This documentation is for the Latest version of Knative serving, which uses fleets and Anthos Service Mesh. Learn more.

The past version (Cloud Run for Anthos) has been archived but the documentation remains available for existing users.

Available versions

Latest
Archive

Knative serving component permissions

Use this page to understand the RBAC permissions that the components of Knative serving hold to maintain access to the cluster. These permissions are required and enabled by default in Knative serving; do not attempt to disable them.

Components	Namespace	Service Account
`activator`	knative-serving	controller
`autoscaler`	knative-serving	controller
`controller`	knative-serving	controller
`webhook`	knative-serving	controller
`storage-version-migration-serving`	knative-serving	controller
`webhook`	knative-serving	controller
`cloud-run-operator`	cloud-run-system	cloud-run-operator

Note that the cloud-run-operator service account has the same set of permissions as controller. The operator is what deploys all Knative serving components, including custom resource definitions and controllers.

RBAC for Knative serving service accounts

Use the following apiGroup definitions to understand which access control permissions each resource has in Knative serving for both the controller and cloud-run-operator service accounts.

- apiGroups:
  - ""
  resources:
  - pods
  - secrets
  verbs:
  - deletecollection
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  - secrets
  - configmaps
  - endpoints
  - services
  - events
  - serviceaccounts
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - ""
  resources:
  - endpoints/restricted
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - namespaces/finalizers
  verbs:
  - update
- apiGroups:
  - apps
  resources:
  - deployments
  - deployments/finalizers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  - customresourcedefinitions/status
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch

The following table lists how the RBAC permissions are used in Knative serving, where:

view includes the verbs: get, list, watch
modify includes the verbs: create, update, delete, patch

Permissions	Reasons
Can view all `secrets`	Webhook needs to read the secret from the `knative-serving` namespace. Domainmapping controller needs to read the certificate secret generated by the auto TLS feature and then copy them to the `gke-system` namespace.
Can modify `pods`	DomainMapping controller needs to create a Pod which is used to serve requests for the fulfilling HTTP01 challenge.
Can modify `secrets`	Domainmapping controller needs to create or update the certificate secret. Webhook needs to read the secret from `knative-serving` namespace.
Can modify `configmaps`	Used in the default URL feature. The controller needs to update the "config-domain" configmap within the "knative-serving" namespace to add the `nip.io` URL.
Can modify `endpoints`	Serverlessservice controller needs to create, update, or delete the endpoints. Route controller needs to create, update, or delete the endpoints.
Can modify `services`	Route controller needs to create, update, or delete a service. Serverless controller needs to create, update, or delete a service. Domainmapping controller needs to create a service for serving HTTP01 challenge requests.
Can modify `events`	Knative serving controller creates and emits events for the resources managed by Knative.
Can modify `serviceaccounts`	Knative serving needs to read a service account indirectly.
Can modify `endpoints/restricted`	Knative serving needs to create endpoints when RestrictedEndpointsAdmission is enabled.
Can modify `deployments`	Revision controller needs to create or update a deployment for the Knative service.
Can modify `mutatingwebhookconfiguration`	Knative webhook adds caBundle to the mutatingwebhookconfigurations owned by Knative.
Can modify `validatingwebhookconfiguration`	Knative webhook adds caBundle to the validatingwebhookconfigurations owned by Knative.
Can modify `customresourcedifinitions customresourcedefinitions/status`	Knative post-install job needs to upgrade Knative related CRDs to v1 version.
Can modify `horizontalpodautoscalers`	Knative supports autoscaling based on HPA.
Can modify `namespace/finalizer`	Knative serving needs to set ownerreference to Knative-serving namespace.