Contact Us 1-800-596-4880

RTFCTL Kubernetes Permissions

To successfully run rtfctl commands, you must understand and enable specific role permissions over Kubernetes resources.

The following table lists the permissions that you configure using Kubernetes (K8s) RBACs (role-based access control):

rtfctl Command Namespace API Groups Kubernetes Resources Verbs

apply

rtf

configmaps

create, get, patch, update

pods

deletecollection

<app-namespace>

secrets

get, list, watch

rtfctl-audit

secrets

create, get, patch, update

namespaces

create, get, list, watch

secrets

create, get, patch, update

update

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

wait

rtf

configmaps, secret

get

rtfctl-audit

secrets

create, get, patch, update

apps

daemonsets, deployments

get, list, watch

namespaces

create

install

rtf

configmaps, pods/log

get

pods

get, list, watch

secrets

create, get

serviceaccounts

create

batch

jobs

create, get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

rbac.authorization.k8s.io

clusterrolebindings, clusterroles

create

backup

rtfctl-audit

secrets

create, get, patch, update

namespaces

create, get, list, watch

configmaps, namespaces, secrets, serviceaccounts, services

get, list, watch

apiextensions.k8s.io

customresourcedefinitions

get

apps

daemonsets, deployments

get, list, watch

batch

cronjobs

get, list, watch

networking.k8s.io

ingresses

get, list, watch

rbac.authorization.k8s.io

clusterrolebindings, clusterroles, rolebindings, roles

get, list, watch

rtf.mulesoft.com

persistencegateways

get, list, watch

scheduling.k8s.io

priorityclasses

get

restore

rtf

apps

daemonsets

create, get, patch, update

batch

cronjobs

create, get, patch, update

rtf.mulesoft.com

persistencegateways

get, list, watch

rtfctl-audit

secrets

create, get, patch, update

configmaps, namespaces, secrets, serviceaccounts, services

create, get, patch, update

apiextensions.k8s.io

customresourcedefinitions

get, patch, update

apps

deployments

create, get, patch, update

networking.k8s.io

ingresses

create, get, patch, update

rbac.authorization.k8s.io

clusterrolebindings, clusterroles

create, get, patch, update

scheduling.k8s.io

priorityclasses

create, get, patch, update

validate

rtf

configmaps

get

pods

deletecollection

secrets

delete, get

batch

jobs

delete

rtf-validate

namespaces

delete, get

pods/log

get

secrets, serviceaccounts

create

batch

jobs

create, get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

nodes, pods

get, list, watch

authorization.k8s.io

selfsubjectaccessreviews

create

rbac.authorization.k8s.io

clusterrolebindings, clusterroles

create, delete

version

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

delete

<app-namespace>

pods

get, list, watch

secrets

get, list, patch, update, watch

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

describe

<app-namespace>

pods

get, list, watch

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

apps

deployments

get, list, watch

disk

<app-namespace>

pods

get, list, watch

pods/exec

create

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

memory

<app-namespace>

pods

get, list, watch

pods/exec

create

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

package

<app-namespace>

pods

get, list, watch

pods/exec

create

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

restart

<app-namespace>

pods

delete, get, list, watch

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

heapdump

<app-namespace>

pods

get, list, watch

pods/exec

create

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

threaddump

<app-namespace>

secrets

get, list, watch

pods/exec

create

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

get

<app-namespace>

secrets

get, list, watch

rtf

configmaps, secrets

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

apps

deployments

get, list, watch

report

rtf

configmaps, limitranges, resourcequotas, secrets, serviceaccounts, services

get, list, watch

endpoints, pods/log

get

apps

daemonsets, deployments, replicasets

get, list, watch

batch

cronjobs

get, list, watch

batch

jobs

create, delete, get, list, watch

networking.k8s.io

ingresses

get, list, watch

rbac.authorization.k8s.io

rolebindings, roles

get, list, watch

rtf.mulesoft.com

persistencegateways, kubernetestemplates

get, list, watch

kube-node-lease

coordination.k8s.io

leases

get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create, get, list, watch

events, nodes, pods

get, list, watch

status

rtf

configmaps, pods/log, secrets

get

pods

create, delete, get, list, watch

batch

jobs

create, delete, get

rtfctl-audit

secrets

create, get, patch, update

namespaces

create

test

rtf

configmaps, pods/log, secrets

get

pods

create, delete, get, list, watch

batch

jobs

create, delete, get

rtfctl-audit

secrets

create, get, patch, update

nodes

get, list, watch

namespaces

create

  • Namespace

    Permissions can be role-based or cluster role-based:

  • Role-based: the namespace can be rtf, <app-namespace>, rtf-validate, or kube-node-lease.

  • Cluster role-based: because it applies to the entire cluster, the namespace field doesn’t exist and is blank in the table.

  • apiGroups

    The API group for the K8s resources. When you create a role, each K8s resource declares its API group or uses the core API group if not specified. Refer to API groups for details.

  • Kubernetes Resource

    Type of Kubernetes resources, for example, pods, services, or secrets to which the permissions apply.

  • Verbs

    Actions that are allowed on the specified Kubernetes resources.