
Gloo component permissions


Review the default Kubernetes role-based access control (RBAC) permissions of Gloo and Gloo-deployed components.

When you install a Solo product, you deploy several core and addon components, such as the management server, agent, and external auth service. For more information about the components, see Platform architecture.

These components might come with a default set of permissions granted by Kubernetes RBAC cluster roles and roles. Some components that do not need Kubernetes permissions, such as the Redis or Clickhouse databases, do not have Kubernetes RBAC resources. Other components, such as the management server, agent, and UI, might have several cluster roles and roles. In those cases, permissions on sensitive resources such as secrets are granted by namespaced roles and role bindings rather than by the cluster role, so that they apply only in specific namespaces.

Check the RBAC setup

In Kubernetes RBAC, roles and cluster roles configure a set of permissions, such as to view or modify Kubernetes objects. Role bindings and cluster role bindings bind these permissions to a subject in Kubernetes, such as a service account. A cluster role binding applies a cluster role across all namespaces, while a role binding applies a role, or a cluster role, only within the role binding's own namespace. For more information, see the Kubernetes docs. Most Gloo components have their own Kubernetes service accounts, roles or cluster roles, and role bindings or cluster role bindings.

To check the RBAC setup for each component, you can run the following commands. Alternatively, you can check the permissions tables for each component in Review Gloo permissions.

  1. Get the Kubernetes RBAC resources for the Gloo component that you want to check.

    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=gloo-mesh-mgmt-server
    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=gloo-mesh-agent
    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=gloo-mesh-ui
    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=prometheus
    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=ext-auth-service
    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=rate-limiter
    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=gloo-mesh-portal-server

    For optional components that are installed by Gloo via Helm, such as the OpenTelemetry (OTel) gateways and collectors.

    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app.kubernetes.io/name=telemetryCollector

    For the Istio operator used by Gloo’s Istio Lifecycle Manager.

    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l gloo.solo.io/parent_name=gloo-platform

    For instances installed by Gloo’s Istio Lifecycle Manager, such as istiod and the Istio gateway controller.

    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l install.operator.istio.io/owning-resource=gloo-platform

    For the Istio ingress gateway.

    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l install.operator.istio.io/owning-resource=istio-ingressgateway-1-18-2
  2. Check the role binding or cluster role binding for the component. Make sure that the role or cluster role in the Role section and the service account in the Subjects section match the names for the Gloo component in the output from the previous step.

    kubectl describe clusterrolebinding gloo-mesh-mgmt-server-gloo-platform

    Example output: The cluster role binding grants the gloo-mesh-mgmt-server service account in the gloo-mesh namespace the permissions of the gloo-mesh-mgmt-server-gloo-platform cluster role. Because the binding is a cluster role binding, those permissions apply across all namespaces.

    Role:
        Kind:  ClusterRole
        Name:  gloo-mesh-mgmt-server-gloo-platform
    Subjects:
        Kind            Name                   Namespace
        ----            ----                   ---------
        ServiceAccount  gloo-mesh-mgmt-server  gloo-mesh
  3. Get the details of a role or cluster role. Check the PolicyRule section of each role or cluster role to review the specific permissions that it grants.

    kubectl describe role -n gloo-mesh gloo-mesh-mgmt-server-gloo-mesh-gloo-mesh-namespaced

    Example output: The role grants the Gloo management server access to Kubernetes secrets. Because the role that you described is namespaced to gloo-mesh and is bound by a role binding in that namespace, the management server can access secrets in the gloo-mesh namespace only.

    PolicyRule:
      Resources       Non-Resource URLs  Resource Names  Verbs
      ---------       -----------------  --------------  -----
      secrets         []                 []              [*]
      secrets/status  []                 []              [get, update]
    kubectl describe clusterrole gloo-mesh-mgmt-server-gloo-mesh

    Example output: The default Kubernetes RBAC for the management server normally includes access to secrets. However, in this example, secrets access is restricted to the gloo-mesh namespace through the namespaced role and role binding from the previous command. Therefore, the cluster role itself contains no rule for secrets, and the management server has no cluster-wide access to secrets.

    PolicyRule:
      Resources                                                                 Non-Resource URLs  Resource Names  Verbs
      ---------                                                                 -----------------  --------------  -----
      configmaps                                                                []                 []              [*]
      namespaces                                                                []                 []              [*]
      pods                                                                      []                 []              [*]
      serviceaccounts                                                           []                 []              [*]
      services                                                                  []                 []              [*]
      mutatingwebhookconfigurations.admissionregistration.k8s.io                []                 []              [*]
      validatingwebhookconfigurations.admissionregistration.k8s.io              []                 []              [*]
      apidocs.apimanagement.gloo.solo.io                                        []                 []              [*]
      deployments.apps                                                          []                 []              [*]
      ciliumnetworkpolicies.cilium.io                                           []                 []              [*]
      leases.coordination.k8s.io                                                []                 []              [*]
      authconfigs.extauth.solo.io                                               []                 []              [*]
      gateways.gateway.networking.k8s.io                                        []                 []              [*]
      cloudresources.infrastructure.gloo.solo.io                                []                 []              [*]
      istiooperators.install.istio.io                                           []                 []              [*]
      issuedcertificates.internal.gloo.solo.io                                  []                 []              [*]
      portalconfigs.internal.gloo.solo.io                                       []                 []              [*]
      spireregistrationentries.internal.gloo.solo.io                            []                 []              [*]
      xdsconfigs.internal.gloo.solo.io                                          []                 []              [*]
      destinationrules.networking.istio.io                                      []                 []              [*]
      envoyfilters.networking.istio.io                                          []                 []              [*]
      gateways.networking.istio.io                                              []                 []              [*]
      serviceentries.networking.istio.io                                        []                 []              [*]
      sidecars.networking.istio.io                                              []                 []              [*]
      virtualservices.networking.istio.io                                       []                 []              [*]
      workloadentries.networking.istio.io                                       []                 []              [*]
      workloadgroups.networking.istio.io                                        []                 []              [*]
      networkpolicies.networking.k8s.io                                         []                 []              [*]
      ratelimitconfigs.ratelimit.solo.io                                        []                 []              [*]
      clusterrolebindings.rbac.authorization.k8s.io                             []                 []              [*]
      clusterroles.rbac.authorization.k8s.io                                    []                 []              [*]
      authorizationpolicies.security.istio.io                                   []                 []              [*]
      peerauthentications.security.istio.io                                     []                 []              [*]
      nodes                                                                     []                 []              [get list watch]
      dashboards.admin.gloo.solo.io                                             []                 []              [get list watch]
      extauthservers.admin.gloo.solo.io                                         []                 []              [get list watch]
      gatewaylifecyclemanagers.admin.gloo.solo.io                               []                 []              [get list watch]
      istiolifecyclemanagers.admin.gloo.solo.io                                 []                 []              [get list watch]
      kubernetesclusters.admin.gloo.solo.io                                     []                 []              [get list watch]
      ratelimitserverconfigs.admin.gloo.solo.io                                 []                 []              [get list watch]
      ratelimitserversettings.admin.gloo.solo.io                                []                 []              [get list watch]
      roottrustpolicies.admin.gloo.solo.io                                      []                 []              [get list watch]
      waypointlifecyclemanagers.admin.gloo.solo.io                              []                 []              [get list watch]
      workspaces.admin.gloo.solo.io                                             []                 []              [get list watch]
      workspacesettings.admin.gloo.solo.io                                      []                 []              [get list watch]
      customresourcedefinitions.apiextensions.k8s.io                            []                 []              [get list watch]
      apischemadiscoveries.apimanagement.gloo.solo.io                           []                 []              [get list watch]
      graphqlresolvermaps.apimanagement.gloo.solo.io                            []                 []              [get list watch]
      graphqlschemas.apimanagement.gloo.solo.io                                 []                 []              [get list watch]
      graphqlstitchedschemas.apimanagement.gloo.solo.io                         []                 []              [get list watch]
      portalgroups.apimanagement.gloo.solo.io                                   []                 []              [get list watch]
      portals.apimanagement.gloo.solo.io                                        []                 []              [get list watch]
      daemonsets.apps                                                           []                 []              [get list watch]
      statefulsets.apps                                                         []                 []              [get list watch]
      wasmdeploymentpolicies.extensions.policy.gloo.solo.io                     []                 []              [get list watch]
      gatewayclasses.gateway.networking.k8s.io                                  []                 []              [get list watch]
      grpcroutes.gateway.networking.k8s.io                                      []                 []              [get list watch]
      httproutes.gateway.networking.k8s.io                                      []                 []              [get list watch]
      referencegrants.gateway.networking.k8s.io                                 []                 []              [get list watch]
      tcproutes.gateway.networking.k8s.io                                       []                 []              [get list watch]
      tlsroutes.gateway.networking.k8s.io                                       []                 []              [get list watch]
      udproutes.gateway.networking.k8s.io                                       []                 []              [get list watch]
      cloudproviders.infrastructure.gloo.solo.io                                []                 []              [get list watch]
      certificaterequests.internal.gloo.solo.io                                 []                 []              [get list watch]
      discoveredcnis.internal.gloo.solo.io                                      []                 []              [get list watch]
      discoveredgateways.internal.gloo.solo.io                                  []                 []              [get list watch]
      meshes.internal.gloo.solo.io                                              []                 []              [get list watch]
      externalendpoints.networking.gloo.solo.io                                 []                 []              [get list watch]
      externalservices.networking.gloo.solo.io                                  []                 []              [get list watch]
      externalworkloads.networking.gloo.solo.io                                 []                 []              [get list watch]
      routetables.networking.gloo.solo.io                                       []                 []              [get list watch]
      virtualdestinations.networking.gloo.solo.io                               []                 []              [get list watch]
      virtualgateways.networking.gloo.solo.io                                   []                 []              [get list watch]
      accesslogpolicies.observability.policy.gloo.solo.io                       []                 []              [get list watch]
      rolebindings.rbac.authorization.k8s.io                                    []                 []              [get list watch]
      roles.rbac.authorization.k8s.io                                           []                 []              [get list watch]
      activehealthcheckpolicies.resilience.policy.gloo.solo.io                  []                 []              [get list watch]
      connectionpolicies.resilience.policy.gloo.solo.io                         []                 []              [get list watch]
      failoverpolicies.resilience.policy.gloo.solo.io                           []                 []              [get list watch]
      faultinjectionpolicies.resilience.policy.gloo.solo.io                     []                 []              [get list watch]
      graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io         []                 []              [get list watch]
      listenerconnectionpolicies.resilience.policy.gloo.solo.io                 []                 []              [get list watch]
      outlierdetectionpolicies.resilience.policy.gloo.solo.io                   []                 []              [get list watch]
      retrytimeoutpolicies.resilience.policy.gloo.solo.io                       []                 []              [get list watch]
      trimproxyconfigpolicies.resilience.policy.gloo.solo.io                    []                 []              [get list watch]
      accesspolicies.security.policy.gloo.solo.io                               []                 []              [get list watch]
      clienttlspolicies.security.policy.gloo.solo.io                            []                 []              [get list watch]
      corspolicies.security.policy.gloo.solo.io                                 []                 []              [get list watch]
      csrfpolicies.security.policy.gloo.solo.io                                 []                 []              [get list watch]
      dlppolicies.security.policy.gloo.solo.io                                  []                 []              [get list watch]
      extauthpolicies.security.policy.gloo.solo.io                              []                 []              [get list watch]
      graphqlallowedquerypolicies.security.policy.gloo.solo.io                  []                 []              [get list watch]
      jwtpolicies.security.policy.gloo.solo.io                                  []                 []              [get list watch]
      wafpolicies.security.policy.gloo.solo.io                                  []                 []              [get list watch]
      headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io             []                 []              [get list watch]
      httpbufferpolicies.trafficcontrol.policy.gloo.solo.io                     []                 []              [get list watch]
      loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io                   []                 []              [get list watch]
      mirrorpolicies.trafficcontrol.policy.gloo.solo.io                         []                 []              [get list watch]
      proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io                  []                 []              [get list watch]
      ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io                 []                 []              [get list watch]
      ratelimitpolicies.trafficcontrol.policy.gloo.solo.io                      []                 []              [get list watch]
      transformationpolicies.trafficcontrol.policy.gloo.solo.io                 []                 []              [get list watch]
      namespaces/status                                                         []                 []              [get update]
      nodes/status                                                              []                 []              [get update]
      serviceaccounts/status                                                    []                 []              [get update]
      services/status                                                           []                 []              [get update]
      dashboards.admin.gloo.solo.io/status                                      []                 []              [get update]
      extauthservers.admin.gloo.solo.io/status                                  []                 []              [get update]
      gatewaylifecyclemanagers.admin.gloo.solo.io/status                        []                 []              [get update]
      istiolifecyclemanagers.admin.gloo.solo.io/status                          []                 []              [get update]
      kubernetesclusters.admin.gloo.solo.io/status                              []                 []              [get update]
      ratelimitserverconfigs.admin.gloo.solo.io/status                          []                 []              [get update]
      ratelimitserversettings.admin.gloo.solo.io/status                         []                 []              [get update]
      roottrustpolicies.admin.gloo.solo.io/status                               []                 []              [get update]
      waypointlifecyclemanagers.admin.gloo.solo.io/status                       []                 []              [get update]
      workspaces.admin.gloo.solo.io/status                                      []                 []              [get update]
      workspacesettings.admin.gloo.solo.io/status                               []                 []              [get update]
      apidocs.apimanagement.gloo.solo.io/status                                 []                 []              [get update]
      apischemadiscoveries.apimanagement.gloo.solo.io/status                    []                 []              [get update]
      graphqlresolvermaps.apimanagement.gloo.solo.io/status                     []                 []              [get update]
      graphqlschemas.apimanagement.gloo.solo.io/status                          []                 []              [get update]
      graphqlstitchedschemas.apimanagement.gloo.solo.io/status                  []                 []              [get update]
      portalgroups.apimanagement.gloo.solo.io/status                            []                 []              [get update]
      portals.apimanagement.gloo.solo.io/status                                 []                 []              [get update]
      daemonsets.apps/status                                                    []                 []              [get update]
      deployments.apps/status                                                   []                 []              [get update]
      statefulsets.apps/status                                                  []                 []              [get update]
      ciliumnetworkpolicies.cilium.io/status                                    []                 []              [get update]
      authconfigs.extauth.solo.io/status                                        []                 []              [get update]
      wasmdeploymentpolicies.extensions.policy.gloo.solo.io/status              []                 []              [get update]
      gatewayclasses.gateway.networking.k8s.io/status                           []                 []              [get update]
      gateways.gateway.networking.k8s.io/status                                 []                 []              [get update]
      grpcroutes.gateway.networking.k8s.io/status                               []                 []              [get update]
      httproutes.gateway.networking.k8s.io/status                               []                 []              [get update]
      referencegrants.gateway.networking.k8s.io/status                          []                 []              [get update]
      tcproutes.gateway.networking.k8s.io/status                                []                 []              [get update]
      tlsroutes.gateway.networking.k8s.io/status                                []                 []              [get update]
      udproutes.gateway.networking.k8s.io/status                                []                 []              [get update]
      cloudproviders.infrastructure.gloo.solo.io/status                         []                 []              [get update]
      cloudresources.infrastructure.gloo.solo.io/status                         []                 []              [get update]
      istiooperators.install.istio.io/status                                    []                 []              [get update]
      certificaterequests.internal.gloo.solo.io/status                          []                 []              [get update]
      discoveredcnis.internal.gloo.solo.io/status                               []                 []              [get update]
      discoveredgateways.internal.gloo.solo.io/status                           []                 []              [get update]
      issuedcertificates.internal.gloo.solo.io/status                           []                 []              [get update]
      meshes.internal.gloo.solo.io/status                                       []                 []              [get update]
      portalconfigs.internal.gloo.solo.io/status                                []                 []              [get update]
      spireregistrationentries.internal.gloo.solo.io/status                     []                 []              [get update]
      externalendpoints.networking.gloo.solo.io/status                          []                 []              [get update]
      externalservices.networking.gloo.solo.io/status                           []                 []              [get update]
      externalworkloads.networking.gloo.solo.io/status                          []                 []              [get update]
      routetables.networking.gloo.solo.io/status                                []                 []              [get update]
      virtualdestinations.networking.gloo.solo.io/status                        []                 []              [get update]
      virtualgateways.networking.gloo.solo.io/status                            []                 []              [get update]
      destinationrules.networking.istio.io/status                               []                 []              [get update]
      envoyfilters.networking.istio.io/status                                   []                 []              [get update]
      gateways.networking.istio.io/status                                       []                 []              [get update]
      serviceentries.networking.istio.io/status                                 []                 []              [get update]
      sidecars.networking.istio.io/status                                       []                 []              [get update]
      virtualservices.networking.istio.io/status                                []                 []              [get update]
      workloadentries.networking.istio.io/status                                []                 []              [get update]
      accesslogpolicies.observability.policy.gloo.solo.io/status                []                 []              [get update]
      ratelimitconfigs.ratelimit.solo.io/status                                 []                 []              [get update]
      clusterrolebindings.rbac.authorization.k8s.io/status                      []                 []              [get update]
      clusterroles.rbac.authorization.k8s.io/status                             []                 []              [get update]
      rolebindings.rbac.authorization.k8s.io/status                             []                 []              [get update]
      roles.rbac.authorization.k8s.io/status                                    []                 []              [get update]
      activehealthcheckpolicies.resilience.policy.gloo.solo.io/status           []                 []              [get update]
      connectionpolicies.resilience.policy.gloo.solo.io/status                  []                 []              [get update]
      failoverpolicies.resilience.policy.gloo.solo.io/status                    []                 []              [get update]
      faultinjectionpolicies.resilience.policy.gloo.solo.io/status              []                 []              [get update]
      graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io/status  []                 []              [get update]
      listenerconnectionpolicies.resilience.policy.gloo.solo.io/status          []                 []              [get update]
      outlierdetectionpolicies.resilience.policy.gloo.solo.io/status            []                 []              [get update]
      retrytimeoutpolicies.resilience.policy.gloo.solo.io/status                []                 []              [get update]
      trimproxyconfigpolicies.resilience.policy.gloo.solo.io/status             []                 []              [get update]
      authorizationpolicies.security.istio.io/status                            []                 []              [get update]
      peerauthentications.security.istio.io/status                              []                 []              [get update]
      accesspolicies.security.policy.gloo.solo.io/status                        []                 []              [get update]
      clienttlspolicies.security.policy.gloo.solo.io/status                     []                 []              [get update]
      corspolicies.security.policy.gloo.solo.io/status                          []                 []              [get update]
      csrfpolicies.security.policy.gloo.solo.io/status                          []                 []              [get update]
      dlppolicies.security.policy.gloo.solo.io/status                           []                 []              [get update]
      extauthpolicies.security.policy.gloo.solo.io/status                       []                 []              [get update]
      graphqlallowedquerypolicies.security.policy.gloo.solo.io/status           []                 []              [get update]
      jwtpolicies.security.policy.gloo.solo.io/status                           []                 []              [get update]
      wafpolicies.security.policy.gloo.solo.io/status                           []                 []              [get update]
      headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io/status      []                 []              [get update]
      httpbufferpolicies.trafficcontrol.policy.gloo.solo.io/status              []                 []              [get update]
      loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io/status            []                 []              [get update]
      mirrorpolicies.trafficcontrol.policy.gloo.solo.io/status                  []                 []              [get update]
      proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io/status           []                 []              [get update]
      ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io/status          []                 []              [get update]
      ratelimitpolicies.trafficcontrol.policy.gloo.solo.io/status               []                 []              [get update]
      transformationpolicies.trafficcontrol.policy.gloo.solo.io/status          []                 []              [get update]

  4. Repeat the previous step for each component that you want to check. The following commands check all roles and cluster roles per component and pipe the output to jq to get only the PolicyRules. Alternatively, you can check the permissions tables for each component in Review Gloo permissions.

    kubectl get clusterrole,role -l app=gloo-mesh-mgmt-server -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    kubectl get clusterrole,role -l app=gloo-mesh-agent -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    kubectl get clusterrole,role -l app=gloo-mesh-ui -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    kubectl get clusterrole,role -l app=prometheus -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    kubectl get clusterrole,role -l app=ext-auth-service -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    kubectl get clusterrole,role -l app=rate-limiter -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    kubectl get clusterrole,role -l app=gloo-mesh-portal-server -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    kubectl get clusterrole,role -l app.kubernetes.io/instance=gloo-platform -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'

    For the Istio operator used by Gloo’s Istio Lifecycle Manager.

    kubectl get clusterrole,role -l gloo.solo.io/parent_name=gloo-platform -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'

    For components that are installed by the Gloo Istio Lifecycle Manager, such as istiod and the Istio gateway controller.

    kubectl get clusterrole,role -l install.operator.istio.io/owning-resource=gloo-platform -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    kubectl get clusterrole,role -l operator.istio.io/component=IngressGateways -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'

    Example output:

    {
      "Name": "istio-ingressgateway-1-18-2-sds",
      "PolicyRules": [
        {
          "apiGroups": [
            ""
          ],
          "resources": [
            "secrets"
          ],
          "verbs": [
            "get",
            "watch",
            "list"
          ]
        }
      ]
    }
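
As an added example that is not part of the Gloo docs, the following Python script audits the JSON that the `kubectl get clusterrole,role ... -o json` commands in step 4 produce, instead of only listing the PolicyRules: it flags rules that grant the wildcard verb, write verbs on sensitive resources, and cluster-wide grants on sensitive resources such as secrets, and it reports whether each grant comes from a ClusterRole or a namespaced Role. The role names and rules in the embedded sample are constructed to mirror the shape of that output, not copied from a real installation.

```python
"""Audit Kubernetes RBAC rules from `kubectl get clusterrole,role -o json` output.

Added example, not part of the Gloo docs. Run as-is to audit the constructed
sample below, or pass `-` to read kubectl's JSON from standard input.
"""
import json
import sys

# Constructed sample (not from a real cluster) in the shape that
# `kubectl get clusterrole,role -A -o json` returns: a List of ClusterRole
# and Role items, each with metadata and an optional list of rules.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {
            "kind": "ClusterRole",
            "metadata": {"name": "example-mgmt-server-gloo-mesh"},
            "rules": [
                {"apiGroups": [""], "resources": ["configmaps", "pods"], "verbs": ["*"]},
                {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
                {"apiGroups": ["rbac.authorization.k8s.io"],
                 "resources": ["clusterroles", "clusterrolebindings"], "verbs": ["*"]},
            ],
        },
        {
            # Secrets access scoped to one namespace via a Role, the pattern the
            # page describes for sensitive resources.
            "kind": "Role",
            "metadata": {"name": "example-mgmt-server-namespaced", "namespace": "gloo-mesh"},
            "rules": [
                {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]},
            ],
        },
        {
            # A Role without rules; the page's jq filter drops these with
            # select(.PolicyRules != null), and this script skips them too.
            "kind": "Role",
            "metadata": {"name": "example-empty", "namespace": "gloo-mesh"},
        },
    ],
})

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
# Resources where even read access hands out credentials or cluster control.
SENSITIVE = {"secrets", "clusterroles", "clusterrolebindings", "roles", "rolebindings", "*"}


def flatten_rules(doc):
    """Yield one record per (role, apiGroup, resource) with its verbs and scope."""
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        scope = "cluster" if item.get("kind") == "ClusterRole" else meta.get("namespace", "?")
        for rule in item.get("rules") or []:  # "rules" may be null, as in the page's jq check
            verbs = set(rule.get("verbs", []))
            for group in rule.get("apiGroups", [""]):
                for resource in rule.get("resources", []):
                    yield {"role": meta.get("name"), "scope": scope,
                           "apiGroup": group, "resource": resource, "verbs": verbs}


def qualified(rec):
    """Resource name in kubectl's resource.group form, e.g. roles.rbac.authorization.k8s.io."""
    return rec["resource"] if rec["apiGroup"] == "" else f"{rec['resource']}.{rec['apiGroup']}"


def classify(rec):
    """Return the reason a record deserves review, or None if it looks routine."""
    base = rec["resource"].split("/")[0]  # treat secrets/status like secrets
    sensitive = base in SENSITIVE
    if "*" in rec["verbs"]:
        return "wildcard-verbs"
    if sensitive and rec["verbs"] & WRITE_VERBS:
        return "write-on-sensitive"
    if sensitive and rec["scope"] == "cluster":
        return "cluster-wide-sensitive-read"
    return None


def audit_json(text):
    """Parse kubectl's JSON and return the records that need a reviewer's attention."""
    findings = []
    for rec in flatten_rules(json.loads(text)):
        reason = classify(rec)
        if reason:
            findings.append(dict(rec, reason=reason))
    return findings


def main(argv):
    text = sys.stdin.read() if len(argv) > 1 and argv[1] == "-" else SAMPLE
    for f in audit_json(text):
        print(f"{f['reason']:<28} {f['scope']:<10} {f['role']:<32} "
              f"{qualified(f)} {sorted(f['verbs'])}")


if __name__ == "__main__":
    main(sys.argv)
```

To run it against a live cluster, pipe one of the step 4 commands in, for example `kubectl get clusterrole,role -l app=gloo-mesh-mgmt-server -A -o json | python3 audit_rbac.py -` (the file name is assumed).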

Review Gloo permissions

Review the following tables that describe the default permissions by Gloo component. For steps to check these permissions in your cluster setup, see Check default RBAC setup. For steps to modify these permissions, see Restrict default permissions.

The Gloo management server needs access to many Kubernetes and all Gloo custom resources to manage Gloo resources. These actions include writing Gloo resources, managing the status of Gloo resources, writing output objects for Gloo resources such as translated Istio objects, and performing leader election when you have multiple server replicas.

| Resource | Granted by | Allowed verbs |
|---|---|---|
| configmaps | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| namespaces | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| pods | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| serviceaccounts | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| services | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| mutatingwebhookconfigurations.admissionregistration.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| validatingwebhookconfigurations.admissionregistration.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| apidocs.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| deployments.apps | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| ciliumnetworkpolicies.cilium.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| leases.coordination.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| authconfigs.extauth.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| gateways.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| cloudresources.infrastructure.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| istiooperators.install.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| issuedcertificates.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| portalconfigs.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| spireregistrationentries.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| xdsconfigs.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| destinationrules.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| envoyfilters.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| gateways.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| serviceentries.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| sidecars.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| virtualservices.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| workloadentries.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| workloadgroups.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| networkpolicies.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| ratelimitconfigs.ratelimit.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| clusterrolebindings.rbac.authorization.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| clusterroles.rbac.authorization.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| authorizationpolicies.security.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| peerauthentications.security.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| nodes | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| dashboards.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| extauthservers.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| gatewaylifecyclemanagers.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| istiolifecyclemanagers.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| kubernetesclusters.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| ratelimitserverconfigs.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| ratelimitserversettings.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| roottrustpolicies.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| waypointlifecyclemanagers.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| workspaces.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| workspacesettings.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| customresourcedefinitions.apiextensions.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| apischemadiscoveries.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| graphqlresolvermaps.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| graphqlschemas.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| graphqlstitchedschemas.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| portalgroups.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| portals.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| daemonsets.apps | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| statefulsets.apps | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| wasmdeploymentpolicies.extensions.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| gatewayclasses.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| grpcroutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| httproutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| referencegrants.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| tcproutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| tlsroutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| udproutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| cloudproviders.infrastructure.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| certificaterequests.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| discoveredcnis.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| discoveredgateways.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| meshes.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| externalendpoints.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| externalservices.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| externalworkloads.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| routetables.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| virtualdestinations.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| virtualgateways.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| accesslogpolicies.observability.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| rolebindings.rbac.authorization.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| roles.rbac.authorization.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| activehealthcheckpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| connectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| failoverpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| faultinjectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| listenerconnectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| outlierdetectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| retrytimeoutpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| trimproxyconfigpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| accesspolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| clienttlspolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| corspolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| csrfpolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| dlppolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| extauthpolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| graphqlallowedquerypolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| jwtpolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| wafpolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| httpbufferpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| mirrorpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| ratelimitpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| transformationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| namespaces/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| nodes/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| serviceaccounts/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| services/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| dashboards.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| extauthservers.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| gatewaylifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| istiolifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| kubernetesclusters.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ratelimitserverconfigs.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ratelimitserversettings.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| roottrustpolicies.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| waypointlifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| workspaces.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| workspacesettings.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| apidocs.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| apischemadiscoveries.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| graphqlresolvermaps.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| graphqlschemas.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| graphqlstitchedschemas.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| portalgroups.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| portals.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| daemonsets.apps/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| deployments.apps/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| statefulsets.apps/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ciliumnetworkpolicies.cilium.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| authconfigs.extauth.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| wasmdeploymentpolicies.extensions.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| gatewayclasses.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| gateways.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| grpcroutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| httproutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| referencegrants.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| tcproutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| tlsroutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| udproutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| cloudproviders.infrastructure.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| cloudresources.infrastructure.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| istiooperators.install.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| certificaterequests.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| discoveredcnis.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| discoveredgateways.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| issuedcertificates.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| meshes.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| portalconfigs.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| spireregistrationentries.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| externalendpoints.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| externalservices.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| externalworkloads.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| routetables.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| virtualdestinations.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| virtualgateways.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| destinationrules.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| envoyfilters.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| gateways.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| serviceentries.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| sidecars.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| virtualservices.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| workloadentries.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| accesslogpolicies.observability.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ratelimitconfigs.ratelimit.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| clusterrolebindings.rbac.authorization.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| clusterroles.rbac.authorization.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| rolebindings.rbac.authorization.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| roles.rbac.authorization.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| activehealthcheckpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| connectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| failoverpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| faultinjectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| listenerconnectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| outlierdetectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| retrytimeoutpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| trimproxyconfigpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| authorizationpolicies.security.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| peerauthentications.security.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| accesspolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| clienttlspolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| corspolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| csrfpolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| dlppolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| extauthpolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| graphqlallowedquerypolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| jwtpolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| wafpolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| httpbufferpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| mirrorpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ratelimitpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| transformationpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| secrets | gloo-mesh-mgmt-server-gloo-platform-gloo-mesh-namespaced cluster role | * (all) |
| secrets/status | gloo-mesh-mgmt-server-gloo-platform-gloo-mesh-namespaced cluster role | get, update |

The Gloo agent needs access to many Kubernetes and all Gloo custom resources to manage Gloo resources in workload clusters. These actions include discovering core Kubernetes objects, writing Gloo resources, managing the status of Gloo resources, rotating certificates as needed, and performing leader election when you have multiple agent replicas. To manage the Istio lifecycle manager (ILM), the agent also needs permission to create deployments, set up CRDs, and configure Kubernetes RBAC access.

| Resource | Granted by | Allowed verbs |
|---|---|---|
| configmaps | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| namespaces | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| pods | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| serviceaccounts | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| services | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| mutatingwebhookconfigurations.admissionregistration.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| validatingwebhookconfigurations.admissionregistration.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| customresourcedefinitions.apiextensions.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| apidocs.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| deployments.apps | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| ciliumnetworkpolicies.cilium.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| leases.coordination.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| authconfigs.extauth.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| gateways.gateway.networking.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| cloudresources.infrastructure.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| istiooperators.install.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| certificaterequests.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| discoveredcnis.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| discoveredgateways.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| issuedcertificates.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| meshes.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| podbouncedirectives.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| portalconfigs.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| spireregistrationentries.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| xdsconfigs.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| destinationrules.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| envoyfilters.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| gateways.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| serviceentries.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| sidecars.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| virtualservices.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| workloadentries.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| workloadgroups.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| networkpolicies.networking.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| ratelimitconfigs.ratelimit.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| clusterrolebindings.rbac.authorization.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| clusterroles.rbac.authorization.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| authorizationpolicies.security.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| peerauthentications.security.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| nodes | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| dashboards.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| extauthservers.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| gatewaylifecyclemanagers.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| istiolifecyclemanagers.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| kubernetesclusters.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| ratelimitserverconfigs.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| ratelimitserversettings.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| roottrustpolicies.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| waypointlifecyclemanagers.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| workspaces.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| workspacesettings.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| apischemadiscoveries.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| graphqlresolvermaps.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| graphqlschemas.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| graphqlstitchedschemas.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| portalgroups.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| portals.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| daemonsets.apps | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| replicasets.apps | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| statefulsets.apps | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| wasmdeploymentpolicies.extensions.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| cloudproviders.infrastructure.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| externalendpoints.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| externalservices.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| externalworkloads.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| routetables.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| virtualdestinations.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| virtualgateways.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| accesslogpolicies.observability.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| rolebindings.rbac.authorization.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| roles.rbac.authorization.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| activehealthcheckpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| connectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| failoverpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| faultinjectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| listenerconnectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| outlierdetectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| retrytimeoutpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| trimproxyconfigpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| accesspolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| clienttlspolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| corspolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| csrfpolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| dlppolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| extauthpolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| graphqlallowedquerypolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| jwtpolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| wafpolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| httpbufferpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| mirrorpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| ratelimitpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| transformationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| configmaps/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| namespaces/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| nodes/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| pods/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| serviceaccounts/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| services/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| dashboards.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| extauthservers.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| gatewaylifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| istiolifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| kubernetesclusters.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| ratelimitserverconfigs.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| ratelimitserversettings.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| roottrustpolicies.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| waypointlifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| workspaces.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| workspacesettings.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| mutatingwebhookconfigurations.admissionregistration.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| validatingwebhookconfigurations.admissionregistration.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| apidocs.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| apischemadiscoveries.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| graphqlresolvermaps.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| graphqlschemas.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| graphqlstitchedschemas.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| portalgroups.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| portals.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| daemonsets.apps/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| deployments.apps/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| replicasets.apps/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| statefulsets.apps/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| ciliumnetworkpolicies.cilium.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| authconfigs.extauth.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| wasmdeploymentpolicies.extensions.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| gateways.gateway.networking.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| cloudproviders.infrastructure.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| cloudresources.infrastructure.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| istiooperators.install.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| certificaterequests.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| discoveredcnis.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| discoveredgateways.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
issuedcertificates.internal.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
meshes.internal.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
podbouncedirectives.internal.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
portalconfigs.internal.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
spireregistrationentries.internal.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
xdsconfigs.internal.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
externalendpoints.networking.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
externalservices.networking.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
externalworkloads.networking.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
routetables.networking.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
virtualdestinations.networking.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
virtualgateways.networking.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
destinationrules.networking.istio.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
envoyfilters.networking.istio.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
gateways.networking.istio.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
serviceentries.networking.istio.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
sidecars.networking.istio.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
virtualservices.networking.istio.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
workloadentries.networking.istio.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
workloadgroups.networking.istio.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
networkpolicies.networking.k8s.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
accesslogpolicies.observability.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
ratelimitconfigs.ratelimit.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
clusterrolebindings.rbac.authorization.k8s.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
clusterroles.rbac.authorization.k8s.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
activehealthcheckpolicies.resilience.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
connectionpolicies.resilience.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
failoverpolicies.resilience.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
faultinjectionpolicies.resilience.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
listenerconnectionpolicies.resilience.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
outlierdetectionpolicies.resilience.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
retrytimeoutpolicies.resilience.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
trimproxyconfigpolicies.resilience.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
authorizationpolicies.security.istio.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
peerauthentications.security.istio.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
accesspolicies.security.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
clienttlspolicies.security.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
corspolicies.security.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
csrfpolicies.security.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
dlppolicies.security.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
extauthpolicies.security.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
graphqlallowedquerypolicies.security.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
jwtpolicies.security.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
wafpolicies.security.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
httpbufferpolicies.trafficcontrol.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
mirrorpolicies.trafficcontrol.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
ratelimitpolicies.trafficcontrol.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
transformationpolicies.trafficcontrol.policy.gloo.solo.io/statusgloo-mesh-agent-gloo-mesh cluster roleget, update
secretsgloo-mesh-agent-gloo-platform-gloo-mesh-namespaced cluster role* (all)
secrets/statusgloo-mesh-agent-gloo-platform-gloo-mesh-namespaced cluster roleget, update

The Gloo UI needs read access to many Kubernetes resources and to all Gloo custom resources so that it can display them in the dashboard. Its only write permissions are get and update on a few status subresources. Note that its access to secrets is read-only (get, list, watch) but still cluster-wide by default; to confine it to namespaces, set namespacedRbac as described in Restrict default permissions.

| Resource | Granted by | Allowed verbs |
|---|---|---|
| configmaps | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| namespaces | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| nodes | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| serviceaccounts | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| services | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| dashboards.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| extauthservers.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| gatewaylifecyclemanagers.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| istiolifecyclemanagers.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| kubernetesclusters.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ratelimitserverconfigs.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ratelimitserversettings.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| roottrustpolicies.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| waypointlifecyclemanagers.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| workspaces.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| workspacesettings.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| apidocs.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| apischemadiscoveries.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| graphqlresolvermaps.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| graphqlschemas.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| graphqlstitchedschemas.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| portalgroups.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| portals.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| daemonsets.apps | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| deployments.apps | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| statefulsets.apps | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ciliumnetworkpolicies.cilium.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| authconfigs.extauth.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| wasmdeploymentpolicies.extensions.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| gatewayclasses.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| gateways.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| grpcroutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| httproutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| referencegrants.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| tcproutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| tlsroutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| udproutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| cloudproviders.infrastructure.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| cloudresources.infrastructure.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| istiooperators.install.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| discoveredcnis.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| discoveredgateways.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| meshes.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| portalconfigs.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| spireregistrationentries.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| externalendpoints.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| externalservices.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| externalworkloads.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| routetables.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| virtualdestinations.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| virtualgateways.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| destinationrules.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| envoyfilters.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| gateways.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| serviceentries.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| sidecars.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| virtualservices.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| workloadentries.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| accesslogpolicies.observability.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ratelimitconfigs.ratelimit.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| clusterrolebindings.rbac.authorization.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| clusterroles.rbac.authorization.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| rolebindings.rbac.authorization.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| roles.rbac.authorization.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| activehealthcheckpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| connectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| failoverpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| faultinjectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| listenerconnectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| outlierdetectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| retrytimeoutpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| trimproxyconfigpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| authorizationpolicies.security.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| peerauthentications.security.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| accesspolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| clienttlspolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| corspolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| csrfpolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| dlppolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| extauthpolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| graphqlallowedquerypolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| jwtpolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| wafpolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| httpbufferpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| mirrorpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ratelimitpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| transformationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| configmaps/status | gloo-mesh-ui-gloo-mesh cluster role | get, update |
| dashboards.admin.gloo.solo.io/status | gloo-mesh-ui-gloo-mesh cluster role | get, update |
| kubernetesclusters.admin.gloo.solo.io/status | gloo-mesh-ui-gloo-mesh cluster role | get, update |
| secrets | gloo-mesh-ui-gloo-platform-gloo-mesh-namespaced cluster role | get, list, watch |
| secrets/status | gloo-mesh-ui-gloo-platform-gloo-mesh-namespaced cluster role | get, update |

The Prometheus server needs read access to various resources to discover scrape targets and collect metrics for cluster components and network traffic. Two rows deserve attention: nodes/proxy lets the server reach kubelet endpoints through the API server proxy, and /metrics is a non-resource URL on the API server rather than a Kubernetes object, which is why it carries only the get verb.

| Resource | Granted by | Allowed verbs |
|---|---|---|
| configmaps | prometheus-server cluster role | get, list, watch |
| endpoints | prometheus-server cluster role | get, list, watch |
| ingresses | prometheus-server cluster role | get, list, watch |
| nodes/metrics | prometheus-server cluster role | get, list, watch |
| nodes/proxy | prometheus-server cluster role | get, list, watch |
| nodes | prometheus-server cluster role | get, list, watch |
| pods | prometheus-server cluster role | get, list, watch |
| services | prometheus-server cluster role | get, list, watch |
| ingresses.extensions/status | prometheus-server cluster role | get, list, watch |
| ingresses.extensions | prometheus-server cluster role | get, list, watch |
| ingresses.networking.k8s.io/status | prometheus-server cluster role | get, list, watch |
| ingresses.networking.k8s.io | prometheus-server cluster role | get, list, watch |
| /metrics (non-resource URL) | prometheus-server cluster role | get |

The external auth service needs access to several Kubernetes and Gloo custom resources to enforce authentication on requests. For example, config maps and secrets might hold information that the external auth service needs to authenticate requests, such as an API key. Other resources, such as leases, are used for leader election when you run multiple replicas.

| Resource | Granted by | Allowed verbs |
|---|---|---|
| events | ext-auth-service-gloo-mesh cluster role | * (all) |
| leases.coordination.k8s.io | ext-auth-service-gloo-mesh cluster role | * (all) |
| configmaps | ext-auth-service-gloo-mesh cluster role | get, list, watch |
| authconfigs.extauth.solo.io | ext-auth-service-gloo-mesh cluster role | get, list, watch |
| authconfigs.extauth.solo.io/status | ext-auth-service-gloo-mesh cluster role | get, update |
| secrets | ext-auth-service-gloo-platform-gloo-mesh-namespaced cluster role | get, list, watch |

The rate limiter needs access to Gloo custom resources to configure rate limiting on requests.

| Resource | Granted by | Allowed verbs |
|---|---|---|
| ratelimitconfigs.ratelimit.solo.io | rate-limiter cluster role | get, list, watch |
| ratelimitconfigs.ratelimit.solo.io/status | rate-limiter cluster role | get, update |

The Gloo portal server needs access to Gloo custom resources to display API products in an end-user facing developer portal.

| Resource | Granted by | Allowed verbs |
|---|---|---|
| apidocs.apimanagement.gloo.solo.io | gloo-mesh-portal-server-gloo-mesh cluster role | get, list, watch |
| portalconfigs.internal.gloo.solo.io | gloo-mesh-portal-server-gloo-mesh cluster role | get, list, watch |

The OpenTelemetry (OTel) gateways and collectors need access to various resources to collect metrics, logs, and traces for the components in your cluster.

| Resource | Granted by | Allowed verbs |
|---|---|---|
| configmaps | gloo-telemetry-* cluster roles | get, list, watch |
| endpoints | gloo-telemetry-* cluster roles | get, list, watch |
| ingresses | gloo-telemetry-* cluster roles | get, list, watch |
| nodes/metrics | gloo-telemetry-* cluster roles | get, list, watch |
| nodes/proxy | gloo-telemetry-* cluster roles | get, list, watch |
| nodes | gloo-telemetry-* cluster roles | get, list, watch |
| pods | gloo-telemetry-* cluster roles | get, list, watch |
| services | gloo-telemetry-* cluster roles | get, list, watch |
| ingresses.extensions/status | gloo-telemetry-* cluster roles | get, list, watch |
| ingresses.extensions | gloo-telemetry-* cluster roles | get, list, watch |
| ingresses.networking.k8s.io/status | gloo-telemetry-* cluster roles | get, list, watch |
| ingresses.networking.k8s.io | gloo-telemetry-* cluster roles | get, list, watch |
| /metrics (non-resource URL) | gloo-telemetry-* cluster roles | get |

The Istio operator that the Gloo Istio Lifecycle Manager uses needs broad access to Istio custom resources and to the Kubernetes resources it creates when it deploys Istio. Note that a grant of * (all) on clusterroles and clusterrolebindings includes the bind and escalate verbs, so this service account can extend its own permissions to anything in the cluster, and it also holds * (all) on secrets cluster-wide. Treat it as cluster-admin-equivalent: protect its token and restrict who can exec into or edit the operator deployment.

| Resource | Granted by | Allowed verbs |
|---|---|---|
| configmaps | istio-operator-* cluster role | * (all) |
| endpoints | istio-operator-* cluster role | * (all) |
| events | istio-operator-* cluster role | * (all) |
| namespaces | istio-operator-* cluster role | * (all) |
| persistentvolumeclaims | istio-operator-* cluster role | * (all) |
| pods/portforward | istio-operator-* cluster role | * (all) |
| pods/proxy | istio-operator-* cluster role | * (all) |
| pods | istio-operator-* cluster role | * (all) |
| secrets | istio-operator-* cluster role | * (all) |
| serviceaccounts | istio-operator-* cluster role | * (all) |
| services | istio-operator-* cluster role | * (all) |
| mutatingwebhookconfigurations.admissionregistration.k8s.io | istio-operator-* cluster role | * (all) |
| validatingwebhookconfigurations.admissionregistration.k8s.io | istio-operator-* cluster role | * (all) |
| customresourcedefinitions.apiextensions.k8s.io.apiextensions.k8s.io | istio-operator-* cluster role | * (all) |
| customresourcedefinitions.apiextensions.k8s.io | istio-operator-* cluster role | * (all) |
| daemonsets.apps | istio-operator-* cluster role | * (all) |
| deployments.apps/finalizers | istio-operator-* cluster role | * (all) |
| deployments.apps | istio-operator-* cluster role | * (all) |
| replicasets.apps | istio-operator-* cluster role | * (all) |
| *.authentication.istio.io | istio-operator-* cluster role | * (all) |
| horizontalpodautoscalers.autoscaling | istio-operator-* cluster role | * (all) |
| *.config.istio.io | istio-operator-* cluster role | * (all) |
| daemonsets.extensions | istio-operator-* cluster role | * (all) |
| deployments.extensions/finalizers | istio-operator-* cluster role | * (all) |
| deployments.extensions | istio-operator-* cluster role | * (all) |
| replicasets.extensions | istio-operator-* cluster role | * (all) |
| *.install.istio.io | istio-operator-* cluster role | * (all) |
| *.networking.istio.io | istio-operator-* cluster role | * (all) |
| poddisruptionbudgets.policy | istio-operator-* cluster role | * (all) |
| clusterrolebindings.rbac.authorization.k8s.io | istio-operator-* cluster role | * (all) |
| clusterroles.rbac.authorization.k8s.io | istio-operator-* cluster role | * (all) |
| rolebindings.rbac.authorization.k8s.io | istio-operator-* cluster role | * (all) |
| roles.rbac.authorization.k8s.io | istio-operator-* cluster role | * (all) |
| *.security.istio.io | istio-operator-* cluster role | * (all) |
| leases.coordination.k8s.io | istio-operator-* cluster role | get, create, update |
| servicemonitors.monitoring.coreos.com | istio-operator-* cluster role | get, create, update |

Istio is set up automatically when you install Gloo Mesh Gateway, to manage Envoy-based proxies such as the Istio ingress gateway. Istiod needs access to all Istio custom resources to manage Istio. It also needs access to some Kubernetes resources to deploy gateways, manage the secrets that back mutual TLS, approve certificate signing requests, and inject sidecars as needed. The namespaced roles in istio-system are listed first, followed by the cluster roles.

| Resource | Granted by | Allowed verbs |
|---|---|---|
| secrets | istiod-* roles in istio-system namespace | create, get, watch, list, update, delete |
| gateways | istiod-* roles in istio-system namespace | create |
| configmaps | Versioned istiod role in istio-system namespace | delete |
| leases | Versioned istiod role in istio-system namespace | get, update, patch, create |
| tokenreviews.authentication.k8s.io | istio-reader-* cluster roles | create |
| subjectaccessreviews.authorization.k8s.io | istio-reader-* cluster roles | create |
| serviceexports.multicluster.x-k8s.io | istio-reader-* cluster roles | get, list, watch, create, delete |
| endpoints | istio-reader-* cluster roles | get, list, watch |
| namespaces | istio-reader-* cluster roles | get, list, watch |
| nodes | istio-reader-* cluster roles | get, list, watch |
| pods | istio-reader-* cluster roles | get, list, watch |
| replicationcontrollers | istio-reader-* cluster roles | get, list, watch |
| secrets | istio-reader-* cluster roles | get, list, watch |
| services | istio-reader-* cluster roles | get, list, watch |
| customresourcedefinitions.apiextensions.k8s.io | istio-reader-* cluster roles | get, list, watch |
| replicasets.apps | istio-reader-* cluster roles | get, list, watch |
| *.authentication.istio.io | istio-reader-* cluster roles | get, list, watch |
| *.config.istio.io | istio-reader-* cluster roles | get, list, watch |
| endpointslices.discovery.k8s.io | istio-reader-* cluster roles | get, list, watch |
| serviceimports.multicluster.x-k8s.io | istio-reader-* cluster roles | get, list, watch |
| *.networking.istio.io | istio-reader-* cluster roles | get, list, watch |
| *.rbac.istio.io | istio-reader-* cluster roles | get, list, watch |
| *.security.istio.io | istio-reader-* cluster roles | get, list, watch |
| workloadentries.networking.istio.io | istio-reader-* cluster roles | get, watch, list |
| ingresses.networking.k8s.io/status | istiod-* cluster roles | * (all) |
| signers.certificates.k8s.io | istiod-* cluster roles | approve |
| configmaps | istiod-* cluster roles | create, get, list, watch, update |
| gatewayclasses.gateway.networking.k8s.io | istiod-* cluster roles | create, update, patch, delete |
| tokenreviews.authentication.k8s.io | istiod-* cluster roles | create |
| subjectaccessreviews.authorization.k8s.io | istiod-* cluster roles | create |
| mutatingwebhookconfigurations.admissionregistration.k8s.io | istiod-* cluster roles | get, list, watch, update, patch |
| validatingwebhookconfigurations.admissionregistration.k8s.io | istiod-* cluster roles | get, list, watch, update |
| endpoints | istiod-* cluster roles | get, list, watch |
| namespaces | istiod-* cluster roles | get, list, watch |
| nodes | istiod-* cluster roles | get, list, watch |
| pods | istiod-* cluster roles | get, list, watch |
| services | istiod-* cluster roles | get, list, watch |
| customresourcedefinitions.apiextensions.k8s.io | istiod-* cluster roles | get, list, watch |
| endpointslices.discovery.k8s.io | istiod-* cluster roles | get, list, watch |
| ingressclasses.networking.k8s.io | istiod-* cluster roles | get, list, watch |
| ingresses.networking.k8s.io | istiod-* cluster roles | get, list, watch |
| serviceexports.multicluster.x-k8s.io | istiod-* cluster roles | get, watch, list, create, delete |
| workloadentries.networking.istio.io/status | istiod-* cluster roles | get, watch, list, update, patch, create, delete |
| workloadentries.networking.istio.io | istiod-* cluster roles | get, watch, list, update, patch, create, delete |
| *.gateway.networking.k8s.io | istiod-* cluster roles | get, watch, list, update, patch |
| *.networking.x-k8s.io | istiod-* cluster roles | get, watch, list, update, patch |
| secrets | istiod-* cluster roles | get, watch, list |
| *.authentication.istio.io | istiod-* cluster roles | get, watch, list |
| *.config.istio.io | istiod-* cluster roles | get, watch, list |
| *.extensions.istio.io | istiod-* cluster roles | get, watch, list |
| serviceimports.multicluster.x-k8s.io | istiod-* cluster roles | get, watch, list |
| *.networking.istio.io | istiod-* cluster roles | get, watch, list |
| *.rbac.istio.io | istiod-* cluster roles | get, watch, list |
| *.security.istio.io | istiod-* cluster roles | get, watch, list |
| *.telemetry.istio.io | istiod-* cluster roles | get, watch, list |
| certificatesigningrequests.certificates.k8s.io/approval | istiod-* cluster roles | update, create, get, delete, watch |
| certificatesigningrequests.certificates.k8s.io/status | istiod-* cluster roles | update, create, get, delete, watch |
| certificatesigningrequests.certificates.k8s.io | istiod-* cluster roles | update, create, get, delete, watch |
| serviceaccounts | istiod-* cluster roles | get, watch, list, update, patch, create, delete |
| services | istiod-* cluster roles | get, watch, list, update, patch, create, delete |
| deployments.apps | istiod-* cluster roles | get, watch, list, update, patch, create, delete |

By default, Gloo Mesh Gateway sets up one Istio ingress gateway in the gloo-mesh-gateways namespace. You can also set up multiple Istio ingress gateways to back your Gloo virtual gateways. The gateway needs to read secrets, such as TLS certificates, to serve traffic on an HTTPS listener. Note that this read access is granted by a namespaced role, so the gateway can only read secrets in its own namespace.

| Resource | Granted by | Allowed verbs |
|---|---|---|
| secrets | Versioned gateway role in the gateway namespace, such as gloo-mesh-gateways | get, watch, list |
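The tables above describe what the charts install. Before you rely on them for a particular cluster, regenerate them from the RBAC objects that actually exist and let a script flag the grants that matter. The following Python script is an added example written for this page, not Gloo tooling. It reads the JSON from `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`, prints each service account's grants in the same Resource / Granted by / Allowed verbs form as the tables with the binding scope added, and flags two patterns: secrets reachable cluster-wide, and write verbs on roles or bindings. Run with no input, it uses a constructed sample modeled on the agent and Istio operator rows; the service account name `gloo-mesh-agent-restricted` and the role name `istio-operator-example` in that sample are hypothetical.

```python
import json
import sys
from collections import defaultdict

# Resources where a write grant lets a subject read credentials or widen its own rights.
SENSITIVE = {"secrets", "clusterroles", "clusterrolebindings", "roles", "rolebindings"}
WRITE_VERBS = {"*", "create", "update", "patch", "delete", "deletecollection", "bind", "escalate"}


def load_objects(text):
    """Accept the List that `kubectl get -o json` prints, or a single object."""
    obj = json.loads(text)
    return obj.get("items", []) if obj.get("kind") == "List" else [obj]


def index_roles(items):
    """Map (kind, namespace, name) of each Role/ClusterRole to its (resource, verbs) pairs."""
    roles = {}
    for obj in items:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        meta, pairs = obj["metadata"], []
        for rule in obj.get("rules") or []:
            verbs = frozenset(rule.get("verbs", []))
            for group in rule.get("apiGroups", [""]):
                suffix = "" if group in ("", "*") else f".{group}"  # spell "resource.group" as the tables do
                pairs.extend((r + suffix, verbs) for r in rule.get("resources", []))
            pairs.extend((url, verbs) for url in rule.get("nonResourceURLs", []))
        roles[(obj["kind"], meta.get("namespace", ""), meta["name"])] = pairs
    return roles


def grants_per_subject(items):
    """Return {"namespace/serviceaccount": [(resource, granted_by, scope, verbs), ...]}."""
    roles, out = index_roles(items), defaultdict(list)
    for obj in items:
        if obj.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, binding_ns = obj["roleRef"], obj["metadata"].get("namespace", "")
        # A RoleBinding may reference a ClusterRole; the grant then applies only in the binding's namespace.
        role_key = (ref["kind"], binding_ns if ref["kind"] == "Role" else "", ref["name"])
        scope = "cluster-wide" if obj["kind"] == "ClusterRoleBinding" else f"namespace {binding_ns}"
        granted_by = f"{ref['name']} {'cluster role' if ref['kind'] == 'ClusterRole' else 'role'}"
        for subject in obj.get("subjects") or []:
            if subject.get("kind") != "ServiceAccount":
                continue
            sa = f"{subject.get('namespace', binding_ns)}/{subject['name']}"
            for resource, verbs in roles.get(role_key, []):
                out[sa].append((resource, granted_by, scope, verbs))
    return dict(out)


def findings(items):
    """Grants worth a second look: cluster-wide secrets access, or write verbs on RBAC objects."""
    flagged = []
    for sa, grants in grants_per_subject(items).items():
        for resource, granted_by, scope, verbs in grants:
            name, _, subresource = resource.partition("/")
            base = name.split(".")[0]
            if subresource or base not in SENSITIVE:  # a /status grant exposes no object data
                continue
            if base == "secrets" and scope == "cluster-wide":
                flagged.append((sa, resource, granted_by, scope, "cluster-wide secrets access"))
            elif base != "secrets" and verbs & WRITE_VERBS:
                flagged.append((sa, resource, granted_by, scope,
                                "can modify RBAC: " + ", ".join(sorted(verbs & WRITE_VERBS))))
    return flagged


def _obj(kind, name, ns=None, **body):
    return {"kind": kind, "metadata": {"name": name, **({"namespace": ns} if ns else {})}, **body}


def _binding(kind, name, role_kind, sa, ns=None):
    sa_ns, sa_name = sa.split("/")
    return _obj(kind, name, ns, roleRef={"kind": role_kind, "name": name},
                subjects=[{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_ns}])


# Constructed sample modeled on the tables above; "-restricted" and "istio-operator-example" are hypothetical names.
NS_ROLE = "gloo-mesh-agent-gloo-platform-gloo-mesh-namespaced"
SAMPLE_ITEMS = [
    # Default install: the "*-namespaced" cluster role is still bound cluster-wide.
    _obj("ClusterRole", NS_ROLE, rules=[{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]},
                                        {"apiGroups": [""], "resources": ["secrets/status"], "verbs": ["get", "update"]}]),
    _binding("ClusterRoleBinding", NS_ROLE, "ClusterRole", "gloo-mesh/gloo-mesh-agent"),
    # With namespacedRbac: a Role and RoleBinding of the same name, confined to gloo-mesh.
    _obj("Role", NS_ROLE, "gloo-mesh", rules=[{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]),
    _binding("RoleBinding", NS_ROLE, "Role", "gloo-mesh/gloo-mesh-agent-restricted", ns="gloo-mesh"),
    # The Istio operator's grant on RBAC objects ("*" includes bind and escalate).
    _obj("ClusterRole", "istio-operator-example", rules=[{"apiGroups": ["rbac.authorization.k8s.io"],
                                                          "resources": ["clusterroles", "clusterrolebindings"], "verbs": ["*"]}]),
    _binding("ClusterRoleBinding", "istio-operator-example", "ClusterRole", "istio-operator/istio-operator"),
]

if __name__ == "__main__":
    objects = SAMPLE_ITEMS if sys.stdin.isatty() else load_objects(sys.stdin.read())
    for sa, grants in sorted(grants_per_subject(objects).items()):
        print(f"\n{sa}")
        for resource, granted_by, scope, verbs in grants:
            print(f"  {resource} | {granted_by} | {scope} | {', '.join(sorted(verbs))}")
    for finding in findings(objects):
        print("FINDING:", *finding)
```

Because a RoleBinding can reference a ClusterRole, the script takes the scope from the binding, not from the role's kind. That is exactly the distinction namespacedRbac changes: the same *-namespaced name shows up as cluster-wide in a default install and as namespace gloo-mesh after the restriction. Only read access to RBAC objects is needed to run it.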

Restrict default permissions

You can restrict the permissions of select Gloo components. By default, Gloo components use Kubernetes cluster roles and cluster role bindings to get cluster-wide access to resources. To restrict these permissions, configure the namespacedRbac Helm option for the components that support it during your Gloo installation or upgrade.

  • Default behavior without namespacedRbac: Gloo creates separate cluster roles and cluster role bindings per component, one set for the resources that can be restricted to namespaces and one set for those that cannot. The cluster role and cluster role binding for the restrictable resources have *-namespaced in their name, but they are still bound cluster-wide; the name only marks which permissions you can narrow.
  • With namespacedRbac: Gloo creates roles and role bindings per component for the restricted resources in the namespaces you select, such as gloo-mesh. These roles and role bindings have *-namespaced in their name, such as gloo-mesh-mgmt-server-gloo-platform-gloo-mesh-namespaced. Gloo still creates a cluster role and cluster role binding per component for all the other resources that the component needs access to.
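To confirm which of the two behaviors is in effect for a component, ask the API server rather than reading role names: `kubectl auth can-i` evaluates every role and binding that applies to a subject, including any you did not expect. The following Python script is an added example, not part of Gloo. It assumes the agent runs under the service account `gloo-mesh-agent` in `gloo-mesh` (check with `kubectl get sa -n gloo-mesh`) and that your kubeconfig user is allowed to impersonate service accounts, which `--as` requires. It probes secrets access in every namespace and reports the ones outside your allowed set; without kubectl on the PATH it runs against a constructed answer table that stands in for a cluster where the restriction was not applied.

```python
import shutil
import subprocess


def can_i(verb, resource, namespace, service_account, run):
    """Ask whether service_account ("ns:name") may perform verb on resource in namespace."""
    cmd = ["kubectl", "auth", "can-i", verb, resource, "-n", namespace,
           "--as", f"system:serviceaccount:{service_account}"]
    return run(cmd)


def kubectl_runner(cmd):
    """Real runner. kubectl prints yes/no and exits 1 on "no", so check=True must not be used.
    Impersonating a service account needs the impersonate verb on serviceaccounts."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    answer = proc.stdout.strip().lower()
    if answer not in ("yes", "no"):
        raise RuntimeError(proc.stderr.strip() or f"unexpected kubectl output: {proc.stdout!r}")
    return answer == "yes"


# Constructed stand-in for a cluster where the agent can still read secrets in "default",
# i.e. the namespacedRbac values were not applied or an extra binding exists. Hypothetical data.
SIMULATED_SECRET_ACCESS = {"gloo-mesh": True, "default": True, "kube-system": False}


def simulated_runner(cmd):
    namespace = cmd[cmd.index("-n") + 1]
    return SIMULATED_SECRET_ACCESS.get(namespace, False)


def secret_scope_report(service_account, allowed, namespaces, run):
    """Map each namespace to (allowed by your policy, granted by the cluster)."""
    report = {}
    for ns in namespaces:
        # Any of the read verbs is enough to exfiltrate a secret, so test all three.
        granted = any(can_i(v, "secrets", ns, service_account, run) for v in ("get", "list", "watch"))
        report[ns] = (ns in allowed, granted)
    return report


def violations(report):
    """Namespaces where the cluster grants secrets access that your policy does not allow."""
    return sorted(ns for ns, (allowed, granted) in report.items() if granted and not allowed)


def list_namespaces():
    out = subprocess.run(["kubectl", "get", "namespaces", "-o", "jsonpath={.items[*].metadata.name}"],
                         capture_output=True, text=True, check=True).stdout
    return out.split()


if __name__ == "__main__":
    allowed = {"gloo-mesh"}  # add your add-ons namespace here if it is separate
    sa = "gloo-mesh:gloo-mesh-agent"  # assumed service account; verify with kubectl get sa -n gloo-mesh
    if shutil.which("kubectl"):
        run, namespaces = kubectl_runner, list_namespaces()
    else:
        run, namespaces = simulated_runner, list(SIMULATED_SECRET_ACCESS)
    report = secret_scope_report(sa, allowed, namespaces, run)
    for ns, (ok, granted) in report.items():
        print(f"{ns}: allowed={ok} granted={granted}")
    print("violations:", violations(report) or "none")
```

Run it once before and once after the Helm upgrade in the procedure that follows. Before, every namespace should report granted=True; after, only the namespaces in your namespacedRbac list should, and the violations line should be empty. A namespace that stays granted after the upgrade means a binding outside the Gloo charts still reaches the service account.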

Gloo components that you can restrict access for:

  • Gloo management server
  • Gloo agent
  • Gloo UI
  • External auth service

Resources that you can restrict access to:

  • Kubernetes secrets

At a minimum, you must allow access to the following namespaces for each Gloo component:

  • gloo-mesh, or if you used a different name, the namespace that your management server, UI, and agent are deployed to.
  • The namespace where your add-on components, such as the external auth service, rate limiter, or developer portal, are deployed to. Depending on your setup, you might have all of these Gloo components together in a single namespace, which defaults to gloo-mesh, or a separate namespace.

  1. Check the Helm releases in your cluster. Depending on your installation method, you either have only a main installation release (such as gloo-platform), or a main installation and a separate add-ons release (such as gloo-agent-addons), in addition to your CRDs release.

    helm ls -A
  2. Get your current installation values.

    • If you have only one release for your installation, get those values. Note that your Helm release might have a different name.

      helm get values gloo-platform -n gloo-mesh -o yaml > gloo-single.yaml
      open gloo-single.yaml
    • If you have a separate add-ons release, get those values.

      helm get values gloo-agent-addons -n gloo-mesh -o yaml > gloo-agent-addons.yaml
      open gloo-agent-addons.yaml
  3. Add the following settings in the sections for each component that you want to restrict Kubernetes RBAC permissions to namespaces. Keep in mind the following points:

    • You can restrict only Kubernetes secrets.
    • You must include the namespaces that the Gloo components are deployed to, such as gloo-mesh. If you use a different namespace, or if you maintain a separate add-ons namespace, modify these values accordingly.
    • You add these values alongside the rest of the values in your Helm configuration file.
    glooMgmtServer:
      enabled: true
      namespacedRbac:
      - resources:
        - secrets
        namespaces:
        - gloo-mesh
    ...
    glooAgent:
      enabled: true
      namespacedRbac:
      - resources:
        - secrets
        namespaces:
        - gloo-mesh
    ...
    glooUi:
      enabled: true
      namespacedRbac:
      - resources:
        - secrets
        namespaces:
        - gloo-mesh
    extAuthService:
      enabled: true
      extAuth:
        namespacedRbac:
        - resources:
          - secrets
          namespaces:
          - gloo-mesh
    ...
    For example, the following complete values file shows the namespaced RBAC settings in context with the rest of the component settings. Values such as `secretKey: "ThisIsSecret"` are placeholders; replace them with your own.

    ```yaml
    clickhouse:
      enabled: true
    glooAgent:
      enabled: true
      relay:
        serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900
      namespacedRbac:
      - resources:
        - secrets
        namespaces:
        - gloo-mesh
    glooMgmtServer:
      serviceType: ClusterIP
      registerCluster: true
      enabled: true
      createGlobalWorkspace: true
      namespacedRbac:
      - resources:
        - secrets
        namespaces:
        - gloo-mesh
    glooUi:
      enabled: true
      namespacedRbac:
      - resources:
        - secrets
        namespaces:
        - gloo-mesh
    istioInstallations:
      controlPlane:
        enabled: true
        installations:
          - istioOperatorSpec:
              meshConfig:
                accessLogFile: /dev/stdout
                accessLogEncoding: JSON
                accessLogFormat: |
                  {
                    "timestamp": "%START_TIME%",
                    "server_name": "%REQ(:AUTHORITY)%",
                    "response_duration": "%DURATION%",
                    "request_command": "%REQ(:METHOD)%",
                    "request_uri": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
                    "request_protocol": "%PROTOCOL%",
                    "status_code": "%RESPONSE_CODE%",
                    "client_address": "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%",
                    "x_forwarded_for": "%REQ(X-FORWARDED-FOR)%",
                    "bytes_sent": "%BYTES_SENT%",
                    "bytes_received": "%BYTES_RECEIVED%",
                    "user_agent": "%REQ(USER-AGENT)%",
                    "downstream_local_address": "%DOWNSTREAM_LOCAL_ADDRESS%",
                    "requested_server_name": "%REQUESTED_SERVER_NAME%",
                    "request_id": "%REQ(X-REQUEST-ID)%",
                    "response_flags": "%RESPONSE_FLAGS%",
                    "route_name": "%ROUTE_NAME%",
                    "upstream_cluster": "%UPSTREAM_CLUSTER%",
                    "upstream_host": "%UPSTREAM_HOST%",
                    "upstream_local_address": "%UPSTREAM_LOCAL_ADDRESS%",
                    "upstream_service_time": "%REQ(x-envoy-upstream-service-time)%",
                    "upstream_transport_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%",
                    "correlation_id": "%REQ(X-CORRELATION-ID)%",
                    "user_id": "%DYNAMIC_METADATA(envoy.filters.http.ext_authz:userId)%",
                    "api_id": "%DYNAMIC_METADATA(io.solo.gloo.apimanagement:api_id)%",
                    "api_product_id": "%DYNAMIC_METADATA(io.solo.gloo.apimanagement:api_product_id)%",
                    "api_product_name": "%DYNAMIC_METADATA(io.solo.gloo.apimanagement:api_product_name)%",
                    "usage_plan": "%DYNAMIC_METADATA(envoy.filters.http.ext_authz:usagePlan)%",
                    "custom_metadata": "%DYNAMIC_METADATA(io.solo.gloo.apimanagement:custom_metadata)%"
                  }
            revision: auto
      enabled: true
      northSouthGateways:
        - enabled: true
          installations:
            - gatewayRevision: auto
              istioOperatorSpec: {}
          name: istio-ingressgateway
    telemetryCollector:
      presets:
        logsCollection:
          enabled: true
          storeCheckpoints: true
      enabled: true
      config:
        exporters:
          otlp:
            endpoint: gloo-telemetry-gateway.gloo-mesh:4317
    telemetryCollectorCustomization:
      pipelines:
        logs/istio_access_logs:
          enabled: true
    prometheus:
      enabled: true
    redis:
      deployment:
        enabled: true
    telemetryGateway:
      enabled: true
      service:
        type: ClusterIP
      extraEnvs:
      - name: CLICKHOUSE_PASSWORD
        valueFrom:
          secretKeyRef:
            key: password
            name: clickhouse-auth
    telemetryGatewayCustomization:
      pipelines:
        logs/clickhouse:
          enabled: true
      extraExporters:
        clickhouse:
          password: "${env:CLICKHOUSE_PASSWORD}"
    extAuthService:
      enabled: true
      extAuth:
        namespacedRbac:
        - resources:
          - secrets
          namespaces:
          - gloo-mesh
        apiKeyStorage:
          name: redis
          enabled: true
          config:
            host: "redis.gloo-mesh:6379"
            db: 0
          secretKey: "ThisIsSecret"
    glooPortalServer:
      enabled: true
      apiKeyStorage:
        redis:
          enabled: true
          address: redis.gloo-mesh:6379
        configPath: /etc/redis-client-config/config.yaml
        secretKey: "ThisIsSecret"
    rateLimiter:
      enabled: true
    ```
  4. Upgrade your Helm release with the namespaced RBAC restrictions. Be sure to include the Helm values file ($VALUES_FILE) that you previously created and the Gloo version of your current installation ($GLOO_VERSION), so that the upgrade changes only the RBAC settings.

    • If you have only one release for your installation, upgrade the gloo-platform release. Note that your Helm release might have a different name.

      ```sh
      helm upgrade -i gloo-platform gloo-platform/gloo-platform \
         --namespace gloo-mesh \
         --create-namespace \
         --values $VALUES_FILE \
         --version $GLOO_VERSION
      ```
    • If you have a separate add-ons release, upgrade the gloo-agent-addons release. If your add-ons are deployed to a separate namespace, set --namespace to that namespace and make sure that the namespacedRbac values for the add-on components list it.

      ```sh
      helm upgrade -i gloo-agent-addons gloo-platform/gloo-platform \
         --namespace gloo-mesh \
         --create-namespace \
         --values $VALUES_FILE \
         --version $GLOO_VERSION
      ```
  5. Verify that your Gloo environment is healthy. Note that this check might take a few seconds to complete.

    ```sh
    meshctl check
    ```
  6. Confirm that the permissions are correct by checking the RBAC setup. The service accounts of the components that you restricted must be able to read secrets only in the namespaces that you listed under `namespacedRbac`, and not cluster-wide.
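To make the final check concrete, the following script is an added example, not code from the Gloo docs or the Gloo project. It uses `kubectl auth can-i` with service account impersonation to confirm that each restricted component can read secrets in the allowed namespace, cannot read them in an unrelated namespace, and cannot read them cluster-wide. It assumes that the service account names match the `app` labels used earlier on this page (`gloo-mesh-mgmt-server`, `gloo-mesh-agent`, `gloo-mesh-ui`, `ext-auth-service`), that the components run in `gloo-mesh`, that `kube-system` is a reasonable unrelated namespace to compare against, and that your kubeconfig user may impersonate service accounts. Confirm the names with `kubectl get serviceaccounts -n gloo-mesh` and adjust the list, `GLOO_NAMESPACE` or `OTHER_NAMESPACE` if your setup differs.

```shell
#!/bin/sh
# Added example (not part of the Gloo docs): confirm that a component's
# service account can read secrets only inside the namespaces listed in
# namespacedRbac. Uses `kubectl auth can-i` with impersonation, so the
# caller needs the impersonate verb on serviceaccounts (cluster-admin has it).
#
# Assumptions: service account names equal the app labels used on this page
# (gloo-mesh-mgmt-server, gloo-mesh-agent, gloo-mesh-ui, ext-auth-service)
# and the components run in the gloo-mesh namespace. Override with
# GLOO_NAMESPACE, OTHER_NAMESPACE and KUBECTL if your setup differs.

KUBECTL="${KUBECTL:-kubectl}"

# can_read_secrets SA_NAMESPACE SERVICEACCOUNT SCOPE
# SCOPE is a namespace to check, or "cluster" for a cluster-wide (-A) check.
# Prints the verdict "yes" or "no" from kubectl auth can-i.
can_read_secrets() {
  _sa="system:serviceaccount:$1:$2"
  if [ "$3" = "cluster" ]; then
    _answer=$("$KUBECTL" auth can-i get secrets --as="$_sa" -A 2>/dev/null || true)
  else
    _answer=$("$KUBECTL" auth can-i get secrets --as="$_sa" -n "$3" 2>/dev/null || true)
  fi
  # kubectl exits non-zero and may append a reason ("no - ...") when denied;
  # keep only the first word so callers compare against "yes"/"no".
  printf '%s\n' "${_answer%% *}"
}

# check_component SA_NAMESPACE SERVICEACCOUNT ALLOWED_NS OTHER_NS
# Succeeds only when secrets are readable in ALLOWED_NS, not readable in
# OTHER_NS, and not readable cluster-wide. A "yes" on the cluster-wide check
# means the component still holds a cluster-scoped grant on secrets, i.e.
# the namespacedRbac restriction did not take effect.
check_component() {
  _in=$(can_read_secrets "$1" "$2" "$3")
  _out=$(can_read_secrets "$1" "$2" "$4")
  _all=$(can_read_secrets "$1" "$2" cluster)
  printf '%-24s secrets in %s: %-3s  in %s: %-3s  cluster-wide: %s\n' \
    "$2" "$3" "$_in" "$4" "$_out" "$_all"
  [ "$_in" = yes ] && [ "$_out" = no ] && [ "$_all" = no ]
}

# Check every component that the values file restricts. Run this against each
# cluster; a component that is not installed in a cluster answers "no"
# everywhere and fails the check, so drop it from the list for that cluster.
main() {
  _ns="${GLOO_NAMESPACE:-gloo-mesh}"
  _other="${OTHER_NAMESPACE:-kube-system}"
  _rc=0
  for _sa in gloo-mesh-mgmt-server gloo-mesh-agent gloo-mesh-ui ext-auth-service; do
    check_component "$_ns" "$_sa" "$_ns" "$_other" || _rc=1
  done
  return "$_rc"
}

# Run the checks only when invoked as: sh check-gloo-rbac.sh --run
# (without --run the file can be sourced for its functions).
if [ "${1:-}" = "--run" ]; then
  main
fi
```

A non-zero exit from `main` means at least one component can still read secrets outside its allowed namespace; compare the printed line for that component against its `namespacedRbac` section in the values file and re-run the Helm upgrade.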