Kubernetes service accounts and permissions

This document describes the service accounts used in Mission Control and their associated permissions. Each service account is granted the minimum permissions required to perform its specific tasks.

Service accounts

The following sections describe the service accounts used in Mission Control and their associated permissions.

Agent

Name: mission-control-agent

Namespace: mission-control

Purpose: Collects host-level metrics and logs

Cluster Roles: mission-control-agent

Aggregator

Name: mission-control-aggregator

Namespace: mission-control

Purpose: Aggregates metrics and logs from all deployed and managed resources

Cass operator

Name: mission-control-cass-operator

Namespace: mission-control

Purpose: Handles the lifecycle of all Apache Cassandra®, DataStax Enterprise (DSE), and Hyper-Converged Database (HCD) logical datacenters

Cluster Roles: mission-control-cass-operator

Roles: mission-control-cass-operator-leader

CRD upgrader

Name: mission-control-crd-upgrader

Namespace: mission-control

Purpose: Handles the upgrade of Mission Control Custom Resource Definitions (CRDs)

Cluster Roles: mission-control-crd-upgrader

Dex

Name: mission-control-dex

Namespace: mission-control

Purpose: Handles the routing of authentication requests to the appropriate identity provider

Cluster Roles: mission-control-dex

Roles: mission-control-dex

K8ssandra operator

Name: mission-control-k8ssandra-operator

Namespace: mission-control

Purpose: Handles the lifecycle of all K8ssandra resources including cluster definitions, Reaper, and Medusa components

Cluster Roles: mission-control-k8ssandra-operator

Roles: mission-control-k8ssandra-operator-leader-election-role

Kube state metrics

Name: mission-control-kube-state-metrics

Namespace: mission-control

Purpose: Collects metrics from the Kubernetes API server and Kubelet

Cluster Roles: mission-control-kube-state-metrics

Loki

Name: loki

Namespace: mission-control

Purpose: Stores and indexes log data

Cluster Roles: mission-control-loki-clusterrole

Mimir

Name: mission-control-mimir

Namespace: mission-control

Purpose: Stores and indexes metrics data

Minio sa

Name: minio-sa

Namespace: mission-control

Purpose: Object storage provider

Mission Control

Name: mission-control

Namespace: mission-control

Purpose: Core platform management and orchestration of all Mission Control components

Cluster Roles: mission-control-manager-role

Roles: mission-control-leader-election-role

Replicated

Name: replicated

Namespace: mission-control

Purpose: Installation management and reporting

Roles: replicated-role

Cluster roles

The following sections describe the permissions associated with each cluster role.

Agent cluster role

The agent cluster role has the following permissions:

Agent cluster role permissions
API groups	Resources	Verbs
core	`namespaces`, `nodes`, `pods`	`list`, `watch`

Cass operator cluster role

The Cass operator cluster role has the following permissions:

Cass operator cluster role permissions
API groups	Resources	Verbs
core	`configmaps`, `endpoints`, `events`, `persistentvolumeclaims`, `pods`, `secrets`, `services`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
core	`namespaces`	`get`
core	`persistentvolumes`	`get`, `list`, `watch`
storage.k8s.io	`storageclasses`	`get`, `list`, `watch`
apps	`daemonsets`, `deployments`, `replicasets`, `statefulsets`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
apps	`deployments/finalizers`	`update`
`cassandra.datastax.com`	`cassandradatacenters`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`cassandra.datastax.com`	`cassandradatacenters/finalizers`	`delete`, `update`
`cassandra.datastax.com`	`cassandradatacenters/status`	`get`, `patch`, `update`
`control.k8ssandra.io`	`cassandratasks`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`control.k8ssandra.io`	`cassandratasks/finalizers`	`update`
`control.k8ssandra.io`	`cassandratasks/status`	`get`, `patch`, `update`
policy	`poddisruptionbudgets`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`

CRD upgrader cluster role

The CRD upgrader cluster role has the following permissions:

CRD upgrader cluster role permissions
API groups	Resources	Verbs
`apiextensions.k8s.io`	`customresourcedefinitions`	`create`, `get`, `watch`, `list`, `update`, `patch`

Dex cluster role

The Dex cluster role has the following permissions:

Dex cluster role permissions
API groups	Resources	Verbs
`apiextensions.k8s.io`	`customresourcedefinitions`	`list`, `create`

K8ssandra operator cluster role

The K8ssandra operator cluster role has the following permissions:

K8ssandra operator cluster role permissions
API groups	Resources	Verbs
`core`	`configmaps`, `endpoints`, `events`, `namespaces`, `nodes`, `pods`, `secrets`, `secrets/finalizer`, `services`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`apps`	`deployments`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`batch`	`cronjobs`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`networking.k8s.io`	`networkpolicies`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`storage.k8s.io`	`storageclasses`	`get`, `list`
`cassandra.datastax.com`	`cassandradatacenters`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`cert-manager.io`	`certificates`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`cert-manager.io`	`issuers`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`config.k8ssandra.io`	`clientconfigs`	`get`, `list`, `patch`, `update`, `watch`
`control.k8ssandra.io`	`cassandratasks`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`control.k8ssandra.io`	`k8ssandratasks`	`create`, `list`
`k8ssandra.io`	`k8ssandraclusters`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`k8ssandra.io`	`k8ssandraclusters/finalizers`	`update`
`k8ssandra.io`	`k8ssandraclusters/status`	`get`, `patch`, `update`
`medusa.k8ssandra.io`	`medusabackupjobs`	`create`, `get`, `list`
`medusa.k8ssandra.io`	`medusabackups`	`get`, `list`
`medusa.k8ssandra.io`	`medusabackupschedules`	`create`, `delete`, `get`, `list`, `patch`
`medusa.k8ssandra.io`	`medusaconfigurations`	`create`, `delete`, `get`, `list`, `patch`
`medusa.k8ssandra.io`	`medusarestorejobs`	`create`, `delete`, `get`, `list`, `patch`
`medusa.k8ssandra.io`	`medusatasks`	`create`, `delete`, `get`, `list`, `patch`
`missioncontrol.datastax.com`	`missioncontrolclusters`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`missioncontrol.datastax.com`	`missioncontrolclusters/finalizers`	`update`
`missioncontrol.datastax.com`	`missioncontrolclusters/status`	`get`, `patch`, `update`
`monitoring.coreos.com`	`servicemonitors`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`reaper.k8ssandra.io`	`reapers`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`replication.k8ssandra.io`	`replicatedsecrets`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`security.openshift.io`	`securitycontextconstraints`	`use`
`stargate.k8ssandra.io`	`stargates`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`

Kube state metrics cluster role

The Kube state metrics cluster role has the following permissions:

Kube state metrics cluster role permissions
API groups	Resources	Verbs
`core`	`configmaps`, `endpoints`, `limitranges`, `namespaces`, `nodes`, `persistentvolumeclaims`, `persistentvolumes`, `pods`, `replicationcontrollers`, `resourcequotas`, `secrets`, `services`	`list`, `watch`
`admissionregistration.k8s.io`	`mutatingwebhookconfigurations`, `validatingwebhookconfigurations`	`list`, `watch`
`autoscaling`	`horizontalpodautoscalers`	`list`, `watch`
`batch`	`cronjobs`, `jobs`	`list`, `watch`
`certificates.k8s.io`	`certificatesigningrequests`	`list`, `watch`
`coordination.k8s.io`	`leases`	`list`, `watch`
`extensions`, `apps`	`daemonsets`, `deployments`, `replicasets`	`list`, `watch`
`extensions`, `networking.k8s.io`	`ingresses`	`list`, `watch`
`networking.k8s.io`	`networkpolicies`	`list`, `watch`
`policy`	`poddisruptionbudgets`	`list`, `watch`
`apps`	`statefulsets`	`list`, `watch`
`storage.k8s.io`	`storageclasses`, `volumeattachments`	`list`, `watch`

Loki cluster role

The Loki cluster role has the following permissions:

Loki cluster role permissions
API groups	Resources	Verbs
`core`	`configmaps`, `secrets`	`get`, `watch`, `list`

Manager cluster role

The mission-control-manager-role is used by the mission-control service account to manage the core platform functionality. This cluster role has the following permissions:

Manager cluster role permissions
API groups	Resources	Verbs
`core`	`configmaps`, `endpoints`, `events`, `namespaces`, `pods`, `secrets`, `secrets/finalizer`, `services`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`apps`	`deployments`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`batch`	`cronjobs`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`networking.k8s.io`	`networkpolicies`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`storage.k8s.io`	`storageclasses`	`get`, `list`
`cassandra.datastax.com`	`cassandradatacenters`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`cert-manager.io`	`certificates`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`cert-manager.io`	`issuers`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`config.k8ssandra.io`	`clientconfigs`	`get`, `list`, `patch`, `update`, `watch`
`control.k8ssandra.io`	`cassandratasks`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`control.k8ssandra.io`	`k8ssandratasks`	`create`, `list`
`k8ssandra.io`	`k8ssandraclusters`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`k8ssandra.io`	`k8ssandraclusters/finalizers`	`update`
`k8ssandra.io`	`k8ssandraclusters/status`	`get`, `patch`, `update`
`medusa.k8ssandra.io`	`medusabackupjobs`	`create`, `get`, `list`
`medusa.k8ssandra.io`	`medusabackups`	`get`, `list`
`medusa.k8ssandra.io`	`medusabackupschedules`	`create`, `delete`, `get`, `list`, `patch`
`medusa.k8ssandra.io`	`medusaconfigurations`	`create`, `delete`, `get`, `list`, `patch`
`medusa.k8ssandra.io`	`medusarestorejobs`	`create`, `delete`, `get`, `list`, `patch`
`medusa.k8ssandra.io`	`medusatasks`	`create`, `delete`, `get`, `list`, `patch`
`missioncontrol.datastax.com`	`missioncontrolclusters`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`missioncontrol.datastax.com`	`missioncontrolclusters/finalizers`	`update`
`missioncontrol.datastax.com`	`missioncontrolclusters/status`	`get`, `patch`, `update`
`monitoring.coreos.com`	`servicemonitors`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`reaper.k8ssandra.io`	`reapers`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`replication.k8ssandra.io`	`replicatedsecrets`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`
`security.openshift.io`	`securitycontextconstraints`	`use`
`stargate.k8ssandra.io`	`stargates`	`create`, `delete`, `get`, `list`, `patch`, `update`, `watch`

Was this helpful?