copyright

lastupdated

keywords

subcollection

years
2014, 2021

2021-03-22

kubernetes, iks, infrastructure, rbac, policy

containers

{:DomainName: data-hd-keyref="APPDomain"} {:DomainName: data-hd-keyref="DomainName"} {:android: data-hd-operatingsystem="android"} {:api: .ph data-hd-interface='api'} {:apikey: data-credential-placeholder='apikey'} {:app_key: data-hd-keyref="app_key"} {:app_name: data-hd-keyref="app_name"} {:app_secret: data-hd-keyref="app_secret"} {:app_url: data-hd-keyref="app_url"} {:authenticated-content: .authenticated-content} {:beta: .beta} {:c#: data-hd-programlang="c#"} {:cli: .ph data-hd-interface='cli'} {:codeblock: .codeblock} {:curl: .ph data-hd-programlang='curl'} {:deprecated: .deprecated} {:dotnet-standard: .ph data-hd-programlang='dotnet-standard'} {:download: .download} {:external: target="_blank" .external} {:faq: data-hd-content-type='faq'} {:fuzzybunny: .ph data-hd-programlang='fuzzybunny'} {:generic: data-hd-operatingsystem="generic"} {:generic: data-hd-programlang="generic"} {:gif: data-image-type='gif'} {:go: .ph data-hd-programlang='go'} {:help: data-hd-content-type='help'} {:hide-dashboard: .hide-dashboard} {:hide-in-docs: .hide-in-docs} {:important: .important} {:ios: data-hd-operatingsystem="ios"} {:java: .ph data-hd-programlang='java'} {:java: data-hd-programlang="java"} {:javascript: .ph data-hd-programlang='javascript'} {:javascript: data-hd-programlang="javascript"} {:new_window: target="_blank"} {:note .note} {:note: .note} {:objectc data-hd-programlang="objectc"} {:org_name: data-hd-keyref="org_name"} {:php: data-hd-programlang="php"} {:pre: .pre} {:preview: .preview} {:python: .ph data-hd-programlang='python'} {:python: data-hd-programlang="python"} {:route: data-hd-keyref="route"} {:row-headers: .row-headers} {:ruby: .ph data-hd-programlang='ruby'} {:ruby: data-hd-programlang="ruby"} {:runtime: architecture="runtime"} {:runtimeIcon: .runtimeIcon} {:runtimeIconList: .runtimeIconList} {:runtimeLink: .runtimeLink} {:runtimeTitle: .runtimeTitle} {:screen: .screen} {:script: data-hd-video='script'} {:service: architecture="service"} {:service_instance_name: data-hd-keyref="service_instance_name"} {:service_name: data-hd-keyref="service_name"} {:shortdesc: .shortdesc} {:space_name: data-hd-keyref="space_name"} {:step: data-tutorial-type='step'} {:subsection: outputclass="subsection"} {:support: data-reuse='support'} {:swift: .ph data-hd-programlang='swift'} {:swift: data-hd-programlang="swift"} {:table: .aria-labeledby="caption"} {:term: .term} {:tip: .tip} {:tooling-url: data-tooling-url-placeholder='tooling-url'} {:troubleshoot: data-hd-content-type='troubleshoot'} {:tsCauses: .tsCauses} {:tsResolve: .tsResolve} {:tsSymptoms: .tsSymptoms} {:tutorial: data-hd-content-type='tutorial'} {:ui: .ph data-hd-interface='ui'} {:unity: .ph data-hd-programlang='unity'} {:url: data-credential-placeholder='url'} {:user_ID: data-hd-keyref="user_ID"} {:vbnet: .ph data-hd-programlang='vb.net'} {:video: .video}

User access permissions

{: #access_reference}

When you assign cluster permissions, it can be hard to judge which role you need to assign to a user. Use the tables in the following sections to determine the minimum level of permissions that are required to perform common tasks in {{site.data.keyword.containerlong}}. {: shortdesc}

Permissions to create a cluster

{: #cluster_create_permissions}

Review the minimum permissions in {{site.data.keyword.cloud_notm}} IAM that the account owner must set up so that users can create clusters in {{site.data.keyword.containerlong_notm}}. {: shortdesc}

API key for each region and resource group

The API key is used to provide the underlying access to infrastructure and other account resources. For more information, see [Setting up the API key to enable access to the infrastructure portfolio](/docs/containers?topic=containers-users#api_key).

**IAM Services**

**Administrator** platform access role for **Kubernetes Service** in the console (**containers-kubernetes** in the API or CLI) in **All resource groups**.
**Writer** or **Manager** service access role for **Kubernetes Service** in the console (**containers-kubernetes** in the API or CLI) in **All resource groups**.
**Administrator** platform access role for **Container Registry** in the console (**container-registry** in the API or CLI) at the **Account** level. Do not limit policies for {{site.data.keyword.registrylong_notm}} to the resource group level.
If you plan to [expose apps with Ingress](/docs/containers?topic=containers-ingress-about), assign the user **Administrator** or **Editor** platform access role and the **Manager** service access role for **{{site.data.keyword.cloudcerts_short}}** in **All resource groups**.
**Viewer** platform access role for the resource group access.
If your account [restricts service ID creation](/docs/account?topic=account-restrict-service-id-create), the **Service ID creator** role to **Identity and Access Management** in the console (`iam-identity` in the API or CLI).
If your account [restricts API key creation](/docs/account?topic=account-allow-api-create), the **User API key creator** role to **Identity and Access Management** in the console (`iam-identity` in the API or CLI).
If you plan to [encrypt your cluster](/docs/containers?topic=containers-encryption#keyprotect):
- Assign the user the appropriate permission to the key management service (KMS) provider, such as the **Administrator** platform access role for {{site.data.keyword.keymanagementserviceshort}}.
- For clusters that run Kubernetes 1.18.8_1525 or later: When you enable KMS encryption, an additional **Reader** [service-to-service authorization policy](/docs/account?topic=account-serviceauth) between {{site.data.keyword.containerlong_notm}} and {{site.data.keyword.keymanagementserviceshort}} is automatically created for your cluster, if the policy does not already exist. Without this policy, your cluster cannot use all the [{{site.data.keyword.keymanagementserviceshort}} features](/docs/containers?topic=containers-encryption#kms-keyprotect-features).
**Viewer** platform access role for the resource group access.

**Infrastructure**

Classic clusters only: **Super User** role or the [minimum required permissions](#infra) for classic infrastructure.
VPC clusters only: **Administrator** platform access role for [**VPC Infrastructure**](/docs/vpc?topic=vpc-iam-getting-started).

User that creates the cluster

In addition to the API key, each individual user must have the following permissions to create a cluster.

**Administrator** platform access role for **Kubernetes Service** in the console (**containers-kubernetes** in the API or CLI). If your access is scoped to a resource group or region, you must also have the **Viewer** platform access role at the **Account** level to view the account's VLANs.
**Administrator** platform access role for **Container Registry** in the console (**container-registry** in the API or CLI) at the **Account** level.
**Viewer** platform access role to **IAM Identity Service** for account management access.
**Viewer** platform access role for the resource group access.

More information about assigning permissions:

To understand how access works and how to assign users roles in {{site.data.keyword.cloud_notm}} IAM, see Setting up access to your cluster.
To create clusters, see Preparing to create clusters at the account level.
For permissions that you might set up for different types of users such as auditors, see Example use cases and roles.

{{site.data.keyword.cloud_notm}} IAM platform access roles

{: #iam_platform}

{{site.data.keyword.containerlong_notm}} is configured to use {{site.data.keyword.cloud_notm}} Identity and Access Management (IAM) roles. {{site.data.keyword.cloud_notm}} IAM platform access roles determine the actions that users can perform on {{site.data.keyword.cloud_notm}} resources such as clusters, worker nodes, and Ingress application load balancers (ALBs). {{site.data.keyword.cloud_notm}} IAM platform access roles also automatically set basic infrastructure permissions for users. To assign platform access roles, see Granting users access to your cluster through {{site.data.keyword.cloud_notm}} IAM. {: shortdesc}

Do not assign {{site.data.keyword.cloud_notm}} IAM platform access roles at the same time as a service access role. You must assign platform and service access roles separately.

Actions requiring no permissions: Any user in your account who runs the CLI command or makes the API call for the action sees the result, even if the user has no assigned permissions.
Viewer actions: The Viewer platform access role includes the actions that require no permissions, plus the permissions that are shown in the Viewer tab of following table. With the Viewer role, users such as auditors or billing can see cluster details but not modify the infrastructure.
Editor actions: The Editor platform access role includes the permissions that are granted by Viewer, plus the following. With the Editor role, users such as developers can bind services, work with Ingress resources, and set up log forwarding for their apps but cannot modify the infrastructure. Tip: Use this role for app developers, and assign the Cloud Foundry Developer role.
Operator actions: The Operator platform access role includes the permissions that are granted by Viewer, plus the permissions that are shown in the Operator tab of the following table. With the Operator role, users such as site reliability engineers, DevOps engineers, or cluster administrators can add worker nodes and troubleshoot infrastructure such as by reloading a worker node, but cannot create or delete the cluster, change the credentials, or set up cluster-wide features like service endpoints or managed add-ons.
Administrator actions: The Administrator platform access role includes all permissions that are granted by the Viewer, Editor, and Operator roles, plus the permissions that are show in the Administrator tab of the following table. With the Administrator role, users such as cluster or account administrators can create and delete clusters or set up cluster-wide features like service endpoints or managed add-ons. To create order such infrastructure resources such as worker node machines, VLANs, and subnets, Administrator users need the Super user infrastructure role or the API key for the region must be set with the appropriate permissions.

The following table shows the permissions granted by each {{site.data.keyword.cloud_notm}} IAM platform access role. Each tab is organized alphabetically by CLI command name.

Action	CLI command	API call
View a list of supported versions for managed add-ons in {{site.data.keyword.containerlong_notm}}.	`ibmcloud ks addon-versions`	`GET /v1/addon`
Target or view the API endpoint for {{site.data.keyword.containerlong_notm}}.	`ibmcloud ks api`	-
View a list of supported commands and parameters.	`ibmcloud ks help`	-
Initialize the {{site.data.keyword.containerlong_notm}} plug-in or specify the region where you want to create or access Kubernetes clusters.	`ibmcloud ks init`	-
Deprecated: View a list of Kubernetes versions supported in {{site.data.keyword.containerlong_notm}}.	`ibmcloud ks kube-versions`	`GET /v1/kube-versions`
View a list of available flavors for your worker nodes.	`ibmcloud ks flavors` (machine-types)	`GET /v2/getFlavors`
View current messages for the IBMid user.	`ibmcloud ks messages`	`GET /v1/messages`
View a list of supported locations in {{site.data.keyword.containerlong_notm}}.	`ibmcloud ks locations`	`GET /v1/locations`
View a list of supported versions in {{site.data.keyword.containerlong_notm}}.	`ibmcloud ks versions`	-
View a list of available zones that you can create a cluster in.	`ibmcloud ks zone ls`	Classic: `GET /v1/zones` VPC: `GET /v2/vpc/getZones`
{: class="simple-tab-table"}
{: caption="Overview of permissions required for CLI commands and API calls in {{site.data.keyword.containerlong_notm}}." caption-side="top"}
{: #accessreftabtablenone}
{: tab-title="None"}
{: tab-group="access-ref-iam-platform"}

Action	CLI command	API call
View information for an Ingress ALB.	`ibmcloud ks ingress alb get`	Classic: `GET /v1/albs/{albId}` VPC: `GET /v2/alb/getAlb`
View the Ingress migration status for a cluster.	`ibmcloud ks ingress alb migrate status`	`GET /v2/alb/getMigrationstatus`
List all Ingress ALBs in a cluster.	`ibmcloud ks ingress alb ls`	Classic: `GET /v1/clusters/{idOrName}` VPC: `GET /v2/alb/getClusterAlbs`
Get the configuration of load balancers that expose Ingress ALBs in your cluster.	`ibmcloud ks ingress lb get`	`GET /ingress/v2/load-balancer/configuration`
View the name and email address for the owner of the {{site.data.keyword.cloud_notm}} IAM API key for a resource group and region.	`ibmcloud ks api-key info`	`GET /v1/logging/{idOrName}/clusterkeyowner`
Download Kubernetes configuration data and certificates to connect to your cluster and run kubectl commands.	`ibmcloud ks cluster config`	`GET /v1/clusters/{idOrName}/config`
View information for a cluster.	`ibmcloud ks cluster get`	Provider-agnostic: `GET /v2/getCluster` Classic: `GET /v1/clusters/{idOrName}` VPC: `GET /v2/vpc/getCluster`
List all services in all namespaces that are bound to a cluster.	`ibmcloud ks cluster service ls`	`GET /v1/clusters/{idOrName}/services`
List all clusters.	`ibmcloud ks cluster ls`	Classic: `GET /v1/clusters` VPC: `GET /v2/vpc/getClusters`
Get the infrastructure credentials that are set for the {{site.data.keyword.cloud_notm}} account to access a different classic infrastructure portfolio.	`ibmcloud ks credential get`	`GET /v1/credentials`
Check whether the credentials that allow access to the classic IBM Cloud infrastructure portfolio for the targeted region and resource group are missing suggested or required infrastructure permissions.	`ibmcloud ks infra-permissions get`	`GET /v1/infra-permissions`
View the status for automatic updates of the Fluentd add-on.	`ibmcloud ks logging autoupdate get`	`GET /v1/logging/{idOrName}/updatepolicy`
View the default logging endpoint for the targeted region.	-	`GET /v1/logging/{idOrName}/default`
List all log forwarding configurations in the cluster or for a specific log source in the cluster.	`ibmcloud ks logging config get`	`GET /v1/logging/{idOrName}/loggingconfig` and `GET /v1/logging/{idOrName}/loggingconfig/{logSource}`
View information for a log filtering configuration.	`ibmcloud ks logging filter get`	`GET /v1/logging/{idOrName}/filterconfigs/{id}`
List all logging filter configurations in the cluster.	`ibmcloud ks logging filter get`	`GET /v1/logging/{idOrName}/filterconfigs`
List all services that are bound to a specific namespace.	-	`GET /v1/clusters/{idOrName}/services/{namespace}`
List all IBM Cloud infrastructure subnets that are bound to a cluster.	-	`GET /v1/clusters/{idOrName}/subnets`
List all user-managed subnets that are bound to a cluster.	-	`GET /v1/clusters/{idOrName}/usersubnets`
List available subnets in all resource groups.	`ibmcloud ks subnets`	Classic: `GET /v1/subnets` VPC: `GET /v2/vpc/getSubnets`
View the VLAN spanning status for the infrastructure account.	`ibmcloud ks vlan spanning get`	`GET /v1/subnets/vlan-spanning`
When set for one cluster: List VLANs that the cluster is connected to in a zone. When set for all clusters in the account: List all available VLANs in a zone.	`ibmcloud ks vlan ls`	`GET /v1/datacenters/{datacenter}/vlans`
List all VPCs in the targeted resource group.	`ibmcloud ks vpcs`	`GET /v2/vpc/getVPCs`
List all webhooks for a cluster.	-	`GET /v1/clusters/{idOrName}/webhooks`
View information for a worker node.	`ibmcloud ks worker get`	Provider-agnostic: `GET /v2/getWorker` Classic: `GET /v2/classic/getWorker` VPC: `GET /v2/vpc/getWorker`
View information for a worker pool.	`ibmcloud ks worker-pool get`	Classic: `GET /v1/clusters/{idOrName}/workerpools/{poolidOrName}` VPC: `GET /v2/getWorkerPool`
List all worker pools in a cluster.	`ibmcloud ks worker-pool ls`	Classic: `GET /v1/clusters/{idOrName}/workerpools` VPC: `GET /v2/getWorkerPools`
List all worker nodes in a cluster.	`ibmcloud ks worker ls`	Provider-agnostic: `GET/v2/getWorkers` Classic: `GET /v2/classic/getWorkers` VPC: `GET /v2/vpc/getWorkers`
{: class="simple-tab-table"}
{: caption="Overview of permissions required for CLI commands and API calls in {{site.data.keyword.containerlong_notm}}." caption-side="top"}
{: summary="The rows are read from left to right. The first column is the action that you can take with {{site.data.keyword.containerlong_notm}} service. The second column is the name of the action in the command line interface (CLI). The third column is the name of the action in the application programming interface (API)."}
{: #accessreftabtableview}
{: tab-title="Viewer"}
{: tab-group="access-ref-iam-platform"}

Action	CLI command	API call
Disable automatic updates for the Ingress ALB add-on.	`ibmcloud ks ingress alb autoupdate disable`	`PUT /v1/clusters/{idOrName}/updatepolicy`
Enable automatic updates for the Ingress ALB add-on.	`ibmcloud ks ingress alb autoupdate enable`	`PUT /v1/clusters/{idOrName}/updatepolicy`
Check whether automatic updates for the Ingress ALB add-on are enabled.	`ibmcloud ks ingress alb autoupdate get`	`GET /v1/clusters/{idOrName}/updatepolicy`
Enable or disable an Ingress ALB in a classic cluster.	`ibmcloud ks ingress alb configure classic`	`POST /v1/albs` and `DELETE /v1/albs/{albId}`
Create an Ingress ALB in a classic cluster.	`ibmcloud ks ingress alb create classic`	`POST /v1/clusters/{idOrName}/zone/{zoneId}`
Force a one-time update of your Ingress ALB pods.	`ibmcloud ks ingress alb update`	`PUT /v1/alb/versions`
View the available images and image versions for Ingress ALBs in your cluster.	`ibmcloud ks ingress alb versions`	`PUT /v1/alb/clusters/{idOrName}/update`
Create an API server audit webhook.	`ibmcloud ks cluster master audit-webhook set`	`PUT /v1/clusters/{idOrName}/apiserverconfigs/auditwebhook`
Delete an API server audit webhook.	`ibmcloud ks cluster master audit-webhook unset`	`DELETE /v1/clusters/{idOrName}/apiserverconfigs/auditwebhook`
Bind a service to a cluster. Note: You must have the Cloud Foundry Developer role for the space that you service instance is in.	`ibmcloud ks cluster service bind`	`POST /v1/clusters/{idOrName}/services`
Unbind a service from a cluster. Note: You must have the Cloud Foundry Developer role for the space that you service instance is in.	`ibmcloud ks cluster service unbind`	`DELETE /v1/clusters/{idOrName}/services/{namespace}/{serviceInstanceId}`
Create a log forwarding configuration.	`ibmcloud ks logging config create`	`POST /v1/logging/{idOrName}/loggingconfig/{logSource}`
Refresh a log forwarding configuration.	`ibmcloud ks logging refresh`	`PUT /v1/logging/{idOrName}/refresh`
Delete a log forwarding configuration.	`ibmcloud ks logging config rm`	`DELETE /v1/logging/{idOrName}/loggingconfig/{logSource}/{id}`
Delete all log forwarding configurations for a cluster.	-	`DELETE /v1/logging/{idOrName}/loggingconfig`
Update a log forwarding configuration.	`ibmcloud ks logging config update`	`PUT /v1/logging/{idOrName}/loggingconfig/{logSource}/{id}`
Create a log filtering configuration.	`ibmcloud ks logging filter create`	`POST /v1/logging/{idOrName}/filterconfigs`
Delete a log filtering configuration.	`ibmcloud ks logging filter rm`	`DELETE /v1/logging/{idOrName}/filterconfigs/{id}`
Delete all logging filter configurations for the Kubernetes cluster.	-	`DELETE /v1/logging/{idOrName}/filterconfigs`
Update a log filtering configuration.	`ibmcloud ks logging filter update`	`PUT /v1/logging/{idOrName}/filterconfigs/{id}`
Configure and optionally enable a health check monitor for an existing NLB subdomain in a cluster.	`ibmcloud ks nlb-dns monitor configure`	`POST /v1/health/clusters/{idOrName}/config`
View the settings for an existing health check monitor.	`ibmcloud ks nlb-dns monitor get`	`GET /v1/health/clusters/{idOrName}/host/{nlbHost}/config`
Disable an existing health check monitor for a subdomain in a cluster.	`ibmcloud ks nlb-dns monitor disable`	`PUT /v1/clusters/{idOrName}/health`
Enable a health check monitor that you configured.	`ibmcloud ks nlb-dns monitor enable`	`PUT /v1/clusters/{idOrName}/health`
List the health check monitor settings for each NLB subdomain in a cluster.	`ibmcloud ks nlb-dns monitor ls`	`GET /v1/health/clusters/{idOrName}/list`
List the health check status of each IP address that is registered with an NLB subdomain in a cluster.	`ibmcloud ks nlb-dns monitor status`	`GET /v1/health/clusters/{idOrName}/status`
Add one NLB IP address to an existing NLB subdomain.	`ibmcloud ks nlb-dns add`	`PUT /v1/clusters/{idOrName}/add`
Create a DNS subdomain to register an NLB IP address.	`ibmcloud ks nlb-dns create classic`	`POST /v1/clusters/{idOrName}/register`
List NLB subdomains and either the NLB IP addresses (classic clusters) or the load balancer hostnames (VPC clusters) that are registered with the DNS provider for each NLB subdomain.	`ibmcloud ks nlb-dns ls`	Classic: `GET /v1/clusters/{idOrName}/list` VPC: `GET /v2/nlb-dns/getNlbDNSList`
Replace the VPC load balancer hostname for a subdomain.	`ibmcloud ks nlb-dns replace`	`POST /v2/nlb-dns/vpc/replaceLBHostname`
Remove an NLB IP address from a subdomain.	`ibmcloud ks nlb-dns rm classic`	`DELETE /v1/clusters/{idOrName}/host/{nlbHost}/ip/{nlbIP}/remove`
Regenerate the certificate and secret for an NLB subdomain.	`ibmcloud ks nlb-dns secret regenerate`	`POST /v2/nlb-dns/regenerateCert`
Delete a secret from an NLB subdomain and prevent future renewal of the certificate.	`ibmcloud ks nlb-dns secret rm`	`POST /v2/nlb-dns/deleteSecret`
Create a webhook in a cluster.	`ibmcloud ks webhook-create`	`POST /v1/clusters/{idOrName}/webhooks`
{: class="simple-tab-table"}
{: caption="Overview of permissions required for CLI commands and API calls in {{site.data.keyword.containerlong_notm}}." caption-side="top"}
{: summary="The rows are read from left to right. The first column is the action that you can take with {{site.data.keyword.containerlong_notm}} service. The second column is the name of the action in the command line interface (CLI). The third column is the name of the action in the application programming interface (API)."}
{: #accessreftabtableedit}
{: tab-title="Editor"}
{: tab-group="access-ref-iam-platform"}

Action	CLI command	API call
Refresh the Kubernetes master.	`ibmcloud ks cluster master refresh`	`PUT /v1/clusters/{idOrName}/masters`
Update a cluster.	`ibmcloud ks cluster master update`	`PUT /v1/clusters/{idOrName}`
Make an {{site.data.keyword.cloud_notm}} IAM service ID for the cluster, create a policy for the service ID that assigns the Reader service access role in {{site.data.keyword.registrylong_notm}}, and then create an API key for the service ID.	`ibmcloud ks cluster pull-secret apply`	-
Add a subnet to a cluster.	`ibmcloud ks cluster subnet add`	`PUT /v1/clusters/{idOrName}/subnets/{subnetId}`
Create a subnet and add it to a cluster.	`ibmcloud ks cluster subnet create`	`POST /v1/clusters/{idOrName}/vlans/{vlanId}`
Detach a subnet from a cluster.	`ibmcloud ks cluster subnet detach`	`DELETE /v1/clusters/{idOrName}/subnets/{subnetId}`
Update the configuration of load balancers that expose Ingress ALBs in your cluster.	`ibmcloud ks ingress lb proxy-protocol disable` and `ibmcloud ks ingress lb proxy-protocol enable`	`PATCH /ingress/v2/load-balancer/configuration`
Add worker nodes.	`ibmcloud ks worker add (deprecated)`	`POST /v1/clusters/{idOrName}/workers`
Create a worker pool in a classic cluster.	`ibmcloud ks worker-pool create classic`	`POST /v1/clusters/{idOrName}/workerpools`
Rebalance a worker pool.	`ibmcloud ks worker-pool rebalance`	`PATCH /v1/clusters/{idOrName}/workerpools/{poolidOrName}`
Resize a worker pool.	`ibmcloud ks worker-pool resize`	`PATCH /v1/clusters/{idOrName}/workerpools/{poolidOrName}`
Set labels on a worker pool.	`ibmcloud ks worker-pool label set`	v1 API: `PATCH /v1/clusters/{idOrName}/workerpools/{poolidOrName}` v2 API: `POST /v2/setWorkerPoolLabels`
Remove labels from a worker pool.	`ibmcloud ks worker-pool label rm`	v1 API: `PATCH /v1/clusters/{idOrName}/workerpools/{poolidOrName}` v2 API: `POST /v2/setWorkerPoolLabels`
Delete a worker pool.	`ibmcloud ks worker-pool rm`	`DELETE /v1/clusters/{idOrName}/workerpools/{poolidOrName}`
Reboot a worker node.	`ibmcloud ks worker reboot`	`PUT /v1/clusters/{idOrName}/workers/{workerId}`
Reload a worker node.	`ibmcloud ks worker reload`	`PUT /v1/clusters/{idOrName}/workers/{workerId}`
Replace a worker node.	`ibmcloud ks worker replace`	Classic: `POST /v2/replaceWorker` VPC: `POST /v2/vpc/replaceWorker`
Remove a worker node.	`ibmcloud ks worker rm`	`DELETE /v1/clusters/{idOrName}/workers/{workerId}`
Update a worker node.	`ibmcloud ks worker update`	`PUT /v1/clusters/{idOrName}/workers/{workerId}`
Add a zone to a worker pool.	`ibmcloud ks zone add classic`	`POST /v1/clusters/{idOrName}/workerpools/{poolidOrName}/zones`
Update the network configuration for a given zone in a worker pool.	`ibmcloud ks zone network-set`	`PATCH /v1/clusters/{idOrName}/workerpools/{poolidOrName}/zones/{zoneid}`
Remove a zone a from worker pool.	`ibmcloud ks zone rm`	`DELETE /v1/clusters/{idOrName}/workerpools/{poolidOrName}/zones/{zoneid}`
{: class="simple-tab-table"}
{: caption="Overview of permissions required for CLI commands and API calls in {{site.data.keyword.containerlong_notm}}." caption-side="top"}
{: summary="The rows are read from left to right. The first column is the action that you can take with {{site.data.keyword.containerlong_notm}} service. The second column is the name of the action in the command line interface (CLI). The third column is the name of the action in the application programming interface (API)."}
{: #accessreftabtableoper}
{: tab-title="Operator"}
{: tab-group="access-ref-iam-platform"}

Action	CLI command	API call
Create a secret for a certificate from your {{site.data.keyword.cloudcerts_long_notm}} instance to your cluster.	`ibmcloud ks ingress secret create`	`POST /ingress/v2/secret/createSecret`
View details for an Ingress secret in a cluster.	`ibmcloud ks ingress secret get`	`GET /ingress/v2/secret/getSecret`
List all Ingress secrets in a cluster.	`ibmcloud ks ingress secret ls`	`GET /ingress/v2/secret/getSecrets`
Remove an Ingress secret from a cluster.	`ibmcloud ks ingress secret rm`	`POST /ingress/v2/secret/deleteSecret`
Update an Ingress secret in your cluster.	`ibmcloud ks ingress secret update`	`POST /ingress/v2/secret/updateSecret`
Clean up Ingress resources and configmaps, such as after an Ingress migration.	`ibmcloud ks ingress alb migrate clean`	`POST /v2/alb/cleanupMigration`
Start a migration of Ingress resources and configmaps.	`ibmcloud ks ingress alb migrate start`	`POST /v2/alb/startMigration`
Set the API key for the {{site.data.keyword.cloud_notm}} account to access the linked IBM Cloud infrastructure portfolio.	`ibmcloud ks api-key reset`	`POST /v1/keys`
Disable a managed add-on, such the Kubernetes web terminal, in a cluster.	`ibmcloud ks cluster addon disable`	`PATCH /v1/clusters/{idOrName}/addons`
Enable a managed add-on, such the Kubernetes web terminal, in a cluster.	`ibmcloud ks cluster addon enable`	`PATCH /v1/clusters/{idOrName}/addons`
List managed add-ons, such as the Kubernetes web terminal, that are enabled in a cluster.	`ibmcloud ks cluster addon ls`	`GET /v1/clusters/{idOrName}/addons`
Create a free or standard cluster on classic infrastructure. Note: The Administrator platform access role for {{site.data.keyword.registrylong_notm}} and the Super User infrastructure role are also required.	`ibmcloud ks cluster create classic`	`POST /v1/clusters`
Enable the private cloud service endpoint for the cluster master.	`ibmcloud ks cluster master private-service-endpoint enable`	`POST /v2/enablePrivateServiceEndpoint`
Disable the public cloud service endpoint for the cluster master.	`ibmcloud ks master public-service-endpoint disable`	`POST /v2/disablePublicServiceEndpoint`
Enable the public cloud service endpoint for the cluster master.	`ibmcloud ks master public-service-endpoint enable`	`POST /v2/enablePublicServiceEndpoint`
Delete a cluster.	`ibmcloud ks cluster rm`	`DELETE /v1/clusters/{idOrName}`
Set infrastructure credentials for the {{site.data.keyword.cloud_notm}} account to access a different classic infrastructure portfolio.	`ibmcloud ks credential set`	`POST /v1/credentials`
Remove infrastructure credentials for the {{site.data.keyword.cloud_notm}} account to access a different classic infrastructure portfolio.	`ibmcloud ks credential unset`	`DELETE /v1/credentials`
Encrypt Kubernetes secrets by using a key management service (KMS) provider.	`ibmcloud ks kms enable`	`POST /v2/enableKMS`
Disable automatic updates for the Fluentd cluster add-on.	`ibmcloud ks logging autoupdate disable`	`PUT /v1/logging/{idOrName}/updatepolicy`
Enable automatic updates for the Fluentd cluster add-on.	`ibmcloud ks logging autoupdate enable`	`PUT /v1/logging/{idOrName}/updatepolicy`
Collect a snapshot of API server logs in an {{site.data.keyword.cos_full_notm}} bucket.	`ibmcloud ks logging collect`	`POST /v1/log-collector/{idOrName}/masterlogs`
See the status of the API server logs snapshot request.	`ibmcloud ks logging collect-status`	`GET /v1/log-collector/{idOrName}/masterlogs`
{: class="simple-tab-table"}
{: caption="Overview of permissions required for CLI commands and API calls in {{site.data.keyword.containerlong_notm}}." caption-side="top"}
{: summary="The rows are read from left to right. The first column is the action that you can take with {{site.data.keyword.containerlong_notm}} service. The second column is the name of the action in the command line interface (CLI). The third column is the name of the action in the application programming interface (API)."}
{: #accessreftabtableadmin}
{: tab-title="Administrator"}
{: tab-group="access-ref-iam-platform"}

{{site.data.keyword.cloud_notm}} IAM service access roles

{: #service}

Every user who is assigned an {{site.data.keyword.cloud_notm}} IAM service access role is also automatically assigned a corresponding Kubernetes role-based access control (RBAC) role in a specific namespace. To assign service access roles, see Granting users access to your cluster through {{site.data.keyword.cloud_notm}} IAM. Do not assign {{site.data.keyword.cloud_notm}} IAM platform access roles at the same time as a service access role. You must assign platform and service access roles separately. {: shortdesc}

Looking for which Kubernetes actions each service access role grants through RBAC? See Kubernetes resource permissions per RBAC role. To learn more about RBAC roles, see Assigning RBAC permissions and Extending existing permissions by aggregating cluster roles. For the username details, see {{site.data.keyword.cloud_notm}} IAM issuer details for RBAC users. {: tip}

The following table shows the Kubernetes resource permissions that are granted by each service access role and its corresponding RBAC role.

Kubernetes resource permissions by service and corresponding RBAC roles

service access role Corresponding RBAC role, binding, and scope Kubernetes resource permissions

Reader role

When scoped to one namespace: view cluster role applied by the ibm-view role binding in that namespace

When scoped to all namespaces: view cluster role applied by the ibm-view role binding in each namespace of the cluster. You can also view the cluster in the {{site.data.keyword.cloud_notm}} console and CLI.

Read access to resources in a namespace
No read access to roles and role bindings or to Kubernetes secrets
Access the Kubernetes dashboard to view resources in a namespace

Writer role

When scoped to one namespace: edit cluster role applied by the ibm-edit role binding in that namespace

When scoped to all namespaces: edit cluster role applied by the ibm-edit role binding in each namespace of the cluster

Read/write access to resources in a namespace
No read/write access to roles and role bindings
Access the Kubernetes dashboard to view resources in a namespace

Manager role

When scoped to one namespace: admin cluster role applied by the ibm-operate role binding in that namespace

When scoped to all namespaces: cluster-admin cluster role applied by the ibm-admin cluster role binding that applies to all namespaces

When scoped to one namespace:

Read/write access to all resources in a namespace but not to resource quota or the namespace itself
Create RBAC roles and role bindings in a namespace
Access the Kubernetes dashboard to view all resources in a namespace

When scoped to all namespaces:

Read/write access to all resources in every namespace
Create RBAC roles and role bindings in a namespace or cluster roles and cluster role bindings in all namespaces
Access the Kubernetes dashboard
Create an Ingress resource that makes apps publicly available
Review cluster metrics such as with the kubectl top pods, kubectl top nodes, or kubectl get nodes commands
[Create and update privileged and unprivileged (restricted) pods](/docs/containers?topic=containers-psp#customize_psp)

Kubernetes resource permissions per RBAC role

{: #rbac_ref}

Every user who is assigned an {{site.data.keyword.cloud_notm}} IAM service access role is also automatically assigned a corresponding, predefined Kubernetes role-based access control (RBAC) role. If you plan to manage your own custom Kubernetes RBAC roles, see Creating custom RBAC permissions for users, groups, or service accounts. For the username details, see {{site.data.keyword.cloud_notm}} IAM issuer details for RBAC users. {: tip} {: shortdesc}

Wondering if you have the correct permissions to run a certain kubectl command on a resource in a namespace? Try the kubectl auth can-i command{: external}. {: tip}

The following table shows the permissions that are granted by each RBAC role to individual Kubernetes resources. Permissions are shown as which verbs a user with that role can complete against the resource, such as "get", "list", "describe", "create", or "delete".

Kubernetes resource permissions granted by each predefined RBAC role

{{site.data.keyword.cloud_notm}} IAM issuer details for RBAC users

{: #iam_issuer_users}

Users with a service access role to {{site.data.keyword.containerlong_notm}} in IAM are given corresponding user roles in RBAC. The RBAC user details include a unique issuer ID, subject identifier claim, and Kubernetes username. These details vary with the Kubernetes version of the cluster. When you update a cluster from a previous version, the details are automatically updated. RBAC usernames are prefixed by IAM#. For more information about how OpenID authentication works, see the Kubernetes documentation{: external}. {: shortdesc}

You might use this information if you build automation tooling within the cluster that relies on the user details to authenticate with the Kubernetes API server.

Version	Issuer	Claim	Casing`*`
1.18 or later	`https://iam.cloud.ibm.com/identity`	`realmed_sub_<account_ID>`	lowercase
1.17	`https://iam.cloud.ibm.com/identity`	`sub_<account_ID>`	lowercase
1.10 - 1.16	`https://iam.bluemix.net/identity`	`sub_<account_ID>`	lowercase
1.9 or earlier	`https://iam.ng.bluemix.net/kubernetes`	`sub`	camel case
{: summary="The rows are read from left to right. The first column is the Kubernetes version of the cluster. The second column is the {{site.data.keyword.cloud_notm}} IAM Issuer ID. The third column is the subject identifier claim. The fourth column is the casing style of the username."}
{: caption="{{site.data.keyword.cloud_notm}} IAM issuer details for RBAC users" caption-side="top"}

*: An example of lowercase is user.name@company.com. An example of camel case is User.Name@company.com. {: note}

Cloud Foundry roles

{: #cloud-foundry}

Cloud Foundry roles grant access to organizations and spaces within the account. To see the list of Cloud Foundry-based services in {{site.data.keyword.cloud_notm}}, run ibmcloud service list. To learn more, see all available org and space roles or the steps for managing Cloud Foundry access in the {{site.data.keyword.cloud_notm}} IAM documentation. {: shortdesc}

The following table shows the Cloud Foundry roles that are required for cluster action permissions.

Cluster management permissions by Cloud Foundry role

Cloud Foundry role	Cluster management permissions
Space role: Manager	Manage user access to an {{site.data.keyword.cloud_notm}} space
Space role: Developer	Create {{site.data.keyword.cloud_notm}} service instances Bind {{site.data.keyword.cloud_notm}} service instances to clusters View logs from a cluster's log forwarding configuration at the space level

Classic infrastructure roles

{: #infra}

A user with the Super User infrastructure access role sets the API key for a region and resource group so that infrastructure actions can be performed (or more rarely, manually sets different account credentials). Then, the infrastructure actions that other users in the account can perform is authorized through {{site.data.keyword.cloud_notm}} IAM platform access roles. You do not need to edit the other users' classic infrastructure permissions. Use the following table to customize users' classic infrastructure permissions only when you can't assign Super User to the user who sets the API key. For instructions to assign permissions, see Customizing infrastructure permissions. {: shortdesc}

Classic infrastructure permissions apply only to classic clusters. For VPC clusters, see Granting user permissions for VPC resources. {: note}

Need to check that the API key or manually-set credentials have the required and suggested infrastructure permissions? Use the ibmcloud ks infra-permissions get command. {: tip}

The following table shows the classic infrastructure permissions that the credentials for a region and resource group can have for creating clusters and other common use cases. The description includes how you can assign the permission in the {{site.data.keyword.cloud_notm}} IAM Classic infrastructure console or the ibmcloud sl command. For more information, see the instructions for the console or CLI.

Create clusters: Classic infrastructure permissions that you must have to create a cluster. When you run ibmcloud ks infra-permissions get, these permissions are listed as Required. For other service permissions that you must have in {{site.data.keyword.cloud_notm}} IAM to create clusters, see Permissions to create a cluster.
Other common use cases: Classic infrastructure permissions that you must have for other common scenarios. Even if you have permission to create a cluster, some limitations might apply. For example, you might not be able to create or work with a cluster with bare metal worker nodes or a public IP address. After cluster creation, further steps to add networking or storage resources might fail. When you run ibmcloud ks infra-permissions get, these permissions are listed as Suggested.

Permission	Description	IAM Assign Policy Console	CLI
IPMI Remote Management	Manage worker nodes.	Classic infrastructure > Permissions > Devices	`ibmcloud sl user permission-edit <user_id> --permission REMOTE_MANAGEMENT --enable true`
Add Server	Add worker nodes. Note: For worker nodes that have public IP addresses, you also need the Add Compute with Public Network Port permission in the Network category.	Add Server: Classic infrastructure > Permissions > Account Add Compute with Public Network Port: Classic infrastructure > Permissions > Network	Add Server: `ibmcloud sl user permission-edit <user_id> --permission SERVER_ADD --enable true` Add Compute with Public Network Port: `ibmcloud sl user permission-edit <user_id> --permission PUBLIC_NETWORK_COMPUTE --enable true`
Cancel Server	Delete worker nodes.	Classic infrastructure > Permissions > Account	`ibmcloud sl user permission-edit <user_id> --permission SERVER_CANCEL --enable true`
OS Reloads and Rescue Kernel	Update, reboot, and reload worker nodes.	Classic infrastructure > Permissions > Devices	`ibmcloud sl user permission-edit <user_id> --permission SERVER_RELOAD --enable true`
View Virtual Server Details	Required if the cluster has VM worker nodes. List and get details of VM worker nodes.	Classic infrastructure > Permissions > Devices	`ibmcloud sl user permission-edit <user_id> --permission VIRTUAL_GUEST_VIEW --enable true`
View Hardware Details	Required if the cluster has bare metal worker nodes. List and get details of bare metal worker nodes.	Classic infrastructure > Permissions > Devices	`ibmcloud sl user permission-edit <user_id> --permission HARDWARE_VIEW --enable true`
Add Support Case	As part of the cluster creation automation, support cases are opened to provision the cluster infrastructure.	-	`ibmcloud sl user permission-edit <user_id> --permission TICKET_ADD --enable true`
Edit Support Case	As part of the cluster creation automation, support cases are updated to provision the cluster infrastructure.	-	`ibmcloud sl user permission-edit <user_id> --permission TICKET_EDIT --enable true`
View Support Case	As part of the cluster creation automation, support cases are used to provision the cluster infrastructure.	-	`ibmcloud sl user permission-edit <user_id> --permission TICKET_VIEW --enable true`
{: class="simple-tab-table"}
{: caption="Required classic infrastructure permissions" caption-side="top"}
{: #classic-permissions-required}
{: tab-title="Create clusters"}
{: tab-group="Classic infrastructure permissions"}

Permission	Description	IAM Assign Policy Console	CLI
Access All Virtual	Designate access to all VM worker nodes. Without this permission, a user who creates one cluster might not be able to view the VM worker nodes of another cluster even if the user has IAM access to both clusters.	Classic infrastructure > Devices > Check All virtual servers and Auto virtual server access	`ibmcloud sl user permission-edit <user_id> --permission ACCESS_ALL_GUEST --enable true`
Access All Hardware	Designate access to all bare metal worker nodes. Without this permission, a user who creates one cluster might not be able to view the bare metal worker nodes of another cluster even if the user has IAM access to both clusters.	Classic infrastructure > Devices > Check All bare metal servers and Auto bare metal server access	`ibmcloud sl user permission-edit <user_id> --permission ACCESS_ALL_HARDWARE --enable true`
Add Compute with Public Network Port	Let worker nodes have a port that can be accessible on the public network.	Classic infrastructure > Permissions > Network	`ibmcloud sl user permission-edit <user_id> --permission PUBLIC_NETWORK_COMPUTE --enable true`
Manage DNS	Set up public load balancer or Ingress networking to expose apps.	Classic infrastructure > Permissions > Services	`ibmcloud sl user permission-edit <user_id> --permission DNS_MANAGE --enable true`
Edit Hostname/Domain	Set up public load balancer or Ingress networking to expose apps.	Classic infrastructure > Permissions > Devices	`ibmcloud sl user permission-edit <user_id> --permission HOSTNAME_EDIT --enable true`
Add IP Addresses	Add IP addresses to public or private subnets that are used for cluster load balancing.	Classic infrastructure > Permissions > Network	`ibmcloud sl user permission-edit <user_id> --permission IP_ADD --enable true`
Manage Network Subnet Routes	Manage public and private VLANs and subnets that are used for cluster load balancing.	Classic infrastructure > Permissions > Network	`ibmcloud sl user permission-edit <user_id> --permission NETWORK_ROUTE_MANAGE --enable true`
Manage Port Control	Manage ports that are used for app load balancing.	Classic infrastructure > Permissions > Devices	`ibmcloud sl user permission-edit <user_id> --permission PORT_CONTROL --enable true`
Manage Certificates (SSL)	Set up certificates that are used for cluster load balancing.	Classic infrastructure > Permissions > Services	`ibmcloud sl user permission-edit <user_id> --permission SECURITY_CERTIFICATE_MANAGE --enable true`
View Certificates (SSL)	Set up certificates that are used for cluster load balancing.	Classic infrastructure > Permissions > Services	`ibmcloud sl user permission-edit <user_id> --permission SECURITY_CERTIFICATE_VIEW --enable true`
Add/Upgrade Storage (Storage Layer)	Create {{site.data.keyword.cloud_notm}} File or Block storage instances to attach as volumes to your apps for persistent storage of data.	Classic infrastructure > Permissions > Account	`ibmcloud sl user permission-edit <user_id> --permission ADD_SERVICE_STORAGE --enable true`
Storage Manage	Manage {{site.data.keyword.cloud_notm}} File or Block storage instances that are attached as volumes to your apps for persistent storage of data.	Classic infrastructure > Permissions > Services	`ibmcloud sl user permission-edit <user_id> --permission NAS_MANAGE --enable true`
{: class="simple-tab-table"}
{: caption="Suggested classic infrastructure permissions" caption-side="top"}
{: #classic-permissions-suggested}
{: tab-title="Other common use cases"}
{: tab-group="Classic infrastructure permissions"}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cs_access_reference.md

cs_access_reference.md

User access permissions

Permissions to create a cluster

{{site.data.keyword.cloud_notm}} IAM platform access roles

{{site.data.keyword.cloud_notm}} IAM service access roles

Kubernetes resource permissions per RBAC role

{{site.data.keyword.cloud_notm}} IAM issuer details for RBAC users

Cloud Foundry roles

Classic infrastructure roles

Kubernetes resource	`view`	`edit`	`admin` and `cluster-admin`
`bindings`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch` cluster-admin only: `create`, `delete`, `update`
`configmaps`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`cronjobs.batch`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`daemonsets.apps`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`daemonsets.extensions`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`deployments.apps`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`deployments.apps/rollback`	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`deployments.apps/scale`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`deployments.extensions`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`deployments.extensions/rollback`	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`deployments.extensions/scale`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`endpoints`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`events`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`horizontalpodautoscalers.autoscaling`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`ingresses.extensions`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`jobs.batch`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`limitranges`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`localsubjectaccessreviews`	-	-	`create`
`namespaces`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch` cluster-admin only: `create`, `delete`
`namespaces/status`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`networkpolicies`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`networkpolicies.extensions`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`node`	None	None	`admin` scoped to a namespace: None `cluster-admin` for all namespaces: All verbs
`persistentvolume`	None	None	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`persistentvolumeclaims`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`poddisruptionbudgets.policy`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`pods`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `top`, `patch`, `update`, `watch`
`pods/attach`	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`pods/exec`	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`pods/log`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`pods/portforward`	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`pods/proxy`	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`pods/status`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`replicasets.apps`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`replicasets.apps/scale`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`replicasets.extensions`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`replicasets.extensions/scale`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`replicationcontrollers`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`replicationcontrollers/scale`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`replicationcontrollers/status`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`replicationcontrollers.extensions/scale`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`resourcequotas`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`resourcequotas/status`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`rolebindings`	-	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`roles`	-	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`secrets`	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`serviceaccounts`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`, `impersonate`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`, `impersonate`
`services`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`services/proxy`	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`statefulsets.apps`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`statefulsets.apps/scale`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`

Files

cs_access_reference.md

Latest commit

History

cs_access_reference.md

File metadata and controls

User access permissions

Permissions to create a cluster

{{site.data.keyword.cloud_notm}} IAM platform access roles

{{site.data.keyword.cloud_notm}} IAM service access roles

Kubernetes resource permissions per RBAC role

{{site.data.keyword.cloud_notm}} IAM issuer details for RBAC users

Cloud Foundry roles

Classic infrastructure roles