Cluster roles for Kubeturbo

A cluster role specifies the permissions and privileges that are required to perform the following operations.

Operation: Deploy Kubeturbo
Supported role: To deploy Kubeturbo to a cluster, you must have the cluster-admin role in the given cluster. This role has sufficient privileges to create a namespace and a cluster role binding for the service account.

Operation: Monitor and optimize workloads in your cluster
Supported role: The role that you choose for Kubeturbo determines its level of access to your cluster. By default, Kubeturbo deploys to your cluster with the cluster-admin role. This role has full control over every resource in the cluster. If you prefer a custom role, you must explicitly set that role when you deploy Kubeturbo. The following custom roles are supported:
  • turbo-cluster-admin custom role

    This custom role specifies the minimum permissions that Kubeturbo needs to monitor your workloads and execute the actions that Turbonomic generates to optimize these workloads.

    For more information on adding a reference to the YAML with the permissions, see this YAML resource.

    For more information on the turbo-cluster-admin custom role, see the next section in this topic.

  • turbo-cluster-reader custom role

    This custom role is the least privileged role. It specifies the minimum permissions that Kubeturbo needs to monitor your workloads. Actions that Turbonomic generates to optimize these workloads can only be executed outside of Turbonomic (for example, manually in your cluster).

    For more information on adding a reference to the YAML with the permissions, see this YAML resource.

    For more information on the turbo-cluster-reader custom role, see the last section in this topic.

Turbonomic cluster admin custom role

In the apiGroups column, "" denotes the core API group.

| apiGroups | Resources | Verbs | Description |
| --- | --- | --- | --- |
| "", batch | pods, jobs | * | Needed to take automated actions on all pods and jobs. |
| "", apps, apps.openshift.io, extensions, turbonomic.com, devops.turbonomic.io, redis.redis.opstreelabs.in, charts.helm.k8s.io | deployments, replicasets, replicationcontrollers, statefulsets, daemonsets, deploymentconfigs, resourcequotas, operatorresourcemappings, operatorresourcemappings/status, redis, xls | get, list, watch, update, patch | Needed to take automated resize actions on all of the resources in the list. |
| "", apps, batch, extensions, policy, app.k8s.io, argoproj.io, apiextensions.k8s.io, config.openshift.io, policy.turbonomic.io | nodes, services, endpoints, namespaces, limitranges, persistentvolumes, persistentvolumeclaims, poddisruptionbudget, cronjobs, applications, customresourcedefinitions, clusterversions, slohorizontalscales, containerverticalscales, policybindings | get, list, watch | Needed to discover all of the resources in the list. |
| machine.openshift.io | machines, machinesets | get, list, update | Needed to automate node provision and suspend in Red Hat OpenShift using machinesets. |
| "" | nodes/spec, nodes/stats, nodes/metrics, nodes/proxy, nodes/log | get | Needed to discover all of the resources in the list. |
| security.openshift.io | securitycontextconstraints | list, use | Needed in Red Hat OpenShift to use security context constraints (SCCs) for automated actions. |
| "" | serviceaccounts | create, delete, impersonate | Needed to create, delete and impersonate service accounts for use in automated actions. Kubeturbo also creates a separate service account for every SCC in use, for automating actions on resources that use those SCCs. |
| rbac.authorization.k8s.io | roles, rolebindings, clusterroles, clusterrolebindings | create, delete, update | Needed to create the required resources in the cluster to automate actions. Kubeturbo autocreates such resources based on the role and updates them over time as needed. |
| "" | secrets | get, watch | Needed for Kubeturbo to read the secret that stores the details on how to connect to . |

Turbonomic cluster reader custom role

In the apiGroups column, "" denotes the core API group.

| apiGroups | Resources | Verbs | Description |
| --- | --- | --- | --- |
| "", apps, app.k8s.io, apps.openshift.io, batch, extensions, turbonomic.com, devops.turbonomic.io, policy.turbonomic.io, config.openshift.io | nodes, pods, deployments, replicasets, replicationcontrollers, services, endpoints, namespaces, limitranges, resourcequotas, persistentvolumes, persistentvolumeclaims, applications, jobs, cronjobs, statefulsets, daemonsets, deploymentconfigs, operatorresourcemappings, clusterversions, slohorizontalscales, containerverticalscales, policybindings | get, watch, list | Discover/read all of the resources. |
| machine.openshift.io | machines, machinesets | get, list | Discover/read all of the machinesets in Red Hat OpenShift. |
| "" | nodes/spec, nodes/stats, nodes/metrics, nodes/proxy | get | Discover/read all of the node details. |
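The two tables above, the turbo-cluster-admin role and the turbo-cluster-reader role, transcribed into ClusterRole manifests and audited for verbs that go beyond read-only access. This is an added example and not Kubeturbo's own YAML (that is what the linked YAML resource provides); the role names are the ones this topic uses, while the read-only verb set {get, list, watch}, the helper names and the treatment of "*" and "use" as mutating are assumptions made here. The audit is what a reviewer would run before binding either role to the Kubeturbo service account, to confirm that the reader role really grants no write path and to see exactly which rows of the admin role do.

```python
"""Audit the Kubeturbo custom ClusterRoles for verbs beyond read-only.

Added example, not Kubeturbo's own manifests: the rules are transcribed from the
turbo-cluster-admin and turbo-cluster-reader tables in this topic. The read-only
verb set and the helper names are assumptions made for illustration.
"""
import json

# Assumption: anything outside this set is treated as a mutating permission.
READ_ONLY_VERBS = {"get", "list", "watch"}


def rule(api_groups, resources, verbs):
    """Build one PolicyRule in the shape the RBAC API expects."""
    return {"apiGroups": list(api_groups), "resources": list(resources), "verbs": list(verbs)}


def cluster_role(name, rules):
    """Wrap a list of PolicyRules in a ClusterRole manifest."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": name},
        "rules": rules,
    }


# turbo-cluster-admin: one rule per row of the first table ("" is the core API group).
TURBO_CLUSTER_ADMIN = cluster_role("turbo-cluster-admin", [
    rule(["", "batch"], ["pods", "jobs"], ["*"]),
    rule(["", "apps", "apps.openshift.io", "extensions", "turbonomic.com",
          "devops.turbonomic.io", "redis.redis.opstreelabs.in", "charts.helm.k8s.io"],
         ["deployments", "replicasets", "replicationcontrollers", "statefulsets",
          "daemonsets", "deploymentconfigs", "resourcequotas", "operatorresourcemappings",
          "operatorresourcemappings/status", "redis", "xls"],
         ["get", "list", "watch", "update", "patch"]),
    rule(["", "apps", "batch", "extensions", "policy", "app.k8s.io", "argoproj.io",
          "apiextensions.k8s.io", "config.openshift.io", "policy.turbonomic.io"],
         ["nodes", "services", "endpoints", "namespaces", "limitranges",
          "persistentvolumes", "persistentvolumeclaims", "poddisruptionbudget", "cronjobs",
          "applications", "customresourcedefinitions", "clusterversions",
          "slohorizontalscales", "containerverticalscales", "policybindings"],
         ["get", "list", "watch"]),
    rule(["machine.openshift.io"], ["machines", "machinesets"], ["get", "list", "update"]),
    rule([""], ["nodes/spec", "nodes/stats", "nodes/metrics", "nodes/proxy", "nodes/log"],
         ["get"]),
    rule(["security.openshift.io"], ["securitycontextconstraints"], ["list", "use"]),
    rule([""], ["serviceaccounts"], ["create", "delete", "impersonate"]),
    rule(["rbac.authorization.k8s.io"],
         ["roles", "rolebindings", "clusterroles", "clusterrolebindings"],
         ["create", "delete", "update"]),
    rule([""], ["secrets"], ["get", "watch"]),
])

# turbo-cluster-reader: one rule per row of the second table.
TURBO_CLUSTER_READER = cluster_role("turbo-cluster-reader", [
    rule(["", "apps", "app.k8s.io", "apps.openshift.io", "batch", "extensions",
          "turbonomic.com", "devops.turbonomic.io", "policy.turbonomic.io",
          "config.openshift.io"],
         ["nodes", "pods", "deployments", "replicasets", "replicationcontrollers",
          "services", "endpoints", "namespaces", "limitranges", "resourcequotas",
          "persistentvolumes", "persistentvolumeclaims", "applications", "jobs",
          "cronjobs", "statefulsets", "daemonsets", "deploymentconfigs",
          "operatorresourcemappings", "clusterversions", "slohorizontalscales",
          "containerverticalscales", "policybindings"],
         ["get", "watch", "list"]),
    rule(["machine.openshift.io"], ["machines", "machinesets"], ["get", "list"]),
    rule([""], ["nodes/spec", "nodes/stats", "nodes/metrics", "nodes/proxy"], ["get"]),
])


def mutating_rules(role):
    """Return the rules granting verbs outside READ_ONLY_VERBS, with only those verbs listed.

    "*" counts as mutating because it includes create, update and delete.
    """
    flagged = []
    for r in role["rules"]:
        extra = sorted(set(r["verbs"]) - READ_ONLY_VERBS)
        if extra:
            flagged.append({"apiGroups": r["apiGroups"], "resources": r["resources"], "verbs": extra})
    return flagged


def is_read_only(role):
    """True when no rule in the role grants a verb outside READ_ONLY_VERBS."""
    return not mutating_rules(role)


def to_manifest(role):
    """Serialise as JSON; JSON is valid YAML, so `kubectl apply -f` accepts the output."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    for role in (TURBO_CLUSTER_ADMIN, TURBO_CLUSTER_READER):
        print(f"{role['metadata']['name']}: read-only={is_read_only(role)}")
        for r in mutating_rules(role):
            print(f"  {r['verbs']} on {r['resources']} in apiGroups {r['apiGroups']}")
```

Running the script reports the reader role as read-only and lists six admin rows that carry write verbs: the "*" on pods and jobs, update/patch on the resize targets, update on machinesets, use on SCCs, create/delete/impersonate on service accounts, and create/delete/update on RBAC objects. Those six rows are the exact difference in blast radius between the two roles, which is what the choice between them in the first table comes down to.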