more information on the turbo-cluster-admin custom role, see the next section in this topic.

  • turbo-cluster-reader custom role

    This custom role is the least privileged role. It specifies the minimum permissions that Kubeturbo needs to monitor your workloads. Actions that Turbonomic generated to optimize these workloads can only be executed outside of Turbonomic (for example, in your cluster).

    For more information on adding a reference to the YAML with the permissions, see this YAML resource.

    For more information on the turbo-cluster-reader custom role, see the last section in this topic.

Turbonomic cluster admin custom role

An empty apiGroups entry ("") denotes the Kubernetes core API group.

apiGroups | Resources | Verbs | Description
"", batch | pods, jobs | * | Needed to take automated actions on all pods and jobs.
"", apps, apps.openshift.io, extensions, turbonomic.com, devops.turbonomic.io, redis.redis.opstreelabs.in, charts.helm.k8s.io | deployments, replicasets, replicationcontrollers, statefulsets, daemonsets, deploymentconfigs, resourcequotas, operatorresourcemappings, operatorresourcemappings/status, redis, xls | get, list, watch, update, patch | Needed to take automated resize actions on all resources in the list.
"", apps, batch, extensions, policy, app.k8s.io, argoproj.io, apiextensions.k8s.io, config.openshift.io, policy.turbonomic.io | nodes, services, endpoints, namespaces, limitranges, persistentvolumes, persistentvolumeclaims, poddisruptionbudget, cronjobs, applications, customresourcedefinitions, clusterversions, slohorizontalscales, containerverticalscales, policybindings | get, list, watch | Needed to discover all resources in the list.
machine.openshift.io | machines, machinesets | get, list, update | Needed in Red Hat OpenShift to automate node provision and suspend actions using machinesets.
"" | nodes/spec, nodes/stats, nodes/metrics, nodes/proxy, nodes/log | get | Needed to discover all resources in the list.
security.openshift.io | securitycontextconstraints | list, use | Needed in Red Hat OpenShift to use Security Context Constraints (SCCs) for automated actions.
"" | serviceaccounts | create, delete, impersonate | For Red Hat OpenShift, Kubeturbo creates a temporary service account that is bound to the required SCC, impersonates that account so that the admission controller evaluates the actions with the correct privileges, and then deletes the account when the action is executed. For Kubernetes, SCC admission is not enforced, so these verbs are normally unused and you can remove them. The get verb is read-only and is safe to keep on every cluster for simple discovery needs.
rbac.authorization.k8s.io | roles, rolebindings, clusterroles, clusterrolebindings | create, delete, update | Needed to create the required resources in the cluster to automate actions. Kubeturbo automatically creates such resources based on the role and updates them over time as needed.
"" | secrets | get, watch | Needed for Kubeturbo to read the secret that stores the details on how to connect to Turbonomic.

Turbonomic cluster reader custom role

apiGroups | Resources | Verbs | Description
"", apps, app.k8s.io, apps.openshift.io, batch, extensions, turbonomic.com, devops.turbonomic.io, policy.turbonomic.io, config.openshift.io | nodes, pods, deployments, replicasets, replicationcontrollers, services, endpoints, namespaces, limitranges, resourcequotas, persistentvolumes, persistentvolumeclaims, applications, jobs, cronjobs, statefulsets, daemonsets, deploymentconfigs, operatorresourcemappings, clusterversions, slohorizontalscales, containerverticalscales, policybindings | get, watch, list | Discovers and reads all resources in the list.
machine.openshift.io | machines, machinesets | get, list | Discovers and reads all machinesets in Red Hat OpenShift.
"" | nodes/spec, nodes/stats, nodes/metrics, nodes/proxy | get | Discovers and reads all details for nodes.
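As an added example, not code from Kubeturbo or its documentation, the following Python encodes the turbo-cluster-reader rows above as RBAC PolicyRules, applies Kubernetes rule matching (including the "*" wildcard used by the first turbo-cluster-admin row), and reports any verb beyond get, list and watch, which is how you confirm that a custom role you deployed is still the least-privileged reader role. The rule sets and the "widened" sample role are constructed from the tables here, not taken from the project's published YAML.

```python
"""Least-privilege check for Kubeturbo-style ClusterRole rules.

Rule sets below are constructed from the tables on this page (an added example,
not the project's published YAML); WIDENED_RULES is a constructed sample.
"""
READ_ONLY = {"get", "list", "watch"}  # the only verbs turbo-cluster-reader grants

# Rows of the turbo-cluster-reader table, expressed as RBAC PolicyRules.
READER_RULES = [
    {"apiGroups": ["", "apps", "app.k8s.io", "apps.openshift.io", "batch",
                   "extensions", "turbonomic.com", "devops.turbonomic.io",
                   "policy.turbonomic.io", "config.openshift.io"],
     "resources": ["nodes", "pods", "deployments", "replicasets",
                   "replicationcontrollers", "services", "endpoints", "namespaces",
                   "limitranges", "resourcequotas", "persistentvolumes",
                   "persistentvolumeclaims", "applications", "jobs", "cronjobs",
                   "statefulsets", "daemonsets", "deploymentconfigs",
                   "operatorresourcemappings", "clusterversions",
                   "slohorizontalscales", "containerverticalscales", "policybindings"],
     "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["machine.openshift.io"], "resources": ["machines", "machinesets"],
     "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["nodes/spec", "nodes/stats", "nodes/metrics",
                                      "nodes/proxy"], "verbs": ["get"]},
]

# Constructed sample: a copy of the reader role that someone widened with "update".
WIDENED_RULES = READER_RULES + [
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "update"]},
]

def _matches(allowed, value):
    # Kubernetes RBAC treats "*" in apiGroups, resources or verbs as matching anything.
    return "*" in allowed or value in allowed

def allows(rules, api_group, resource, verb):
    """True if any rule grants VERB on RESOURCE in API_GROUP ("" is the core group)."""
    return any(_matches(r["apiGroups"], api_group) and _matches(r["resources"], resource)
               and _matches(r["verbs"], verb) for r in rules)

def non_read_grants(rules):
    """Sorted (group, resource, verb) triples for every verb outside READ_ONLY.

    A role that is really turbo-cluster-reader yields an empty list; any triple
    returned is a verb this page reserves for turbo-cluster-admin (or wider).
    """
    return sorted({(g, res, v) for r in rules for g in r["apiGroups"]
                   for res in r["resources"] for v in r["verbs"] if v not in READ_ONLY})
```

Run `non_read_grants` over the rules of the ClusterRole actually bound to the Kubeturbo service account (for example, parsed from `kubectl get clusterrole <name> -o json`) to see exactly which grants exceed the reader profile.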