Gloo permissions

Review the default Kubernetes role-based access control (RBAC) permissions of Gloo and Gloo-deployed components.

When you install a Gloo product, you deploy several core and addon components, such as the management server, agent, and external auth service. For more information about the components, see Platform architecture.

These components might come with a default set of permissions granted by Kubernetes RBAC cluster roles and roles. Some components that do not need Kubernetes permissions, such as Redis or Clickhouse databases, do not have Kubernetes RBAC resources. Other components, such as the management server, agent, and UI, might have several roles or cluster roles that scope certain permissions on sensitive resources, such as secrets, to specific namespaces.

Check the RBAC setup

In Kubernetes RBAC, roles and cluster roles configure a set of permissions, such as to view or modify Kubernetes objects. Role bindings and cluster role bindings bind these permissions to a subject in Kubernetes, such as a service account. For more information, see the Kubernetes docs. Most Gloo components have their own Kubernetes service accounts, roles or cluster roles, and role bindings or cluster role bindings.

To check the RBAC setup for each component, you can run the following commands. Alternatively, you can check the permissions tables for each component in Review Gloo permissions.

When you install Gloo Mesh with Helm, you set a release name, such as the default gloo-platform. If you used a different release name, update the commands accordingly, such as -l app.kubernetes.io/instance=gloo-platform to -l app.kubernetes.io/instance=$RELEASE.

  1. Get the Kubernetes RBAC resources for the Gloo component that you want to check.

    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=gloo-mesh-mgmt-server
    
    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=gloo-mesh-agent
    
    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=gloo-mesh-ui
    
    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=prometheus
    
    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=ext-auth-service
    
    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=rate-limiter
    
    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=gloo-mesh-portal-server
    

    For optional components that are installed by Gloo Gateway via Helm, such as the OpenTelemetry (OTel) gateways and collectors.

    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app.kubernetes.io/name=telemetryCollector
    

    For the Istio operator used by Gloo's Istio Lifecycle Manager.

    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l gloo.solo.io/parent_name=gloo-platform
    

    For instances installed by Gloo's Istio Lifecycle Manager, such as istiod and the Istio gateway controller.

    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l install.operator.istio.io/owning-resource=gloo-platform
    

    For the Istio ingress gateway.

    kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l install.operator.istio.io/owning-resource=istio-ingressgateway-1-18-2
    
  2. Check the role binding or cluster role binding for the component. Make sure that the role or cluster role in the Role section and the service account in the Subjects section match the names for the Gloo component in the output from the previous step.

    kubectl describe clusterrolebinding gloo-mesh-mgmt-server-gloo-platform
    

    Example output: The cluster role binding grants the gloo-mesh-mgmt-server-gloo-platform cluster role to the gloo-mesh-mgmt-server service account in the gloo-mesh namespace.

    Role:
        Kind:  ClusterRole
        Name:  gloo-mesh-mgmt-server-gloo-platform
    Subjects:
        Kind            Name                   Namespace
        ----            ----                   ---------
        ServiceAccount  gloo-mesh-mgmt-server  gloo-mesh
    
  3. Get the details of a cluster role or role. Check the PolicyRule in each role or cluster role to review specific permissions.

    The following example shows how the management server can have both roles and cluster roles if you restrict its permissions. Some other Gloo components might have only roles or cluster roles, depending on your setup.

    kubectl describe role -n gloo-mesh gloo-mesh-mgmt-server-gloo-platform-gloo-mesh-namespaced
    kubectl describe role -n gloo-mesh-addons gloo-mesh-mgmt-server-gloo-platform-gloo-mesh-namespaced
    

    Example output: The roles grant the Gloo management server access to Kubernetes secrets. Because the roles that you described are scoped to the gloo-mesh and gloo-mesh-addons namespaces, the management server can access secrets in those namespaces only.

    PolicyRule:
      Resources       Non-Resource URLs  Resource Names  Verbs
      ---------       -----------------  --------------  -----
      secrets         []                 []              [*]
      secrets/status  []                 []              [get, update]
    
    kubectl describe clusterrole gloo-mesh-mgmt-server-gloo-platform
    

    Example output: The default Kubernetes RBAC for the management server normally includes access to secrets. However, in this example, you restricted access to only the gloo-mesh and gloo-mesh-addons namespaces through roles and role bindings. Therefore, the cluster role no longer has access to secrets.

    PolicyRule:
      Resources                                                                 Non-Resource URLs  Resource Names  Verbs
      ---------                                                                 -----------------  --------------  -----
      configmaps                                                                []                 []              [*]
      namespaces                                                                []                 []              [*]
      pods                                                                      []                 []              [*]
      serviceaccounts                                                           []                 []              [*]
      services                                                                  []                 []              [*]
      mutatingwebhookconfigurations.admissionregistration.k8s.io                []                 []              [*]
      validatingwebhookconfigurations.admissionregistration.k8s.io              []                 []              [*]
      apidocs.apimanagement.gloo.solo.io                                        []                 []              [*]
      deployments.apps                                                          []                 []              [*]
      ciliumnetworkpolicies.cilium.io                                           []                 []              [*]
      leases.coordination.k8s.io                                                []                 []              [*]
      authconfigs.extauth.solo.io                                               []                 []              [*]
      gateways.gateway.networking.k8s.io                                        []                 []              [*]
      cloudresources.infrastructure.gloo.solo.io                                []                 []              [*]
      istiooperators.install.istio.io                                           []                 []              [*]
      issuedcertificates.internal.gloo.solo.io                                  []                 []              [*]
      portalconfigs.internal.gloo.solo.io                                       []                 []              [*]
      spireregistrationentries.internal.gloo.solo.io                            []                 []              [*]
      xdsconfigs.internal.gloo.solo.io                                          []                 []              [*]
      destinationrules.networking.istio.io                                      []                 []              [*]
      envoyfilters.networking.istio.io                                          []                 []              [*]
      gateways.networking.istio.io                                              []                 []              [*]
      serviceentries.networking.istio.io                                        []                 []              [*]
      sidecars.networking.istio.io                                              []                 []              [*]
      virtualservices.networking.istio.io                                       []                 []              [*]
      workloadentries.networking.istio.io                                       []                 []              [*]
      workloadgroups.networking.istio.io                                        []                 []              [*]
      networkpolicies.networking.k8s.io                                         []                 []              [*]
      ratelimitconfigs.ratelimit.solo.io                                        []                 []              [*]
      clusterrolebindings.rbac.authorization.k8s.io                             []                 []              [*]
      clusterroles.rbac.authorization.k8s.io                                    []                 []              [*]
      authorizationpolicies.security.istio.io                                   []                 []              [*]
      peerauthentications.security.istio.io                                     []                 []              [*]
      nodes                                                                     []                 []              [get list watch]
      dashboards.admin.gloo.solo.io                                             []                 []              [get list watch]
      extauthservers.admin.gloo.solo.io                                         []                 []              [get list watch]
      gatewaylifecyclemanagers.admin.gloo.solo.io                               []                 []              [get list watch]
      istiolifecyclemanagers.admin.gloo.solo.io                                 []                 []              [get list watch]
      kubernetesclusters.admin.gloo.solo.io                                     []                 []              [get list watch]
      ratelimitserverconfigs.admin.gloo.solo.io                                 []                 []              [get list watch]
      ratelimitserversettings.admin.gloo.solo.io                                []                 []              [get list watch]
      roottrustpolicies.admin.gloo.solo.io                                      []                 []              [get list watch]
      waypointlifecyclemanagers.admin.gloo.solo.io                              []                 []              [get list watch]
      workspaces.admin.gloo.solo.io                                             []                 []              [get list watch]
      workspacesettings.admin.gloo.solo.io                                      []                 []              [get list watch]
      customresourcedefinitions.apiextensions.k8s.io                            []                 []              [get list watch]
      apischemadiscoveries.apimanagement.gloo.solo.io                           []                 []              [get list watch]
      graphqlresolvermaps.apimanagement.gloo.solo.io                            []                 []              [get list watch]
      graphqlschemas.apimanagement.gloo.solo.io                                 []                 []              [get list watch]
      graphqlstitchedschemas.apimanagement.gloo.solo.io                         []                 []              [get list watch]
      portalgroups.apimanagement.gloo.solo.io                                   []                 []              [get list watch]
      portals.apimanagement.gloo.solo.io                                        []                 []              [get list watch]
      daemonsets.apps                                                           []                 []              [get list watch]
      statefulsets.apps                                                         []                 []              [get list watch]
      wasmdeploymentpolicies.extensions.policy.gloo.solo.io                     []                 []              [get list watch]
      gatewayclasses.gateway.networking.k8s.io                                  []                 []              [get list watch]
      grpcroutes.gateway.networking.k8s.io                                      []                 []              [get list watch]
      httproutes.gateway.networking.k8s.io                                      []                 []              [get list watch]
      referencegrants.gateway.networking.k8s.io                                 []                 []              [get list watch]
      tcproutes.gateway.networking.k8s.io                                       []                 []              [get list watch]
      tlsroutes.gateway.networking.k8s.io                                       []                 []              [get list watch]
      udproutes.gateway.networking.k8s.io                                       []                 []              [get list watch]
      cloudproviders.infrastructure.gloo.solo.io                                []                 []              [get list watch]
      certificaterequests.internal.gloo.solo.io                                 []                 []              [get list watch]
      discoveredcnis.internal.gloo.solo.io                                      []                 []              [get list watch]
      discoveredgateways.internal.gloo.solo.io                                  []                 []              [get list watch]
      meshes.internal.gloo.solo.io                                              []                 []              [get list watch]
      externalendpoints.networking.gloo.solo.io                                 []                 []              [get list watch]
      externalservices.networking.gloo.solo.io                                  []                 []              [get list watch]
      externalworkloads.networking.gloo.solo.io                                 []                 []              [get list watch]
      routetables.networking.gloo.solo.io                                       []                 []              [get list watch]
      virtualdestinations.networking.gloo.solo.io                               []                 []              [get list watch]
      virtualgateways.networking.gloo.solo.io                                   []                 []              [get list watch]
      accesslogpolicies.observability.policy.gloo.solo.io                       []                 []              [get list watch]
      rolebindings.rbac.authorization.k8s.io                                    []                 []              [get list watch]
      roles.rbac.authorization.k8s.io                                           []                 []              [get list watch]
      activehealthcheckpolicies.resilience.policy.gloo.solo.io                  []                 []              [get list watch]
      connectionpolicies.resilience.policy.gloo.solo.io                         []                 []              [get list watch]
      failoverpolicies.resilience.policy.gloo.solo.io                           []                 []              [get list watch]
      faultinjectionpolicies.resilience.policy.gloo.solo.io                     []                 []              [get list watch]
      graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io         []                 []              [get list watch]
      listenerconnectionpolicies.resilience.policy.gloo.solo.io                 []                 []              [get list watch]
      outlierdetectionpolicies.resilience.policy.gloo.solo.io                   []                 []              [get list watch]
      retrytimeoutpolicies.resilience.policy.gloo.solo.io                       []                 []              [get list watch]
      trimproxyconfigpolicies.resilience.policy.gloo.solo.io                    []                 []              [get list watch]
      accesspolicies.security.policy.gloo.solo.io                               []                 []              [get list watch]
      clienttlspolicies.security.policy.gloo.solo.io                            []                 []              [get list watch]
      corspolicies.security.policy.gloo.solo.io                                 []                 []              [get list watch]
      csrfpolicies.security.policy.gloo.solo.io                                 []                 []              [get list watch]
      dlppolicies.security.policy.gloo.solo.io                                  []                 []              [get list watch]
      extauthpolicies.security.policy.gloo.solo.io                              []                 []              [get list watch]
      graphqlallowedquerypolicies.security.policy.gloo.solo.io                  []                 []              [get list watch]
      jwtpolicies.security.policy.gloo.solo.io                                  []                 []              [get list watch]
      wafpolicies.security.policy.gloo.solo.io                                  []                 []              [get list watch]
      headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io             []                 []              [get list watch]
      httpbufferpolicies.trafficcontrol.policy.gloo.solo.io                     []                 []              [get list watch]
      loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io                   []                 []              [get list watch]
      mirrorpolicies.trafficcontrol.policy.gloo.solo.io                         []                 []              [get list watch]
      proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io                  []                 []              [get list watch]
      ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io                 []                 []              [get list watch]
      ratelimitpolicies.trafficcontrol.policy.gloo.solo.io                      []                 []              [get list watch]
      transformationpolicies.trafficcontrol.policy.gloo.solo.io                 []                 []              [get list watch]
      namespaces/status                                                         []                 []              [get update]
      nodes/status                                                              []                 []              [get update]
      serviceaccounts/status                                                    []                 []              [get update]
      services/status                                                           []                 []              [get update]
      dashboards.admin.gloo.solo.io/status                                      []                 []              [get update]
      extauthservers.admin.gloo.solo.io/status                                  []                 []              [get update]
      gatewaylifecyclemanagers.admin.gloo.solo.io/status                        []                 []              [get update]
      istiolifecyclemanagers.admin.gloo.solo.io/status                          []                 []              [get update]
      kubernetesclusters.admin.gloo.solo.io/status                              []                 []              [get update]
      ratelimitserverconfigs.admin.gloo.solo.io/status                          []                 []              [get update]
      ratelimitserversettings.admin.gloo.solo.io/status                         []                 []              [get update]
      roottrustpolicies.admin.gloo.solo.io/status                               []                 []              [get update]
      waypointlifecyclemanagers.admin.gloo.solo.io/status                       []                 []              [get update]
      workspaces.admin.gloo.solo.io/status                                      []                 []              [get update]
      workspacesettings.admin.gloo.solo.io/status                               []                 []              [get update]
      apidocs.apimanagement.gloo.solo.io/status                                 []                 []              [get update]
      apischemadiscoveries.apimanagement.gloo.solo.io/status                    []                 []              [get update]
      graphqlresolvermaps.apimanagement.gloo.solo.io/status                     []                 []              [get update]
      graphqlschemas.apimanagement.gloo.solo.io/status                          []                 []              [get update]
      graphqlstitchedschemas.apimanagement.gloo.solo.io/status                  []                 []              [get update]
      portalgroups.apimanagement.gloo.solo.io/status                            []                 []              [get update]
      portals.apimanagement.gloo.solo.io/status                                 []                 []              [get update]
      daemonsets.apps/status                                                    []                 []              [get update]
      deployments.apps/status                                                   []                 []              [get update]
      statefulsets.apps/status                                                  []                 []              [get update]
      ciliumnetworkpolicies.cilium.io/status                                    []                 []              [get update]
      authconfigs.extauth.solo.io/status                                        []                 []              [get update]
      wasmdeploymentpolicies.extensions.policy.gloo.solo.io/status              []                 []              [get update]
      gatewayclasses.gateway.networking.k8s.io/status                           []                 []              [get update]
      gateways.gateway.networking.k8s.io/status                                 []                 []              [get update]
      grpcroutes.gateway.networking.k8s.io/status                               []                 []              [get update]
      httproutes.gateway.networking.k8s.io/status                               []                 []              [get update]
      referencegrants.gateway.networking.k8s.io/status                          []                 []              [get update]
      tcproutes.gateway.networking.k8s.io/status                                []                 []              [get update]
      tlsroutes.gateway.networking.k8s.io/status                                []                 []              [get update]
      udproutes.gateway.networking.k8s.io/status                                []                 []              [get update]
      cloudproviders.infrastructure.gloo.solo.io/status                         []                 []              [get update]
      cloudresources.infrastructure.gloo.solo.io/status                         []                 []              [get update]
      istiooperators.install.istio.io/status                                    []                 []              [get update]
      certificaterequests.internal.gloo.solo.io/status                          []                 []              [get update]
      discoveredcnis.internal.gloo.solo.io/status                               []                 []              [get update]
      discoveredgateways.internal.gloo.solo.io/status                           []                 []              [get update]
      issuedcertificates.internal.gloo.solo.io/status                           []                 []              [get update]
      meshes.internal.gloo.solo.io/status                                       []                 []              [get update]
      portalconfigs.internal.gloo.solo.io/status                                []                 []              [get update]
      spireregistrationentries.internal.gloo.solo.io/status                     []                 []              [get update]
      externalendpoints.networking.gloo.solo.io/status                          []                 []              [get update]
      externalservices.networking.gloo.solo.io/status                           []                 []              [get update]
      externalworkloads.networking.gloo.solo.io/status                          []                 []              [get update]
      routetables.networking.gloo.solo.io/status                                []                 []              [get update]
      virtualdestinations.networking.gloo.solo.io/status                        []                 []              [get update]
      virtualgateways.networking.gloo.solo.io/status                            []                 []              [get update]
      destinationrules.networking.istio.io/status                               []                 []              [get update]
      envoyfilters.networking.istio.io/status                                   []                 []              [get update]
      gateways.networking.istio.io/status                                       []                 []              [get update]
      serviceentries.networking.istio.io/status                                 []                 []              [get update]
      sidecars.networking.istio.io/status                                       []                 []              [get update]
      virtualservices.networking.istio.io/status                                []                 []              [get update]
      workloadentries.networking.istio.io/status                                []                 []              [get update]
      accesslogpolicies.observability.policy.gloo.solo.io/status                []                 []              [get update]
      ratelimitconfigs.ratelimit.solo.io/status                                 []                 []              [get update]
      clusterrolebindings.rbac.authorization.k8s.io/status                      []                 []              [get update]
      clusterroles.rbac.authorization.k8s.io/status                             []                 []              [get update]
      rolebindings.rbac.authorization.k8s.io/status                             []                 []              [get update]
      roles.rbac.authorization.k8s.io/status                                    []                 []              [get update]
      activehealthcheckpolicies.resilience.policy.gloo.solo.io/status           []                 []              [get update]
      connectionpolicies.resilience.policy.gloo.solo.io/status                  []                 []              [get update]
      failoverpolicies.resilience.policy.gloo.solo.io/status                    []                 []              [get update]
      faultinjectionpolicies.resilience.policy.gloo.solo.io/status              []                 []              [get update]
      graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io/status  []                 []              [get update]
      listenerconnectionpolicies.resilience.policy.gloo.solo.io/status          []                 []              [get update]
      outlierdetectionpolicies.resilience.policy.gloo.solo.io/status            []                 []              [get update]
      retrytimeoutpolicies.resilience.policy.gloo.solo.io/status                []                 []              [get update]
      trimproxyconfigpolicies.resilience.policy.gloo.solo.io/status             []                 []              [get update]
      authorizationpolicies.security.istio.io/status                            []                 []              [get update]
      peerauthentications.security.istio.io/status                              []                 []              [get update]
      accesspolicies.security.policy.gloo.solo.io/status                        []                 []              [get update]
      clienttlspolicies.security.policy.gloo.solo.io/status                     []                 []              [get update]
      corspolicies.security.policy.gloo.solo.io/status                          []                 []              [get update]
      csrfpolicies.security.policy.gloo.solo.io/status                          []                 []              [get update]
      dlppolicies.security.policy.gloo.solo.io/status                           []                 []              [get update]
      extauthpolicies.security.policy.gloo.solo.io/status                       []                 []              [get update]
      graphqlallowedquerypolicies.security.policy.gloo.solo.io/status           []                 []              [get update]
      jwtpolicies.security.policy.gloo.solo.io/status                           []                 []              [get update]
      wafpolicies.security.policy.gloo.solo.io/status                           []                 []              [get update]
      headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io/status      []                 []              [get update]
      httpbufferpolicies.trafficcontrol.policy.gloo.solo.io/status              []                 []              [get update]
      loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io/status            []                 []              [get update]
      mirrorpolicies.trafficcontrol.policy.gloo.solo.io/status                  []                 []              [get update]
      proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io/status           []                 []              [get update]
      ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io/status          []                 []              [get update]
      ratelimitpolicies.trafficcontrol.policy.gloo.solo.io/status               []                 []              [get update]
      transformationpolicies.trafficcontrol.policy.gloo.solo.io/status          []                 []              [get update]
    
  4. Repeat the previous step for each component that you want to check. The following commands check all roles and cluster roles per component and pipe the output to jq to get only the PolicyRules. Alternatively, you can check the permissions tables for each component in Review Gloo permissions.

    kubectl get clusterrole,role -l app=gloo-mesh-mgmt-server -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    
    kubectl get clusterrole,role -l app=gloo-mesh-agent -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    
    kubectl get clusterrole,role -l app=gloo-mesh-ui -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    
    kubectl get clusterrole,role -l app=prometheus -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    
    kubectl get clusterrole,role -l app=ext-auth-service -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    
    kubectl get clusterrole,role -l app=rate-limiter -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    
    kubectl get clusterrole,role -l app=gloo-mesh-portal-server -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    

    For optional components that the Gloo Platform Helm release installs, such as OpenTelemetry (OTel) gateways and collectors, select by the Helm instance label:

    kubectl get clusterrole,role -l app.kubernetes.io/instance=gloo-platform -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    

    For the Istio operator that Gloo's Istio Lifecycle Manager uses:

    kubectl get clusterrole,role -l gloo.solo.io/parent_name=gloo-platform -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    

    For components that the Gloo Istio Lifecycle Manager installs, such as istiod and the Istio gateway controller:

    kubectl get clusterrole,role -l install.operator.istio.io/owning-resource=gloo-platform -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    
    kubectl get clusterrole,role -l operator.istio.io/component=IngressGateways -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
    

    Example output:

    {
      "Name": "istio-ingressgateway-1-18-2-sds",
      "PolicyRules": [
        {
          "apiGroups": [
            ""
          ],
          "resources": [
            "secrets"
          ],
          "verbs": [
            "get",
            "watch",
            "list"
          ]
        }
      ]
    }
    
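The commands in the previous steps leave you reading PolicyRules by eye. As an added example (not code from the Gloo docs or the Gloo project), the following Python script consumes the same JSON that `kubectl get clusterrole,clusterrolebinding,rolebinding -A -o json` returns and reports every write grant on sensitive resources together with the scope at which the role is actually bound, so a cluster role that is scoped to one namespace through a RoleBinding is told apart from one bound cluster-wide. The embedded sample is constructed from two management-server rows of the permissions table below; its bindings are an assumption, not data from a real cluster.

```python
"""Audit Gloo RBAC output for write access to sensitive resources.

Added example, not code from the Gloo docs or the Gloo project. It reads the
JSON shape that `kubectl get clusterrole,clusterrolebinding,rolebinding -A -o json`
returns (a List whose .items carry kind, metadata, rules, roleRef). SAMPLE is
constructed to mirror two management-server rows of the permissions table; the
bindings in it are assumed, not taken from a real cluster.
"""
import json
import sys
from collections import defaultdict

# Write access to these is what an auditor wants scoped as tightly as possible:
# secrets hold credentials, RBAC objects enable privilege escalation, and
# mutating webhooks can rewrite every object admitted to the API server.
SENSITIVE = {
    ("", "secrets"),
    ("rbac.authorization.k8s.io", "clusterroles"),
    ("rbac.authorization.k8s.io", "clusterrolebindings"),
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations"),
}
WRITE_VERBS = {"*", "create", "update", "patch", "delete", "deletecollection", "bind", "escalate"}
CLUSTER_WIDE = "*"  # scope marker for a ClusterRoleBinding


def binding_scopes(items):
    """Map ClusterRole name -> scopes it is bound at: "*" for a ClusterRoleBinding,
    the binding's namespace for a RoleBinding. A ClusterRole bound only through
    RoleBindings grants nothing outside those namespaces."""
    scopes = defaultdict(list)
    for it in items:
        ref = it.get("roleRef", {})
        if ref.get("kind") != "ClusterRole":
            continue
        if it["kind"] == "ClusterRoleBinding":
            scopes[ref["name"]].append(CLUSTER_WIDE)
        elif it["kind"] == "RoleBinding":
            scopes[ref["name"]].append(it["metadata"]["namespace"])
    return scopes


def audit(items):
    """Return (role, scope, apiGroup, resource, verbs) for every ClusterRole rule
    that grants a write verb on a sensitive resource or uses a wildcard group or
    resource. A ClusterRole with no binding is reported with scope "unbound"."""
    scopes = binding_scopes(items)
    findings = []
    for it in items:
        if it["kind"] != "ClusterRole":
            continue
        name = it["metadata"]["name"]
        for rule in it.get("rules") or []:
            verbs = sorted(set(rule.get("verbs", [])))
            if not WRITE_VERBS.intersection(verbs):
                continue
            for group in rule.get("apiGroups", []):
                for res in rule.get("resources", []):
                    if (group, res) in SENSITIVE or CLUSTER_WIDE in (group, res):
                        for scope in scopes.get(name, ["unbound"]):
                            findings.append((name, scope, group, res, verbs))
    return findings


def cluster_wide(findings):
    """Only the findings whose grant applies across all namespaces."""
    return [f for f in findings if f[1] == CLUSTER_WIDE]


# Constructed sample: two management-server cluster roles from the permissions
# table, with assumed bindings (a ClusterRoleBinding for the first, a RoleBinding
# in the gloo-mesh namespace for the secrets role).
SAMPLE = {"items": [
    {"kind": "ClusterRole", "metadata": {"name": "gloo-mesh-mgmt-server-gloo-mesh"},
     "rules": [
         {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
         {"apiGroups": ["rbac.authorization.k8s.io"],
          "resources": ["clusterroles", "clusterrolebindings"], "verbs": ["*"]},
     ]},
    {"kind": "ClusterRole",
     "metadata": {"name": "gloo-mesh-mgmt-server-gloo-platform-gloo-mesh-namespaced"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "gloo-mesh-mgmt-server-gloo-mesh"},
     "roleRef": {"kind": "ClusterRole", "name": "gloo-mesh-mgmt-server-gloo-mesh"}},
    {"kind": "RoleBinding",
     "metadata": {"name": "gloo-mesh-mgmt-server-namespaced", "namespace": "gloo-mesh"},
     "roleRef": {"kind": "ClusterRole",
                 "name": "gloo-mesh-mgmt-server-gloo-platform-gloo-mesh-namespaced"}},
]}

if __name__ == "__main__":
    # Pipe real `kubectl ... -o json` output on stdin, or run with no input to use SAMPLE.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for role, scope, group, res, verbs in audit(data["items"]):
        where = "CLUSTER-WIDE" if scope == CLUSTER_WIDE else f"namespace={scope}"
        print(f"{role}: {where} {','.join(verbs)} on {res} ({group or 'core'})")
```

On the sample, the secrets grant is reported as scoped to the gloo-mesh namespace, while the `*` grants on clusterroles and clusterrolebindings are reported cluster-wide; run against a live cluster, the cluster-wide list is the one to review first.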

Review Gloo permissions

Review the following tables, which describe the default permissions by Gloo component. For steps to check these permissions in your cluster setup, see Check default RBAC setup. For steps to modify these permissions, see Restrict default permissions.

The Gloo management server needs access to many Kubernetes resources and to all Gloo custom resources in order to manage Gloo resources. These actions include writing Gloo resources, managing the status of Gloo resources, writing output objects for Gloo resources, such as translated Istio objects, and performing leader election when you run multiple server replicas.

| Resource | Granted by | Allowed verbs |
| --- | --- | --- |
| configmaps | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| namespaces | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| pods | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| serviceaccounts | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| services | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| mutatingwebhookconfigurations.admissionregistration.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| validatingwebhookconfigurations.admissionregistration.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| apidocs.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| deployments.apps | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| ciliumnetworkpolicies.cilium.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| leases.coordination.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| authconfigs.extauth.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| gateways.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| cloudresources.infrastructure.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| istiooperators.install.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| issuedcertificates.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| portalconfigs.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| spireregistrationentries.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| xdsconfigs.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| destinationrules.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| envoyfilters.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| gateways.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| serviceentries.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| sidecars.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| virtualservices.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| workloadentries.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| workloadgroups.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| networkpolicies.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| ratelimitconfigs.ratelimit.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| clusterrolebindings.rbac.authorization.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| clusterroles.rbac.authorization.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| authorizationpolicies.security.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| peerauthentications.security.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| nodes | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| dashboards.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| extauthservers.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| gatewaylifecyclemanagers.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| istiolifecyclemanagers.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| kubernetesclusters.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| ratelimitserverconfigs.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| ratelimitserversettings.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| roottrustpolicies.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| waypointlifecyclemanagers.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| workspaces.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| workspacesettings.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| customresourcedefinitions.apiextensions.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| apischemadiscoveries.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| graphqlresolvermaps.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| graphqlschemas.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| graphqlstitchedschemas.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| portalgroups.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| portals.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| daemonsets.apps | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| statefulsets.apps | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| wasmdeploymentpolicies.extensions.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| gatewayclasses.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| grpcroutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| httproutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| referencegrants.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| tcproutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| tlsroutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| udproutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| cloudproviders.infrastructure.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| certificaterequests.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| discoveredcnis.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| discoveredgateways.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| meshes.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| externalendpoints.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| externalservices.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| externalworkloads.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| routetables.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| virtualdestinations.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| virtualgateways.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| accesslogpolicies.observability.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| rolebindings.rbac.authorization.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| roles.rbac.authorization.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| activehealthcheckpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| connectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| failoverpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| faultinjectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| listenerconnectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| outlierdetectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| retrytimeoutpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| trimproxyconfigpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| accesspolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| clienttlspolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| corspolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| csrfpolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| dlppolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| extauthpolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| graphqlallowedquerypolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| jwtpolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| wafpolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| httpbufferpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| mirrorpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| ratelimitpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| transformationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| namespaces/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| nodes/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| serviceaccounts/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| services/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| dashboards.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| extauthservers.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| gatewaylifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| istiolifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| kubernetesclusters.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ratelimitserverconfigs.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ratelimitserversettings.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| roottrustpolicies.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| waypointlifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| workspaces.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| workspacesettings.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| apidocs.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| apischemadiscoveries.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| graphqlresolvermaps.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| graphqlschemas.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| graphqlstitchedschemas.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| portalgroups.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| portals.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| daemonsets.apps/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| deployments.apps/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| statefulsets.apps/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ciliumnetworkpolicies.cilium.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| authconfigs.extauth.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| wasmdeploymentpolicies.extensions.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| gatewayclasses.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| gateways.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| grpcroutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| httproutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| referencegrants.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| tcproutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| tlsroutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| udproutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| cloudproviders.infrastructure.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| cloudresources.infrastructure.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| istiooperators.install.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| certificaterequests.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| discoveredcnis.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| discoveredgateways.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| issuedcertificates.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| meshes.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| portalconfigs.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| spireregistrationentries.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| externalendpoints.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| externalservices.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| externalworkloads.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| routetables.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| virtualdestinations.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| virtualgateways.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| destinationrules.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| envoyfilters.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| gateways.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| serviceentries.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| sidecars.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| virtualservices.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| workloadentries.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| accesslogpolicies.observability.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ratelimitconfigs.ratelimit.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| clusterrolebindings.rbac.authorization.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| clusterroles.rbac.authorization.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| rolebindings.rbac.authorization.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| roles.rbac.authorization.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| activehealthcheckpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| connectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| failoverpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| faultinjectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| listenerconnectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| outlierdetectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| retrytimeoutpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| trimproxyconfigpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| authorizationpolicies.security.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| peerauthentications.security.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| accesspolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| clienttlspolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| corspolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| csrfpolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| dlppolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| extauthpolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| graphqlallowedquerypolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| jwtpolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| wafpolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| httpbufferpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| mirrorpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ratelimitpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| transformationpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| secrets | gloo-mesh-mgmt-server-gloo-platform-gloo-mesh-namespaced cluster role | * (all) |
| secrets/status | gloo-mesh-mgmt-server-gloo-platform-gloo-mesh-namespaced cluster role | get, update |

The Gloo agent needs access to many Kubernetes resources and to all Gloo custom resources in order to manage Gloo resources in workload clusters. These actions include discovering core Kubernetes objects, writing Gloo resources, managing the status of Gloo resources, rotating certificates as needed, and performing leader election when you run multiple agent replicas. The agent also needs access to deploy, set up CRDs for, and configure Kubernetes RBAC access for the Istio lifecycle manager (ILM) that it manages.

| Resource | Granted by | Allowed verbs |
| --- | --- | --- |
| configmaps | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| namespaces | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| pods | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| serviceaccounts | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| services | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| mutatingwebhookconfigurations.admissionregistration.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| validatingwebhookconfigurations.admissionregistration.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| customresourcedefinitions.apiextensions.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| apidocs.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| deployments.apps | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| ciliumnetworkpolicies.cilium.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| leases.coordination.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| authconfigs.extauth.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| gateways.gateway.networking.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| cloudresources.infrastructure.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| istiooperators.install.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| certificaterequests.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| discoveredcnis.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| discoveredgateways.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| issuedcertificates.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| meshes.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| podbouncedirectives.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| portalconfigs.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| spireregistrationentries.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| xdsconfigs.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| destinationrules.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| envoyfilters.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| gateways.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| serviceentries.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| sidecars.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| virtualservices.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| workloadentries.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| workloadgroups.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| networkpolicies.networking.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| ratelimitconfigs.ratelimit.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| clusterrolebindings.rbac.authorization.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| clusterroles.rbac.authorization.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| authorizationpolicies.security.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| peerauthentications.security.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| nodes | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| dashboards.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| extauthservers.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| gatewaylifecyclemanagers.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| istiolifecyclemanagers.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| kubernetesclusters.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| ratelimitserverconfigs.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| ratelimitserversettings.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| roottrustpolicies.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| waypointlifecyclemanagers.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| workspaces.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| workspacesettings.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| apischemadiscoveries.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| graphqlresolvermaps.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| graphqlschemas.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| graphqlstitchedschemas.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| portalgroups.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| portals.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| daemonsets.apps | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| replicasets.apps | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| statefulsets.apps | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| wasmdeploymentpolicies.extensions.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| cloudproviders.infrastructure.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| externalendpoints.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| externalservices.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| externalworkloads.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| routetables.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| virtualdestinations.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| virtualgateways.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| accesslogpolicies.observability.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| rolebindings.rbac.authorization.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| roles.rbac.authorization.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| activehealthcheckpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| connectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| failoverpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| faultinjectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| listenerconnectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| outlierdetectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| retrytimeoutpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| trimproxyconfigpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| accesspolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| clienttlspolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| corspolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| csrfpolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| dlppolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| extauthpolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| graphqlallowedquerypolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| jwtpolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| wafpolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| httpbufferpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| mirrorpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| ratelimitpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| transformationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| configmaps/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| namespaces/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| nodes/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| pods/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| serviceaccounts/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| services/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| dashboards.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| extauthservers.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| gatewaylifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| istiolifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| kubernetesclusters.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| ratelimitserverconfigs.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| ratelimitserversettings.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| roottrustpolicies.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| waypointlifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| workspaces.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| workspacesettings.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| mutatingwebhookconfigurations.admissionregistration.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| validatingwebhookconfigurations.admissionregistration.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| apidocs.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| apischemadiscoveries.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| graphqlresolvermaps.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| graphqlschemas.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| graphqlstitchedschemas.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
portalgroups.apimanagement.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
portals.apimanagement.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
daemonsets.apps/status gloo-mesh-agent-gloo-mesh cluster role get, update
deployments.apps/status gloo-mesh-agent-gloo-mesh cluster role get, update
replicasets.apps/status gloo-mesh-agent-gloo-mesh cluster role get, update
statefulsets.apps/status gloo-mesh-agent-gloo-mesh cluster role get, update
ciliumnetworkpolicies.cilium.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
authconfigs.extauth.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
wasmdeploymentpolicies.extensions.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
gateways.gateway.networking.k8s.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
cloudproviders.infrastructure.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
cloudresources.infrastructure.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
istiooperators.install.istio.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
certificaterequests.internal.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
discoveredcnis.internal.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
discoveredgateways.internal.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
issuedcertificates.internal.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
meshes.internal.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
podbouncedirectives.internal.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
portalconfigs.internal.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
spireregistrationentries.internal.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
xdsconfigs.internal.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
externalendpoints.networking.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
externalservices.networking.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
externalworkloads.networking.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
routetables.networking.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
virtualdestinations.networking.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
virtualgateways.networking.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
destinationrules.networking.istio.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
envoyfilters.networking.istio.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
gateways.networking.istio.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
serviceentries.networking.istio.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
sidecars.networking.istio.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
virtualservices.networking.istio.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
workloadentries.networking.istio.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
workloadgroups.networking.istio.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
networkpolicies.networking.k8s.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
accesslogpolicies.observability.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
ratelimitconfigs.ratelimit.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
clusterrolebindings.rbac.authorization.k8s.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
clusterroles.rbac.authorization.k8s.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
activehealthcheckpolicies.resilience.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
connectionpolicies.resilience.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
failoverpolicies.resilience.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
faultinjectionpolicies.resilience.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
listenerconnectionpolicies.resilience.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
outlierdetectionpolicies.resilience.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
retrytimeoutpolicies.resilience.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
trimproxyconfigpolicies.resilience.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
authorizationpolicies.security.istio.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
peerauthentications.security.istio.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
accesspolicies.security.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
clienttlspolicies.security.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
corspolicies.security.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
csrfpolicies.security.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
dlppolicies.security.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
extauthpolicies.security.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
graphqlallowedquerypolicies.security.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
jwtpolicies.security.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
wafpolicies.security.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
httpbufferpolicies.trafficcontrol.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
mirrorpolicies.trafficcontrol.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
ratelimitpolicies.trafficcontrol.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
transformationpolicies.trafficcontrol.policy.gloo.solo.io/status gloo-mesh-agent-gloo-mesh cluster role get, update
secrets gloo-mesh-agent-gloo-platform-gloo-mesh-namespaced cluster role * (all)
secrets/status gloo-mesh-agent-gloo-platform-gloo-mesh-namespaced cluster role get, update
The Gloo UI needs read access to many Kubernetes resources and to all Gloo custom resources so that it can display them in the dashboard. Note that, through its namespaced cluster role, the UI can also get, list, and watch secrets in the Gloo namespaces, so treat the UI service account as a secret reader when you review access to those namespaces.

| Resource | Granted by | Allowed verbs |
| --- | --- | --- |
| configmaps | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| namespaces | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| nodes | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| serviceaccounts | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| services | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| dashboards.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| extauthservers.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| gatewaylifecyclemanagers.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| istiolifecyclemanagers.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| kubernetesclusters.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ratelimitserverconfigs.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ratelimitserversettings.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| roottrustpolicies.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| waypointlifecyclemanagers.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| workspaces.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| workspacesettings.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| apidocs.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| apischemadiscoveries.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| graphqlresolvermaps.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| graphqlschemas.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| graphqlstitchedschemas.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| portalgroups.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| portals.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| daemonsets.apps | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| deployments.apps | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| statefulsets.apps | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ciliumnetworkpolicies.cilium.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| authconfigs.extauth.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| wasmdeploymentpolicies.extensions.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| gatewayclasses.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| gateways.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| grpcroutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| httproutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| referencegrants.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| tcproutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| tlsroutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| udproutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| cloudproviders.infrastructure.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| cloudresources.infrastructure.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| istiooperators.install.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| discoveredcnis.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| discoveredgateways.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| meshes.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| portalconfigs.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| spireregistrationentries.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| externalendpoints.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| externalservices.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| externalworkloads.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| routetables.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| virtualdestinations.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| virtualgateways.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| destinationrules.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| envoyfilters.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| gateways.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| serviceentries.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| sidecars.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| virtualservices.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| workloadentries.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| accesslogpolicies.observability.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ratelimitconfigs.ratelimit.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| clusterrolebindings.rbac.authorization.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| clusterroles.rbac.authorization.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| rolebindings.rbac.authorization.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| roles.rbac.authorization.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| activehealthcheckpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| connectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| failoverpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| faultinjectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| listenerconnectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| outlierdetectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| retrytimeoutpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| trimproxyconfigpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| authorizationpolicies.security.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| peerauthentications.security.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| accesspolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| clienttlspolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| corspolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| csrfpolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| dlppolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| extauthpolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| graphqlallowedquerypolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| jwtpolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| wafpolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| httpbufferpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| mirrorpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ratelimitpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| transformationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| configmaps/status | gloo-mesh-ui-gloo-mesh cluster role | get, update |
| dashboards.admin.gloo.solo.io/status | gloo-mesh-ui-gloo-mesh cluster role | get, update |
| kubernetesclusters.admin.gloo.solo.io/status | gloo-mesh-ui-gloo-mesh cluster role | get, update |
| secrets | gloo-mesh-ui-gloo-platform-gloo-mesh-namespaced cluster role | get, list, watch |
| secrets/status | gloo-mesh-ui-gloo-platform-gloo-mesh-namespaced cluster role | get, update |
The Prometheus server needs access to various resources to collect metrics for cluster components and network traffic.

| Resource | Granted by | Allowed verbs |
| --- | --- | --- |
| configmaps | prometheus-server cluster role | get, list, watch |
| endpoints | prometheus-server cluster role | get, list, watch |
| ingresses | prometheus-server cluster role | get, list, watch |
| nodes/metrics | prometheus-server cluster role | get, list, watch |
| nodes/proxy | prometheus-server cluster role | get, list, watch |
| nodes | prometheus-server cluster role | get, list, watch |
| pods | prometheus-server cluster role | get, list, watch |
| services | prometheus-server cluster role | get, list, watch |
| ingresses.extensions/status | prometheus-server cluster role | get, list, watch |
| ingresses.extensions | prometheus-server cluster role | get, list, watch |
| ingresses.networking.k8s.io/status | prometheus-server cluster role | get, list, watch |
| ingresses.networking.k8s.io | prometheus-server cluster role | get, list, watch |
| /metrics (non-resource URL) | prometheus-server cluster role | get |
The external auth service needs access to several Kubernetes and Gloo custom resources to enforce authentication on requests. For example, config maps and secrets might have information that the external auth service needs to authenticate requests, such as an API key. Other resources such as leases are used for leader election when you have multiple replicas.

| Resource | Granted by | Allowed verbs |
| --- | --- | --- |
| events | ext-auth-service-gloo-mesh cluster role | * (all) |
| leases.coordination.k8s.io | ext-auth-service-gloo-mesh cluster role | * (all) |
| configmaps | ext-auth-service-gloo-mesh cluster role | get, list, watch |
| authconfigs.extauth.solo.io | ext-auth-service-gloo-mesh cluster role | get, list, watch |
| authconfigs.extauth.solo.io/status | ext-auth-service-gloo-mesh cluster role | get, update |
| secrets | ext-auth-service-gloo-platform-gloo-mesh-namespaced cluster role | get, list, watch |
The rate limiter needs access to Gloo custom resources to configure rate limiting on requests.

| Resource | Granted by | Allowed verbs |
| --- | --- | --- |
| ratelimitconfigs.ratelimit.solo.io | rate-limiter cluster role | get, list, watch |
| ratelimitconfigs.ratelimit.solo.io/status | rate-limiter cluster role | get, update |
The Gloo portal server needs access to Gloo custom resources to display API products in an end-user facing developer portal.

| Resource | Granted by | Allowed verbs |
| --- | --- | --- |
| apidocs.apimanagement.gloo.solo.io | gloo-mesh-portal-server-gloo-mesh-addons cluster role | get, list, watch |
| portalconfigs.internal.gloo.solo.io | gloo-mesh-portal-server-gloo-mesh-addons cluster role | get, list, watch |
The OpenTelemetry (OTel) gateways and collectors need access to various resources to collect metrics, logs, and traces for the components in your cluster.

| Resource | Granted by | Allowed verbs |
| --- | --- | --- |
| configmaps | gloo-telemetry-* cluster roles | get, list, watch |
| endpoints | gloo-telemetry-* cluster roles | get, list, watch |
| ingresses | gloo-telemetry-* cluster roles | get, list, watch |
| nodes/metrics | gloo-telemetry-* cluster roles | get, list, watch |
| nodes/proxy | gloo-telemetry-* cluster roles | get, list, watch |
| nodes | gloo-telemetry-* cluster roles | get, list, watch |
| pods | gloo-telemetry-* cluster roles | get, list, watch |
| services | gloo-telemetry-* cluster roles | get, list, watch |
| ingresses.extensions/status | gloo-telemetry-* cluster roles | get, list, watch |
| ingresses.extensions | gloo-telemetry-* cluster roles | get, list, watch |
| ingresses.networking.k8s.io/status | gloo-telemetry-* cluster roles | get, list, watch |
| ingresses.networking.k8s.io | gloo-telemetry-* cluster roles | get, list, watch |
| /metrics (non-resource URL) | gloo-telemetry-* cluster roles | get |
The Istio operator that the Gloo Istio Lifecycle Manager uses needs broad access to both Istio and Kubernetes resources to install and upgrade Istio. Note that this cluster role grants all verbs, cluster-wide, on secrets, custom resource definitions, webhook configurations, and RBAC roles and bindings. Because all verbs on cluster roles and cluster role bindings include escalate and bind, the operator's service account can grant itself any permission, so treat it as equivalent to cluster-admin when you review who can run workloads as that service account.

| Resource | Granted by | Allowed verbs |
| --- | --- | --- |
| configmaps | istio-operator-* cluster role | * (all) |
| endpoints | istio-operator-* cluster role | * (all) |
| events | istio-operator-* cluster role | * (all) |
| namespaces | istio-operator-* cluster role | * (all) |
| persistentvolumeclaims | istio-operator-* cluster role | * (all) |
| pods/portforward | istio-operator-* cluster role | * (all) |
| pods/proxy | istio-operator-* cluster role | * (all) |
| pods | istio-operator-* cluster role | * (all) |
| secrets | istio-operator-* cluster role | * (all) |
| serviceaccounts | istio-operator-* cluster role | * (all) |
| services | istio-operator-* cluster role | * (all) |
| mutatingwebhookconfigurations.admissionregistration.k8s.io | istio-operator-* cluster role | * (all) |
| validatingwebhookconfigurations.admissionregistration.k8s.io | istio-operator-* cluster role | * (all) |
| customresourcedefinitions.apiextensions.k8s.io.apiextensions.k8s.io | istio-operator-* cluster role | * (all) |
| customresourcedefinitions.apiextensions.k8s.io | istio-operator-* cluster role | * (all) |
| daemonsets.apps | istio-operator-* cluster role | * (all) |
| deployments.apps/finalizers | istio-operator-* cluster role | * (all) |
| deployments.apps | istio-operator-* cluster role | * (all) |
| replicasets.apps | istio-operator-* cluster role | * (all) |
| *.authentication.istio.io | istio-operator-* cluster role | * (all) |
| horizontalpodautoscalers.autoscaling | istio-operator-* cluster role | * (all) |
| *.config.istio.io | istio-operator-* cluster role | * (all) |
| daemonsets.extensions | istio-operator-* cluster role | * (all) |
| deployments.extensions/finalizers | istio-operator-* cluster role | * (all) |
| deployments.extensions | istio-operator-* cluster role | * (all) |
| replicasets.extensions | istio-operator-* cluster role | * (all) |
| *.install.istio.io | istio-operator-* cluster role | * (all) |
| *.networking.istio.io | istio-operator-* cluster role | * (all) |
| poddisruptionbudgets.policy | istio-operator-* cluster role | * (all) |
| clusterrolebindings.rbac.authorization.k8s.io | istio-operator-* cluster role | * (all) |
| clusterroles.rbac.authorization.k8s.io | istio-operator-* cluster role | * (all) |
| rolebindings.rbac.authorization.k8s.io | istio-operator-* cluster role | * (all) |
| roles.rbac.authorization.k8s.io | istio-operator-* cluster role | * (all) |
| *.security.istio.io | istio-operator-* cluster role | * (all) |
| leases.coordination.k8s.io | istio-operator-* cluster role | get, create, update |
| servicemonitors.monitoring.coreos.com | istio-operator-* cluster role | get, create, update |
When you install Gloo Gateway or Gloo Platform, Istio is set up automatically to manage Envoy-based proxies such as the Istio ingress gateway. Istiod needs access to all Istio custom resources to manage the mesh, and to some Kubernetes resources to deploy gateways, manage the secrets that back mutual TLS, and inject sidecars. Note that istiod can read secrets and approve certificate signing requests cluster-wide, and can create and modify service accounts, services, and deployments cluster-wide.

| Resource | Granted by | Allowed verbs |
| --- | --- | --- |
| secrets | istiod-* roles in istio-system namespace | create, get, watch, list, update, delete |
| gateways | istiod-* roles in istio-system namespace | create |
| configmaps | Versioned istiod role in istio-system namespace | delete |
| leases | Versioned istiod role in istio-system namespace | get, update, patch, create |
| tokenreviews.authentication.k8s.io | istio-reader-* cluster roles | create |
| subjectaccessreviews.authorization.k8s.io | istio-reader-* cluster roles | create |
| serviceexports.multicluster.x-k8s.io | istio-reader-* cluster roles | get, list, watch, create, delete |
| endpoints | istio-reader-* cluster roles | get, list, watch |
| namespaces | istio-reader-* cluster roles | get, list, watch |
| nodes | istio-reader-* cluster roles | get, list, watch |
| pods | istio-reader-* cluster roles | get, list, watch |
| replicationcontrollers | istio-reader-* cluster roles | get, list, watch |
| secrets | istio-reader-* cluster roles | get, list, watch |
| services | istio-reader-* cluster roles | get, list, watch |
| customresourcedefinitions.apiextensions.k8s.io | istio-reader-* cluster roles | get, list, watch |
| replicasets.apps | istio-reader-* cluster roles | get, list, watch |
| *.authentication.istio.io | istio-reader-* cluster roles | get, list, watch |
| *.config.istio.io | istio-reader-* cluster roles | get, list, watch |
| endpointslices.discovery.k8s.io | istio-reader-* cluster roles | get, list, watch |
| serviceimports.multicluster.x-k8s.io | istio-reader-* cluster roles | get, list, watch |
| *.networking.istio.io | istio-reader-* cluster roles | get, list, watch |
| *.rbac.istio.io | istio-reader-* cluster roles | get, list, watch |
| *.security.istio.io | istio-reader-* cluster roles | get, list, watch |
| workloadentries.networking.istio.io | istio-reader-* cluster roles | get, watch, list |
| ingresses.networking.k8s.io/status | istiod-* cluster roles | * (all) |
| signers.certificates.k8s.io | istiod-* cluster roles | approve |
| configmaps | istiod-* cluster roles | create, get, list, watch, update |
| gatewayclasses.gateway.networking.k8s.io | istiod-* cluster roles | create, update, patch, delete |
| tokenreviews.authentication.k8s.io | istiod-* cluster roles | create |
| subjectaccessreviews.authorization.k8s.io | istiod-* cluster roles | create |
| mutatingwebhookconfigurations.admissionregistration.k8s.io | istiod-* cluster roles | get, list, watch, update, patch |
| validatingwebhookconfigurations.admissionregistration.k8s.io | istiod-* cluster roles | get, list, watch, update |
| endpoints | istiod-* cluster roles | get, list, watch |
| namespaces | istiod-* cluster roles | get, list, watch |
| nodes | istiod-* cluster roles | get, list, watch |
| pods | istiod-* cluster roles | get, list, watch |
| services | istiod-* cluster roles | get, list, watch |
| customresourcedefinitions.apiextensions.k8s.io | istiod-* cluster roles | get, list, watch |
| endpointslices.discovery.k8s.io | istiod-* cluster roles | get, list, watch |
| ingressclasses.networking.k8s.io | istiod-* cluster roles | get, list, watch |
| ingresses.networking.k8s.io | istiod-* cluster roles | get, list, watch |
| serviceexports.multicluster.x-k8s.io | istiod-* cluster roles | get, watch, list, create, delete |
| workloadentries.networking.istio.io/status | istiod-* cluster roles | get, watch, list, update, patch, create, delete |
| workloadentries.networking.istio.io | istiod-* cluster roles | get, watch, list, update, patch, create, delete |
| *.gateway.networking.k8s.io | istiod-* cluster roles | get, watch, list, update, patch |
| *.networking.x-k8s.io | istiod-* cluster roles | get, watch, list, update, patch |
| secrets | istiod-* cluster roles | get, watch, list |
| *.authentication.istio.io | istiod-* cluster roles | get, watch, list |
| *.config.istio.io | istiod-* cluster roles | get, watch, list |
| *.extensions.istio.io | istiod-* cluster roles | get, watch, list |
| serviceimports.multicluster.x-k8s.io | istiod-* cluster roles | get, watch, list |
| *.networking.istio.io | istiod-* cluster roles | get, watch, list |
| *.rbac.istio.io | istiod-* cluster roles | get, watch, list |
| *.security.istio.io | istiod-* cluster roles | get, watch, list |
| *.telemetry.istio.io | istiod-* cluster roles | get, watch, list |
| certificatesigningrequests.certificates.k8s.io/approval | istiod-* cluster roles | update, create, get, delete, watch |
| certificatesigningrequests.certificates.k8s.io/status | istiod-* cluster roles | update, create, get, delete, watch |
| certificatesigningrequests.certificates.k8s.io | istiod-* cluster roles | update, create, get, delete, watch |
| serviceaccounts | istiod-* cluster roles | get, watch, list, update, patch, create, delete |
| services | istiod-* cluster roles | get, watch, list, update, patch, create, delete |
| deployments.apps | istiod-* cluster roles | get, watch, list, update, patch, create, delete |
By default, Gloo Gateway sets up one Istio ingress gateway in the gloo-mesh-gateways namespace. You can also set up multiple Istio ingress gateways to back your Gloo virtual gateways. The gateway needs read access to secrets in its own namespace, such as the TLS certificates that it serves on an HTTPS listener; it has no cluster-wide permissions.

| Resource | Granted by | Allowed verbs |
| --- | --- | --- |
| secrets | Versioned gateway role in the gateway namespace, such as gloo-mesh-gateways | get, watch, list |
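
The tables above are a snapshot; what matters on a live cluster is which service accounts can actually read secrets, and whether the grant is cluster-wide (a ClusterRoleBinding) or confined to a few namespaces (a RoleBinding that references one of the "-namespaced" cluster roles). The following script is an added example, not part of Gloo, that evaluates an RBAC dump the way the API server does and reports both, plus any service account holding all verbs, escalate, or bind on RBAC objects, which is effectively cluster-admin. The input shape is what kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json prints. The embedded sample is constructed: the agent's cluster role, namespaced cluster role, and service account names follow the tables, while example-operator and the RoleBinding names are hypothetical.

```python
"""Audit which service accounts can read secrets, and where (added example, not Gloo code).

Input is the JSON that
    kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json
prints: a List whose items each carry their own "kind". SAMPLE below is
constructed to mirror the Gloo layout: a cluster-wide ClusterRole for the agent
that never mentions secrets, a "-namespaced" ClusterRole for secrets that is
bound only by RoleBindings in gloo-mesh and gloo-mesh-addons, and a hypothetical
operator role with "*" on secrets and on RBAC objects.
"""
import json
from collections import defaultdict

READ_VERBS = {"get", "list", "watch"}
RBAC_GROUP = "rbac.authorization.k8s.io"
RBAC_RESOURCES = ("clusterroles", "clusterrolebindings", "roles", "rolebindings")


def _matches(rule, group, resource, wanted_verbs):
    """True if one PolicyRule covers `resource` in `group` with any of `wanted_verbs`."""
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    verbs = set(rule.get("verbs", []))
    return ((group in groups or "*" in groups)
            and (resource in resources or "*" in resources)
            and ("*" in verbs or bool(verbs & wanted_verbs)))


def reads_secrets(rule):
    return _matches(rule, "", "secrets", READ_VERBS)


def rbac_admin(rule):
    """'*', escalate or bind on RBAC objects lets the holder grant itself anything."""
    return any(_matches(rule, RBAC_GROUP, r, {"escalate", "bind"}) for r in RBAC_RESOURCES)


def _index(rbac_list):
    roles, bindings = {}, []
    for item in rbac_list["items"]:
        kind, meta = item["kind"], item["metadata"]
        if kind in ("ClusterRole", "Role"):
            roles[(kind, meta.get("namespace", ""), meta["name"])] = item.get("rules", [])
        elif kind in ("ClusterRoleBinding", "RoleBinding"):
            bindings.append(item)
    return roles, bindings


def service_accounts_with(rbac_list, predicate):
    """Map 'namespace/serviceaccount' -> scopes in which a bound rule satisfies predicate.

    Scope is '*' for a ClusterRoleBinding and the binding's own namespace for a
    RoleBinding. A RoleBinding that references a ClusterRole still grants only
    inside its namespace; that is how a '-namespaced' cluster role confines
    secret access. Aggregated ClusterRoles and User/Group subjects are ignored.
    """
    roles, bindings = _index(rbac_list)
    access = defaultdict(set)
    for b in bindings:
        ref, ns = b["roleRef"], b["metadata"].get("namespace", "")
        role_ns = "" if ref["kind"] == "ClusterRole" else ns
        if not any(predicate(r) for r in roles.get((ref["kind"], role_ns, ref["name"]), [])):
            continue
        scope = "*" if b["kind"] == "ClusterRoleBinding" else ns
        for s in b.get("subjects", []):
            if s.get("kind") == "ServiceAccount":
                access[f"{s.get('namespace', '')}/{s['name']}"].add(scope)
    return dict(access)


def cluster_wide_secret_readers(rbac_list):
    """Service accounts that can read secrets in every namespace."""
    return sorted(sa for sa, scopes in service_accounts_with(rbac_list, reads_secrets).items()
                  if "*" in scopes)


# --- constructed sample input, in the shape of `kubectl get ... -o json` ----
def _obj(kind, name, namespace=None, **fields):
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta, **fields}


def _binding(kind, name, role_name, sa_ns, sa_name, namespace=None):
    return _obj(kind, name, namespace, roleRef={"kind": "ClusterRole", "name": role_name},
                subjects=[{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_ns}])


AGENT = ("gloo-mesh", "gloo-mesh-agent")
NAMESPACED_ROLE = "gloo-mesh-agent-gloo-platform-gloo-mesh-namespaced"
SAMPLE = {"kind": "List", "items": [
    _obj("ClusterRole", "gloo-mesh-agent-gloo-mesh", rules=[
        {"apiGroups": [""], "resources": ["configmaps", "services"], "verbs": ["get", "list", "watch"]}]),
    _binding("ClusterRoleBinding", "gloo-mesh-agent-gloo-mesh", "gloo-mesh-agent-gloo-mesh", *AGENT),
    _obj("ClusterRole", NAMESPACED_ROLE, rules=[
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]),
    _binding("RoleBinding", NAMESPACED_ROLE, NAMESPACED_ROLE, *AGENT, namespace="gloo-mesh"),
    _binding("RoleBinding", NAMESPACED_ROLE, NAMESPACED_ROLE, *AGENT, namespace="gloo-mesh-addons"),
    # Hypothetical operator: '*' on secrets and on RBAC objects, bound cluster-wide.
    _obj("ClusterRole", "example-operator", rules=[
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]},
        {"apiGroups": [RBAC_GROUP], "resources": ["clusterroles", "clusterrolebindings"], "verbs": ["*"]}]),
    _binding("ClusterRoleBinding", "example-operator", "example-operator", "istio-operator", "example-operator"),
]}

if __name__ == "__main__":
    import sys
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for sa, scopes in sorted(service_accounts_with(data, reads_secrets).items()):
        print(f"secrets  {sa:40} {'CLUSTER-WIDE' if '*' in scopes else ', '.join(sorted(scopes))}")
    for sa in sorted(service_accounts_with(data, rbac_admin)):
        print(f"rbac-admin (effectively cluster-admin)  {sa}")
```

Run it with no argument to evaluate the embedded sample, or save the output of kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json to a file and pass its path. On the sample, the agent shows up only for gloo-mesh and gloo-mesh-addons, while example-operator is reported as a cluster-wide secret reader and as rbac-admin. Running the same dump again after an upgrade that sets namespacedRbac for a component confirms that its secret access is no longer cluster-wide. For a spot check against the API server itself, kubectl auth can-i get secrets -n default --as=system:serviceaccount:gloo-mesh:gloo-mesh-agent should answer no once only the namespaced role is bound.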

Restrict default permissions

You can restrict the permissions for select Gloo components. By default, Gloo components use Kubernetes cluster roles and cluster role bindings to get access to resources on a cluster-wide level. To restrict these permissions, configure the namespacedRbac Helm option for select Gloo components during your Gloo installation or upgrade.

Namespaced RBAC for select components is available in versions 2.3.19, 2.4.4, 2.5, and later. Do not otherwise try to modify the default permissions by editing the Kubernetes cluster role or role for each component. Modifying the permissions can lead to unexpected results, and a Helm upgrade can overwrite your manual edits. If you need to modify other permissions, such as for security compliance reasons, contact Support with your use case.

Gloo components that you can restrict access for:

• Management server (glooMgmtServer)
• Agent (glooAgent)
• UI (glooUi)
• External auth service (extAuthService)

Resources that you can restrict access to:

• Kubernetes secrets

At a minimum, you must allow access to the following namespaces for each Gloo component:

• The namespaces that the Gloo components are deployed to, such as gloo-mesh and gloo-mesh-addons. If your namespaces have different names, use those instead.

The following steps upgrade an existing Helm release to restrict the permissions of the management server, agent, UI, and external auth service for Kubernetes secrets to Gloo namespaces only. The steps do not upgrade the Gloo Platform management server or agent versions or otherwise change the components.

  1. Check the Helm releases in your cluster. Depending on your installation method, you either have only a main installation release (such as gloo-platform), or a main installation and a separate add-ons release (such as gloo-agent-addons), in addition to your CRDs release.

    helm ls -A
    
  2. Get your current installation values.

    • If you have only one release for your installation, get those values. Note that if you migrated from the legacy Helm charts, your Helm release might be named gloo-mgmt or gloo-mesh-enterprise instead.

      helm get values gloo-platform -n gloo-mesh -o yaml > gloo-gateway-single.yaml
      open gloo-gateway-single.yaml
      
    • If you have a separate add-ons release, get those values.

      helm get values gloo-agent-addons -n gloo-mesh-addons -o yaml > gloo-agent-addons.yaml
      open gloo-agent-addons.yaml
      
  3. Add the following settings in the sections for each component that you want to restrict Kubernetes RBAC permissions to namespaces. Keep in mind the following points:

    • You can restrict only Kubernetes secrets.
    • You must include the namespaces that the Gloo components are deployed to, such as gloo-mesh and gloo-mesh-addons. If your namespaces have different names, replace these values.
    • You add these values along with all the rest of the values in your Helm configuration file.

    glooMgmtServer:
      enabled: true
      namespacedRbac:
      - resources:
        - secrets
        namespaces:
        - gloo-mesh
        - gloo-mesh-addons
    ...
    
    glooAgent:
      enabled: true
      namespacedRbac:
      - resources:
        - secrets
        namespaces:
        - gloo-mesh
        - gloo-mesh-addons
    ...
    
    glooUi:
      enabled: true
      namespacedRbac:
      - resources:
        - secrets
        namespaces:
        - gloo-mesh
        - gloo-mesh-addons
    
    extAuthService:
      enabled: true
      extAuth:
        namespacedRbac:
        - resources:
          - secrets
          namespaces:
          - gloo-mesh
          - gloo-mesh-addons
    ...
    
    clickhouse:
      enabled: true
    glooAgent:
      enabled: true
      relay:
        serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900
      namespacedRbac:
      - resources:
        - secrets
        namespaces:
        - gloo-mesh
        - gloo-mesh-addons
    glooMgmtServer:
      serviceType: ClusterIP
      registerCluster: true
      enabled: true
      createGlobalWorkspace: true
      namespacedRbac:
      - resources:
        - secrets
        namespaces:
        - gloo-mesh
        - gloo-mesh-addons
    glooUi:
      enabled: true
      namespacedRbac:
      - resources:
        - secrets
        namespaces:
        - gloo-mesh
        - gloo-mesh-addons
    istioInstallations:
      controlPlane:
        enabled: true
        installations:
          - istioOperatorSpec:
              meshConfig:
                accessLogFile: /dev/stdout
                accessLogEncoding: JSON
                accessLogFormat: |
                  {
                    "timestamp": "%START_TIME%",
                    "server_name": "%REQ(:AUTHORITY)%",
                    "response_duration": "%DURATION%",
                    "request_command": "%REQ(:METHOD)%",
                    "request_uri": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
                    "request_protocol": "%PROTOCOL%",
                    "status_code": "%RESPONSE_CODE%",
                    "client_address": "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%",
                    "x_forwarded_for": "%REQ(X-FORWARDED-FOR)%",
                    "bytes_sent": "%BYTES_SENT%",
                    "bytes_received": "%BYTES_RECEIVED%",
                    "user_agent": "%REQ(USER-AGENT)%",
                    "downstream_local_address": "%DOWNSTREAM_LOCAL_ADDRESS%",
                    "requested_server_name": "%REQUESTED_SERVER_NAME%",
                    "request_id": "%REQ(X-REQUEST-ID)%",
                    "response_flags": "%RESPONSE_FLAGS%",
                    "route_name": "%ROUTE_NAME%",
                    "upstream_cluster": "%UPSTREAM_CLUSTER%",
                    "upstream_host": "%UPSTREAM_HOST%",
                    "upstream_local_address": "%UPSTREAM_LOCAL_ADDRESS%",
                    "upstream_service_time": "%REQ(x-envoy-upstream-service-time)%",
                    "upstream_transport_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%",
                    "correlation_id": "%REQ(X-CORRELATION-ID)%",
                    "user_id": "%DYNAMIC_METADATA(envoy.filters.http.ext_authz:userId)%",
                    "api_id": "%DYNAMIC_METADATA(io.solo.gloo.apimanagement:api_id)%",
                    "api_product_id": "%DYNAMIC_METADATA(io.solo.gloo.apimanagement:api_product_id)%",
                    "api_product_name": "%DYNAMIC_METADATA(io.solo.gloo.apimanagement:api_product_name)%",
                    "usage_plan": "%DYNAMIC_METADATA(envoy.filters.http.ext_authz:usagePlan)%",
                    "custom_metadata": "%DYNAMIC_METADATA(io.solo.gloo.apimanagement:custom_metadata)%"
                  }
            revision: auto
      enabled: true
      northSouthGateways:
        - enabled: true
          installations:
            - gatewayRevision: auto
              istioOperatorSpec: {}
          name: istio-ingressgateway
    telemetryCollector:
      presets:
        logsCollection:
          enabled: true
          storeCheckpoints: true
      enabled: true
      config:
        exporters:
          otlp:
            endpoint: gloo-telemetry-gateway.gloo-mesh:4317
    telemetryCollectorCustomization:
      pipelines:
        logs/istio_access_logs:
          enabled: true
    prometheus:
      enabled: true
    redis:
      deployment:
        enabled: true
    telemetryGateway:
      enabled: true
      service:
        type: ClusterIP
      extraEnvs:
      - name: CLICKHOUSE_PASSWORD
        valueFrom:
          secretKeyRef:
            key: password
            name: clickhouse-auth
    telemetryGatewayCustomization:
      pipelines:
        logs/clickhouse:
          enabled: true
      extraExporters:
        clickhouse:
          password: "${env:CLICKHOUSE_PASSWORD}"
    extAuthService:
      enabled: true
      extAuth:
        namespacedRbac:
        - resources:
          - secrets
          namespaces:
          - gloo-mesh
          - gloo-mesh-addons
        apiKeyStorage:
          name: redis
          enabled: true
          config:
            host: "redis.gloo-mesh-addons:6379"
            db: 0
          secretKey: "ThisIsSecret"
    glooPortalServer:
      enabled: true
      apiKeyStorage:
        redis:
          enabled: true
          address: redis.gloo-mesh-addons:6379
        configPath: /etc/redis-client-config/config.yaml
        secretKey: "ThisIsSecret"
    rateLimiter:
      enabled: true
    
  4. Upgrade your Helm release with the namespaced RBAC restrictions. Be sure to include the Helm values file ($VALUES_FILE) that you previously created and the Gloo version of your current installation ($GLOO_VERSION).

    • If you have only one release for your installation, upgrade the gloo-platform release. Note that if you migrated from the legacy Helm charts, your Helm release might be named gloo-mgmt or gloo-mesh-enterprise instead.

      helm upgrade -i gloo-platform gloo-platform/gloo-platform \
         --namespace gloo-mesh \
         --create-namespace \
         --values $VALUES_FILE \
         --version $GLOO_VERSION
      
    • If you have a separate add-ons release, upgrade the gloo-agent-addons release.

      helm upgrade -i gloo-agent-addons gloo-platform/gloo-platform \
         --namespace gloo-mesh-addons \
         --create-namespace \
         --values $VALUES_FILE \
         --version $GLOO_VERSION
      
  5. Verify that your Gloo environment is healthy. Note that this check might take a few seconds to complete.

    meshctl check
    
  6. Confirm that the permissions are correct by checking the RBAC setup.
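One way to automate that last check, as an added example that is not part of the Gloo docs: feed this script the JSON that `kubectl get clusterroles,roles -A -l app=gloo-mesh-mgmt-server -o json` returns (the `-o json` flag is assumed here, the label selector is the one the page uses) and it lists every role that still grants access to secrets cluster-wide or outside the Gloo namespaces.

```python
"""Check that a Gloo component's RBAC grants secrets only in the Gloo namespaces.

Added example, not from the Gloo docs. Input is the JSON produced by
`kubectl get clusterroles,roles -A -l app=<component> -o json` (assumed flag).
"""
import json

# Namespaces the page says must stay allowed for every Gloo component.
ALLOWED_NAMESPACES = {"gloo-mesh", "gloo-mesh-addons"}


def secret_grants(items):
    """Yield (kind, name, namespace) for each role with a rule covering secrets.

    Secrets live in the core API group (""), so a rule must name that group
    or "*"; a resource of "*" counts as covering secrets too.
    """
    for item in items:
        for rule in item.get("rules", []):
            groups = rule.get("apiGroups", [])
            if "" not in groups and "*" not in groups:
                continue
            resources = rule.get("resources", [])
            if "secrets" in resources or "*" in resources:
                meta = item["metadata"]
                yield (item["kind"], meta["name"], meta.get("namespace"))
                break


def violations(rbac_json):
    """Return secrets grants that are cluster-wide or outside ALLOWED_NAMESPACES."""
    items = json.loads(rbac_json)["items"]
    return [g for g in secret_grants(items)
            if g[0] == "ClusterRole" or g[2] not in ALLOWED_NAMESPACES]


# Constructed sample output: a cluster role without secrets access, the two
# namespaced roles namespacedRbac creates, and one stray role in "default".
SAMPLE = json.dumps({"items": [
    {"kind": "ClusterRole", "metadata": {"name": "gloo-mesh-mgmt-server"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "gloo-mesh-mgmt-server", "namespace": "gloo-mesh"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "gloo-mesh-mgmt-server", "namespace": "gloo-mesh-addons"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "stray", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
]})

if __name__ == "__main__":
    for kind, name, ns in violations(SAMPLE):
        print(f"{kind} {name} (namespace={ns}) still grants access to secrets")
```

An empty result means the component reads secrets only in the namespaces you listed under namespacedRbac; a ClusterRole in the output means the upgrade did not take effect for that component.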