On this page
Gloo component permissions
Review the default Kubernetes role-based access control (RBAC) permissions of Gloo and Gloo-deployed components.
When you install a Gloo product, you deploy several core and addon components, such as the management server, agent, and external auth service. For more information about the components, see Platform architecture.
These components might come with a default set of permissions granted by Kubernetes RBAC cluster roles and roles. Some components that do not need Kubernetes permissions, such as Redis or Clickhouse databases, do not have Kubernetes RBAC resources. Other components, such as the management server, agent, and UI, might have several cluster roles that are used to scope certain permissions on sensitive resources such as secrets to namespaces.
Check the RBAC setup link
In Kubernetes RBAC, roles and cluster roles configure a set of permissions, such as to view or modify Kubernetes objects. Role bindings and cluster role bindings bind these permissions to a subject in Kubernetes, such as a service account. For more information, see the Kubernetes docs. Most Gloo components have their own Kubernetes service accounts, roles or cluster roles, and role bindings or cluster role bindings.
To check the RBAC setup for each component, you can run the following commands. Alternatively, you can check the permissions tables for each component in Review Gloo permissions.
info
When you install Gloo with Helm, you set a release name, such as the default gloo-platform. If you used a different release name, update the commands accordingly, such as -l app.kubernetes.io/instance=gloo-platform to -l app.kubernetes.io/instance=$RELEASE.
Get the Kubernetes RBAC resources for the Gloo component that you want to check.
kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=gloo-mesh-mgmt-serverkubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=gloo-mesh-agentkubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=gloo-mesh-uikubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=prometheuskubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=ext-auth-servicekubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=rate-limiterkubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=gloo-mesh-portal-serverFor optional components that are installed by Gloo Gateway via Helm, such as the OpenTelemetry (OTel) gateways and collectors.
kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app.kubernetes.io/name=telemetryCollectorFor the Istio operator used by Gloo’s Istio Lifeycle Manager.
kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l gloo.solo.io/parent_name=gloo-platformFor instances installed by Gloo’s Istio Lifecycle Manager, such as istiod and the Istio gateway controller.
kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l install.operator.istio.io/owning-resource=gloo-platformFor the Istio ingress gateway.
kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l install.operator.istio.io/owning-resource=istio-ingressgateway-1-18-2Check the role binding or cluster role binding for the component. Make sure that the role or cluster role in the Role section and the service account in the Subjects section match the names for the Gloo component in the output from the previous step.
kubectl describe clusterrolebinding gloo-mesh-mgmt-server-gloo-platformExample output: The cluster role binding grants the
gloo-mesh-mgmt-serverservice account access in thegloo-meshnamespace thegloo-mesh-mgmt-server-gloo-platformcluster role.Role: Kind: ClusterRole Name: gloo-mesh-mgmt-server-gloo-platform Subjects: Kind Name Namespace ---- ---- --------- ServiceAccount gloo-mesh-mgmt-server gloo-meshGet the details of a cluster role or role. Check the PolicyRule in each role or cluster role to review specific permissions.
info
The following example shows how the management server can have both roles and cluster roles if you restrict its permissions. Some other Gloo components might have only roles or cluster roles, depending on your setup.
kubectl describe role -n gloo-mesh gloo-mesh-mgmt-server-gloo-platform-gloo-mesh-namespaced
kubectl describe role -n gloo-mesh-addons gloo-mesh-mgmt-server-gloo-platform-gloo-mesh-namespaced
Example output: The roles grant the Gloo management server access to Kubernetes secrets. Because the roles that you described are scoped to the gloo-mesh and gloo-mesh-addons namespaces, the management server can access secrets in the those namespaces only.
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
secrets [] [] [*]
secrets/status [] [] [get, update]
kubectl describe clusterrole gloo-mesh-mgmt-server-gloo-platform
Example output: The default Kubernetes RBAC for the management server normally includes access to secrets. However, in this example, you restricted access to only the gloo-mesh and gloo-mesh-addon namespaces through roles and role bindings. Therefore, the cluster role no longer has access to secrets.
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
configmaps [] [] [*]
namespaces [] [] [*]
pods [] [] [*]
serviceaccounts [] [] [*]
services [] [] [*]
mutatingwebhookconfigurations.admissionregistration.k8s.io [] [] [*]
validatingwebhookconfigurations.admissionregistration.k8s.io [] [] [*]
apidocs.apimanagement.gloo.solo.io [] [] [*]
deployments.apps [] [] [*]
ciliumnetworkpolicies.cilium.io [] [] [*]
leases.coordination.k8s.io [] [] [*]
authconfigs.extauth.solo.io [] [] [*]
gateways.gateway.networking.k8s.io [] [] [*]
cloudresources.infrastructure.gloo.solo.io [] [] [*]
istiooperators.install.istio.io [] [] [*]
issuedcertificates.internal.gloo.solo.io [] [] [*]
portalconfigs.internal.gloo.solo.io [] [] [*]
spireregistrationentries.internal.gloo.solo.io [] [] [*]
xdsconfigs.internal.gloo.solo.io [] [] [*]
destinationrules.networking.istio.io [] [] [*]
envoyfilters.networking.istio.io [] [] [*]
gateways.networking.istio.io [] [] [*]
serviceentries.networking.istio.io [] [] [*]
sidecars.networking.istio.io [] [] [*]
virtualservices.networking.istio.io [] [] [*]
workloadentries.networking.istio.io [] [] [*]
workloadgroups.networking.istio.io [] [] [*]
networkpolicies.networking.k8s.io [] [] [*]
ratelimitconfigs.ratelimit.solo.io [] [] [*]
clusterrolebindings.rbac.authorization.k8s.io [] [] [*]
clusterroles.rbac.authorization.k8s.io [] [] [*]
authorizationpolicies.security.istio.io [] [] [*]
peerauthentications.security.istio.io [] [] [*]
nodes [] [] [get list watch]
dashboards.admin.gloo.solo.io [] [] [get list watch]
extauthservers.admin.gloo.solo.io [] [] [get list watch]
gatewaylifecyclemanagers.admin.gloo.solo.io [] [] [get list watch]
istiolifecyclemanagers.admin.gloo.solo.io [] [] [get list watch]
kubernetesclusters.admin.gloo.solo.io [] [] [get list watch]
ratelimitserverconfigs.admin.gloo.solo.io [] [] [get list watch]
ratelimitserversettings.admin.gloo.solo.io [] [] [get list watch]
roottrustpolicies.admin.gloo.solo.io [] [] [get list watch]
waypointlifecyclemanagers.admin.gloo.solo.io [] [] [get list watch]
workspaces.admin.gloo.solo.io [] [] [get list watch]
workspacesettings.admin.gloo.solo.io [] [] [get list watch]
customresourcedefinitions.apiextensions.k8s.io [] [] [get list watch]
apischemadiscoveries.apimanagement.gloo.solo.io [] [] [get list watch]
graphqlresolvermaps.apimanagement.gloo.solo.io [] [] [get list watch]
graphqlschemas.apimanagement.gloo.solo.io [] [] [get list watch]
graphqlstitchedschemas.apimanagement.gloo.solo.io [] [] [get list watch]
portalgroups.apimanagement.gloo.solo.io [] [] [get list watch]
portals.apimanagement.gloo.solo.io [] [] [get list watch]
daemonsets.apps [] [] [get list watch]
statefulsets.apps [] [] [get list watch]
wasmdeploymentpolicies.extensions.policy.gloo.solo.io [] [] [get list watch]
gatewayclasses.gateway.networking.k8s.io [] [] [get list watch]
grpcroutes.gateway.networking.k8s.io [] [] [get list watch]
httproutes.gateway.networking.k8s.io [] [] [get list watch]
referencegrants.gateway.networking.k8s.io [] [] [get list watch]
tcproutes.gateway.networking.k8s.io [] [] [get list watch]
tlsroutes.gateway.networking.k8s.io [] [] [get list watch]
udproutes.gateway.networking.k8s.io [] [] [get list watch]
cloudproviders.infrastructure.gloo.solo.io [] [] [get list watch]
certificaterequests.internal.gloo.solo.io [] [] [get list watch]
discoveredcnis.internal.gloo.solo.io [] [] [get list watch]
discoveredgateways.internal.gloo.solo.io [] [] [get list watch]
meshes.internal.gloo.solo.io [] [] [get list watch]
externalendpoints.networking.gloo.solo.io [] [] [get list watch]
externalservices.networking.gloo.solo.io [] [] [get list watch]
externalworkloads.networking.gloo.solo.io [] [] [get list watch]
routetables.networking.gloo.solo.io [] [] [get list watch]
virtualdestinations.networking.gloo.solo.io [] [] [get list watch]
virtualgateways.networking.gloo.solo.io [] [] [get list watch]
accesslogpolicies.observability.policy.gloo.solo.io [] [] [get list watch]
rolebindings.rbac.authorization.k8s.io [] [] [get list watch]
roles.rbac.authorization.k8s.io [] [] [get list watch]
activehealthcheckpolicies.resilience.policy.gloo.solo.io [] [] [get list watch]
connectionpolicies.resilience.policy.gloo.solo.io [] [] [get list watch]
failoverpolicies.resilience.policy.gloo.solo.io [] [] [get list watch]
faultinjectionpolicies.resilience.policy.gloo.solo.io [] [] [get list watch]
graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io [] [] [get list watch]
listenerconnectionpolicies.resilience.policy.gloo.solo.io [] [] [get list watch]
outlierdetectionpolicies.resilience.policy.gloo.solo.io [] [] [get list watch]
retrytimeoutpolicies.resilience.policy.gloo.solo.io [] [] [get list watch]
trimproxyconfigpolicies.resilience.policy.gloo.solo.io [] [] [get list watch]
accesspolicies.security.policy.gloo.solo.io [] [] [get list watch]
clienttlspolicies.security.policy.gloo.solo.io [] [] [get list watch]
corspolicies.security.policy.gloo.solo.io [] [] [get list watch]
csrfpolicies.security.policy.gloo.solo.io [] [] [get list watch]
dlppolicies.security.policy.gloo.solo.io [] [] [get list watch]
extauthpolicies.security.policy.gloo.solo.io [] [] [get list watch]
graphqlallowedquerypolicies.security.policy.gloo.solo.io [] [] [get list watch]
jwtpolicies.security.policy.gloo.solo.io [] [] [get list watch]
wafpolicies.security.policy.gloo.solo.io [] [] [get list watch]
headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io [] [] [get list watch]
httpbufferpolicies.trafficcontrol.policy.gloo.solo.io [] [] [get list watch]
loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io [] [] [get list watch]
mirrorpolicies.trafficcontrol.policy.gloo.solo.io [] [] [get list watch]
proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io [] [] [get list watch]
ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io [] [] [get list watch]
ratelimitpolicies.trafficcontrol.policy.gloo.solo.io [] [] [get list watch]
transformationpolicies.trafficcontrol.policy.gloo.solo.io [] [] [get list watch]
namespaces/status [] [] [get update]
nodes/status [] [] [get update]
serviceaccounts/status [] [] [get update]
services/status [] [] [get update]
dashboards.admin.gloo.solo.io/status [] [] [get update]
extauthservers.admin.gloo.solo.io/status [] [] [get update]
gatewaylifecyclemanagers.admin.gloo.solo.io/status [] [] [get update]
istiolifecyclemanagers.admin.gloo.solo.io/status [] [] [get update]
kubernetesclusters.admin.gloo.solo.io/status [] [] [get update]
ratelimitserverconfigs.admin.gloo.solo.io/status [] [] [get update]
ratelimitserversettings.admin.gloo.solo.io/status [] [] [get update]
roottrustpolicies.admin.gloo.solo.io/status [] [] [get update]
waypointlifecyclemanagers.admin.gloo.solo.io/status [] [] [get update]
workspaces.admin.gloo.solo.io/status [] [] [get update]
workspacesettings.admin.gloo.solo.io/status [] [] [get update]
apidocs.apimanagement.gloo.solo.io/status [] [] [get update]
apischemadiscoveries.apimanagement.gloo.solo.io/status [] [] [get update]
graphqlresolvermaps.apimanagement.gloo.solo.io/status [] [] [get update]
graphqlschemas.apimanagement.gloo.solo.io/status [] [] [get update]
graphqlstitchedschemas.apimanagement.gloo.solo.io/status [] [] [get update]
portalgroups.apimanagement.gloo.solo.io/status [] [] [get update]
portals.apimanagement.gloo.solo.io/status [] [] [get update]
daemonsets.apps/status [] [] [get update]
deployments.apps/status [] [] [get update]
statefulsets.apps/status [] [] [get update]
ciliumnetworkpolicies.cilium.io/status [] [] [get update]
authconfigs.extauth.solo.io/status [] [] [get update]
wasmdeploymentpolicies.extensions.policy.gloo.solo.io/status [] [] [get update]
gatewayclasses.gateway.networking.k8s.io/status [] [] [get update]
gateways.gateway.networking.k8s.io/status [] [] [get update]
grpcroutes.gateway.networking.k8s.io/status [] [] [get update]
httproutes.gateway.networking.k8s.io/status [] [] [get update]
referencegrants.gateway.networking.k8s.io/status [] [] [get update]
tcproutes.gateway.networking.k8s.io/status [] [] [get update]
tlsroutes.gateway.networking.k8s.io/status [] [] [get update]
udproutes.gateway.networking.k8s.io/status [] [] [get update]
cloudproviders.infrastructure.gloo.solo.io/status [] [] [get update]
cloudresources.infrastructure.gloo.solo.io/status [] [] [get update]
istiooperators.install.istio.io/status [] [] [get update]
certificaterequests.internal.gloo.solo.io/status [] [] [get update]
discoveredcnis.internal.gloo.solo.io/status [] [] [get update]
discoveredgateways.internal.gloo.solo.io/status [] [] [get update]
issuedcertificates.internal.gloo.solo.io/status [] [] [get update]
meshes.internal.gloo.solo.io/status [] [] [get update]
portalconfigs.internal.gloo.solo.io/status [] [] [get update]
spireregistrationentries.internal.gloo.solo.io/status [] [] [get update]
externalendpoints.networking.gloo.solo.io/status [] [] [get update]
externalservices.networking.gloo.solo.io/status [] [] [get update]
externalworkloads.networking.gloo.solo.io/status [] [] [get update]
routetables.networking.gloo.solo.io/status [] [] [get update]
virtualdestinations.networking.gloo.solo.io/status [] [] [get update]
virtualgateways.networking.gloo.solo.io/status [] [] [get update]
destinationrules.networking.istio.io/status [] [] [get update]
envoyfilters.networking.istio.io/status [] [] [get update]
gateways.networking.istio.io/status [] [] [get update]
serviceentries.networking.istio.io/status [] [] [get update]
sidecars.networking.istio.io/status [] [] [get update]
virtualservices.networking.istio.io/status [] [] [get update]
workloadentries.networking.istio.io/status [] [] [get update]
accesslogpolicies.observability.policy.gloo.solo.io/status [] [] [get update]
ratelimitconfigs.ratelimit.solo.io/status [] [] [get update]
clusterrolebindings.rbac.authorization.k8s.io/status [] [] [get update]
clusterroles.rbac.authorization.k8s.io/status [] [] [get update]
rolebindings.rbac.authorization.k8s.io/status [] [] [get update]
roles.rbac.authorization.k8s.io/status [] [] [get update]
activehealthcheckpolicies.resilience.policy.gloo.solo.io/status [] [] [get update]
connectionpolicies.resilience.policy.gloo.solo.io/status [] [] [get update]
failoverpolicies.resilience.policy.gloo.solo.io/status [] [] [get update]
faultinjectionpolicies.resilience.policy.gloo.solo.io/status [] [] [get update]
graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io/status [] [] [get update]
listenerconnectionpolicies.resilience.policy.gloo.solo.io/status [] [] [get update]
outlierdetectionpolicies.resilience.policy.gloo.solo.io/status [] [] [get update]
retrytimeoutpolicies.resilience.policy.gloo.solo.io/status [] [] [get update]
trimproxyconfigpolicies.resilience.policy.gloo.solo.io/status [] [] [get update]
authorizationpolicies.security.istio.io/status [] [] [get update]
peerauthentications.security.istio.io/status [] [] [get update]
accesspolicies.security.policy.gloo.solo.io/status [] [] [get update]
clienttlspolicies.security.policy.gloo.solo.io/status [] [] [get update]
corspolicies.security.policy.gloo.solo.io/status [] [] [get update]
csrfpolicies.security.policy.gloo.solo.io/status [] [] [get update]
dlppolicies.security.policy.gloo.solo.io/status [] [] [get update]
extauthpolicies.security.policy.gloo.solo.io/status [] [] [get update]
graphqlallowedquerypolicies.security.policy.gloo.solo.io/status [] [] [get update]
jwtpolicies.security.policy.gloo.solo.io/status [] [] [get update]
wafpolicies.security.policy.gloo.solo.io/status [] [] [get update]
headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io/status [] [] [get update]
httpbufferpolicies.trafficcontrol.policy.gloo.solo.io/status [] [] [get update]
loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io/status [] [] [get update]
mirrorpolicies.trafficcontrol.policy.gloo.solo.io/status [] [] [get update]
proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io/status [] [] [get update]
ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io/status [] [] [get update]
ratelimitpolicies.trafficcontrol.policy.gloo.solo.io/status [] [] [get update]
transformationpolicies.trafficcontrol.policy.gloo.solo.io/status [] [] [get update]
Repeat the previous step for each component that you want to check. The following commands check all roles and cluster roles per component and pipe the output to
jqto get only the PolicyRules. Alternatively, you can check the permissions tables for each component in Review Gloo permissions.kubectl get clusterrole,role -l app=gloo-mesh-mgmt-server -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'kubectl get clusterrole,role -l app=gloo-mesh-agent -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'kubectl get clusterrole,role -l app=gloo-mesh-ui -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'kubectl get clusterrole,role -l app=prometheus -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'kubectl get clusterrole,role -l app=ext-auth-service -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'kubectl get clusterrole,role -l app=rate-limiter -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'kubectl get clusterrole,role -l app=gloo-mesh-portal-server -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'kubectl get clusterrole,role -l app.kubernetes.io/instance=gloo-platform -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'For the Istio operator used by Gloo’s Istio Lifeycle Manager.
kubectl get clusterrole,role -l gloo.solo.io/parent_name=gloo-platform -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'For components that are installed by the Gloo Istio Lifecycle Manager, such as istiod and the Istio gateway controller.
kubectl get clusterrole,role -l install.operator.istio.io/owning-resource=gloo-platform -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'kubectl get clusterrole,role -l operator.istio.io/component=IngressGateways -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'Example output:
{ "Name": "istio-ingressgateway-1-18-2-sds", "PolicyRules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }
Review Gloo permissions link
Review the following tables that describe the default permissions by Gloo component. For steps to check these permissions in your cluster setup, see Check default RBAC setup. For steps to modify these permission, see Restrict default permissions.
The Gloo management server needs access to many Kubernetes and all Gloo custom resources to manage Gloo resources. These actions include writing Gloo resources, managing the status of Gloo resources, writing output objects for Gloo resources such as translated Istio objects, and performing leader election when you have multiple server replicas.
| Resource | Granted by | Allowed verbs |
|---|---|---|
| configmaps | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| namespaces | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| pods | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| serviceaccounts | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| services | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| mutatingwebhookconfigurations.admissionregistration.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| validatingwebhookconfigurations.admissionregistration.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| apidocs.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| deployments.apps | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| ciliumnetworkpolicies.cilium.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| leases.coordination.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| authconfigs.extauth.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| gateways.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| cloudresources.infrastructure.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| istiooperators.install.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| issuedcertificates.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| portalconfigs.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| spireregistrationentries.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| xdsconfigs.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| destinationrules.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| envoyfilters.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| gateways.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| serviceentries.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| sidecars.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| virtualservices.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| workloadentries.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| workloadgroups.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| networkpolicies.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| ratelimitconfigs.ratelimit.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| clusterrolebindings.rbac.authorization.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| clusterroles.rbac.authorization.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| authorizationpolicies.security.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| peerauthentications.security.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
| nodes | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| dashboards.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| extauthservers.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| gatewaylifecyclemanagers.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| istiolifecyclemanagers.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| kubernetesclusters.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| ratelimitserverconfigs.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| ratelimitserversettings.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| roottrustpolicies.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| waypointlifecyclemanagers.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| workspaces.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| workspacesettings.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| customresourcedefinitions.apiextensions.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| apischemadiscoveries.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| graphqlresolvermaps.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| graphqlschemas.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| graphqlstitchedschemas.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| portalgroups.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| portals.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| daemonsets.apps | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| statefulsets.apps | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| wasmdeploymentpolicies.extensions.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| gatewayclasses.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| grpcroutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| httproutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| referencegrants.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| tcproutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| tlsroutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| udproutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| cloudproviders.infrastructure.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| certificaterequests.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| discoveredcnis.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| discoveredgateways.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| meshes.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| externalendpoints.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| externalservices.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| externalworkloads.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| routetables.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| virtualdestinations.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| virtualgateways.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| accesslogpolicies.observability.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| rolebindings.rbac.authorization.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| roles.rbac.authorization.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| activehealthcheckpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| connectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| failoverpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| faultinjectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| listenerconnectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| outlierdetectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| retrytimeoutpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| trimproxyconfigpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| accesspolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| clienttlspolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| corspolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| csrfpolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| dlppolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| extauthpolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| graphqlallowedquerypolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| jwtpolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| wafpolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| httpbufferpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| mirrorpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| ratelimitpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| transformationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
| namespaces/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| nodes/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| serviceaccounts/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| services/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| dashboards.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| extauthservers.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| gatewaylifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| istiolifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| kubernetesclusters.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ratelimitserverconfigs.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ratelimitserversettings.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| roottrustpolicies.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| waypointlifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| workspaces.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| workspacesettings.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| apidocs.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| apischemadiscoveries.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| graphqlresolvermaps.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| graphqlschemas.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| graphqlstitchedschemas.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| portalgroups.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| portals.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| daemonsets.apps/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| deployments.apps/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| statefulsets.apps/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ciliumnetworkpolicies.cilium.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| authconfigs.extauth.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| wasmdeploymentpolicies.extensions.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| gatewayclasses.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| gateways.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| grpcroutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| httproutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| referencegrants.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| tcproutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| tlsroutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| udproutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| cloudproviders.infrastructure.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| cloudresources.infrastructure.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| istiooperators.install.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| certificaterequests.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| discoveredcnis.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| discoveredgateways.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| issuedcertificates.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| meshes.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| portalconfigs.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| spireregistrationentries.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| externalendpoints.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| externalservices.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| externalworkloads.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| routetables.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| virtualdestinations.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| virtualgateways.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| destinationrules.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| envoyfilters.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| gateways.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| serviceentries.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| sidecars.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| virtualservices.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| workloadentries.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| accesslogpolicies.observability.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ratelimitconfigs.ratelimit.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| clusterrolebindings.rbac.authorization.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| clusterroles.rbac.authorization.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| rolebindings.rbac.authorization.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| roles.rbac.authorization.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| activehealthcheckpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| connectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| failoverpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| faultinjectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| listenerconnectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| outlierdetectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| retrytimeoutpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| trimproxyconfigpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| authorizationpolicies.security.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| peerauthentications.security.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| accesspolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| clienttlspolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| corspolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| csrfpolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| dlppolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| extauthpolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| graphqlallowedquerypolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| jwtpolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| wafpolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| httpbufferpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| mirrorpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| ratelimitpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| transformationpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
| secrets | gloo-mesh-mgmt-server-gloo-platform-gloo-mesh-namespaced cluster role | * (all) |
| secrets/status | gloo-mesh-mgmt-server-gloo-platform-gloo-mesh-namespaced cluster role | get, update |
The Gloo agent needs access to many Kubernetes and all Gloo custom resources to manage Gloo resources in workload clusters. These actions include discovering core Kubernetes objects, writing Gloo resources, managing the status of Gloo resources, rotating certificates as needed, and performing leader election when you have multiple agent replicas. The agent also needs access to deploy, set up CRDs, and configure Kubernetes RBAC access for managing the Istio lifecycle manager (ILM).
| Resource | Granted by | Allowed verbs |
|---|---|---|
| configmaps | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| namespaces | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| pods | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| serviceaccounts | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| services | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| mutatingwebhookconfigurations.admissionregistration.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| validatingwebhookconfigurations.admissionregistration.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| customresourcedefinitions.apiextensions.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| apidocs.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| deployments.apps | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| ciliumnetworkpolicies.cilium.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| leases.coordination.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| authconfigs.extauth.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| gateways.gateway.networking.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| cloudresources.infrastructure.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| istiooperators.install.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| certificaterequests.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| discoveredcnis.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| discoveredgateways.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| issuedcertificates.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| meshes.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| podbouncedirectives.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| portalconfigs.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| spireregistrationentries.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| xdsconfigs.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| destinationrules.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| envoyfilters.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| gateways.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| serviceentries.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| sidecars.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| virtualservices.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| workloadentries.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| workloadgroups.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| networkpolicies.networking.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| ratelimitconfigs.ratelimit.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| clusterrolebindings.rbac.authorization.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| clusterroles.rbac.authorization.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| authorizationpolicies.security.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| peerauthentications.security.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
| nodes | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| dashboards.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| extauthservers.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| gatewaylifecyclemanagers.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| istiolifecyclemanagers.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| kubernetesclusters.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| ratelimitserverconfigs.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| ratelimitserversettings.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| roottrustpolicies.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| waypointlifecyclemanagers.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| workspaces.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| workspacesettings.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| apischemadiscoveries.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| graphqlresolvermaps.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| graphqlschemas.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| graphqlstitchedschemas.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| portalgroups.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| portals.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| daemonsets.apps | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| replicasets.apps | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| statefulsets.apps | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| wasmdeploymentpolicies.extensions.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| cloudproviders.infrastructure.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| externalendpoints.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| externalservices.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| externalworkloads.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| routetables.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| virtualdestinations.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| virtualgateways.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| accesslogpolicies.observability.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| rolebindings.rbac.authorization.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| roles.rbac.authorization.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| activehealthcheckpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| connectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| failoverpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| faultinjectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| listenerconnectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| outlierdetectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| retrytimeoutpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| trimproxyconfigpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| accesspolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| clienttlspolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| corspolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| csrfpolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| dlppolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| extauthpolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| graphqlallowedquerypolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| jwtpolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| wafpolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| httpbufferpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| mirrorpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| ratelimitpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| transformationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
| configmaps/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| namespaces/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| nodes/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| pods/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| serviceaccounts/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| services/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| dashboards.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| extauthservers.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| gatewaylifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| istiolifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| kubernetesclusters.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| ratelimitserverconfigs.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| ratelimitserversettings.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| roottrustpolicies.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| waypointlifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| workspaces.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| workspacesettings.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| mutatingwebhookconfigurations.admissionregistration.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| validatingwebhookconfigurations.admissionregistration.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| apidocs.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| apischemadiscoveries.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| graphqlresolvermaps.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| graphqlschemas.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| graphqlstitchedschemas.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| portalgroups.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| portals.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| daemonsets.apps/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| deployments.apps/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| replicasets.apps/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| statefulsets.apps/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| ciliumnetworkpolicies.cilium.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| authconfigs.extauth.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| wasmdeploymentpolicies.extensions.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| gateways.gateway.networking.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| cloudproviders.infrastructure.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| cloudresources.infrastructure.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| istiooperators.install.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| certificaterequests.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| discoveredcnis.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| discoveredgateways.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| issuedcertificates.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| meshes.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| podbouncedirectives.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| portalconfigs.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| spireregistrationentries.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| xdsconfigs.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| externalendpoints.networking.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| externalservices.networking.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| externalworkloads.networking.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| routetables.networking.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| virtualdestinations.networking.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| virtualgateways.networking.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| destinationrules.networking.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| envoyfilters.networking.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| gateways.networking.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| serviceentries.networking.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| sidecars.networking.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| virtualservices.networking.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| workloadentries.networking.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| workloadgroups.networking.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| networkpolicies.networking.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| accesslogpolicies.observability.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| ratelimitconfigs.ratelimit.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| clusterrolebindings.rbac.authorization.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| clusterroles.rbac.authorization.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| activehealthcheckpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| connectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| failoverpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| faultinjectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| listenerconnectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| outlierdetectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| retrytimeoutpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| trimproxyconfigpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| authorizationpolicies.security.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| peerauthentications.security.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| accesspolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| clienttlspolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| corspolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| csrfpolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| dlppolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| extauthpolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| graphqlallowedquerypolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| jwtpolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| wafpolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| httpbufferpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| mirrorpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| ratelimitpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| transformationpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
| secrets | gloo-mesh-agent-gloo-platform-gloo-mesh-namespaced cluster role | * (all) |
| secrets/status | gloo-mesh-agent-gloo-platform-gloo-mesh-namespaced cluster role | get, update |
The Gloo UI needs access to many Kubernetes and all Gloo custom resources to display in the dashboard.
| Resource | Granted by | Allowed verbs |
|---|---|---|
| configmaps | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| namespaces | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| nodes | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| serviceaccounts | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| services | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| dashboards.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| extauthservers.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| gatewaylifecyclemanagers.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| istiolifecyclemanagers.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| kubernetesclusters.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ratelimitserverconfigs.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ratelimitserversettings.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| roottrustpolicies.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| waypointlifecyclemanagers.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| workspaces.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| workspacesettings.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| apidocs.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| apischemadiscoveries.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| graphqlresolvermaps.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| graphqlschemas.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| graphqlstitchedschemas.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| portalgroups.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| portals.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| daemonsets.apps | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| deployments.apps | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| statefulsets.apps | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ciliumnetworkpolicies.cilium.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| authconfigs.extauth.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| wasmdeploymentpolicies.extensions.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| gatewayclasses.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| gateways.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| grpcroutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| httproutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| referencegrants.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| tcproutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| tlsroutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| udproutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| cloudproviders.infrastructure.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| cloudresources.infrastructure.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| istiooperators.install.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| discoveredcnis.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| discoveredgateways.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| meshes.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| portalconfigs.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| spireregistrationentries.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| externalendpoints.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| externalservices.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| externalworkloads.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| routetables.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| virtualdestinations.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| virtualgateways.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| destinationrules.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| envoyfilters.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| gateways.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| serviceentries.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| sidecars.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| virtualservices.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| workloadentries.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| accesslogpolicies.observability.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ratelimitconfigs.ratelimit.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| clusterrolebindings.rbac.authorization.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| clusterroles.rbac.authorization.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| rolebindings.rbac.authorization.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| roles.rbac.authorization.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| activehealthcheckpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| connectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| failoverpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| faultinjectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| listenerconnectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| outlierdetectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| retrytimeoutpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| trimproxyconfigpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| authorizationpolicies.security.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| peerauthentications.security.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| accesspolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| clienttlspolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| corspolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| csrfpolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| dlppolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| extauthpolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| graphqlallowedquerypolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| jwtpolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| wafpolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| httpbufferpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| mirrorpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| ratelimitpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| transformationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
| configmaps/status | gloo-mesh-ui-gloo-mesh cluster role | get, update |
| dashboards.admin.gloo.solo.io/status | gloo-mesh-ui-gloo-mesh cluster role | get, update |
| kubernetesclusters.admin.gloo.solo.io/status | gloo-mesh-ui-gloo-mesh cluster role | get, update |
| secrets | gloo-mesh-ui-gloo-platform-gloo-mesh-namespaced cluster role | get, list, watch |
| secrets/status | gloo-mesh-ui-gloo-platform-gloo-mesh-namespaced cluster role | get, update |
The Prometheus server needs access to various resources to collect metrics for cluster components and network traffic.
| Resource | Granted by | Allowed verbs |
|---|---|---|
| configmaps | prometheus-server cluster role | get, list, watch |
| endpoints | prometheus-server cluster role | get, list, watch |
| ingresses | prometheus-server cluster role | get, list, watch |
| nodes/metrics | prometheus-server cluster role | get, list, watch |
| nodes/proxy | prometheus-server cluster role | get, list, watch |
| nodes | prometheus-server cluster role | get, list, watch |
| pods | prometheus-server cluster role | get, list, watch |
| services | prometheus-server cluster role | get, list, watch |
| ingresses.extensions/status | prometheus-server cluster role | get, list, watch |
| ingresses.extensions | prometheus-server cluster role | get, list, watch |
| ingresses.networking.k8s.io/status | prometheus-server cluster role | get, list, watch |
| ingresses.networking.k8s.io | prometheus-server cluster role | get, list, watch |
| /metrics | prometheus-server cluster role | get |
The external auth service needs access to several Kubernetes and Gloo custom resources to enforce authentication on requests. For example, config maps and secrets might have information that the external auth service needs to authenticate requests, such as an API key. Other resources such as leases are used for leader election when you have multiple replicas.
| Resource | Granted by | Allowed verbs |
|---|---|---|
| events | ext-auth-service-gloo-mesh cluster role | * (all) |
| leases.coordination.k8s.io | ext-auth-service-gloo-mesh cluster role | * (all) |
| configmaps | ext-auth-service-gloo-mesh cluster role | get, list, watch |
| authconfigs.extauth.solo.io | ext-auth-service-gloo-mesh cluster role | get, list, watch |
| authconfigs.extauth.solo.io/status | ext-auth-service-gloo-mesh cluster role | get, update |
| secrets | ext-auth-service-gloo-platform-gloo-mesh-namespaced cluster role | get, list, watch |
The rate limiter needs access to Gloo custom resources to configure rate limiting on requests.
| Resource | Granted by | Allowed verbs |
|---|---|---|
| ratelimitconfigs.ratelimit.solo.io | rate-limiter cluster role | get, list, watch |
| ratelimitconfigs.ratelimit.solo.io/status | rate-limiter cluster role | get, update |
The Gloo portal server needs access to Gloo custom resources to display API products in an end-user facing developer portal.
| Resource | Granted by | Allowed verbs |
|---|---|---|
| apidocs.apimanagement.gloo.solo.io | gloo-mesh-portal-server-gloo-mesh-addons cluster role | get, list, watch |
| portalconfigs.internal.gloo.solo.io | gloo-mesh-portal-server-gloo-mesh-addons cluster role | get, list, watch |
The OpenTelemetry (OTel) gateways and collectors need access to various resources to collect metrics, logs, and traces for the components in your cluster.
| Resource | Granted by | Allowed verbs |
|---|---|---|
| configmaps | gloo-telemetry-* cluster roles | get, list, watch |
| endpoints | gloo-telemetry-* cluster roles | get, list, watch |
| ingresses | gloo-telemetry-* cluster roles | get, list, watch |
| nodes/metrics | gloo-telemetry-* cluster roles | get, list, watch |
| nodes/proxy | gloo-telemetry-* cluster roles | get, list, watch |
| nodes | gloo-telemetry-* cluster roles | get, list, watch |
| pods | gloo-telemetry-* cluster roles | get, list, watch |
| services | gloo-telemetry-* cluster roles | get, list, watch |
| ingresses.extensions/status | gloo-telemetry-* cluster roles | get, list, watch |
| ingresses.extensions | gloo-telemetry-* cluster roles | get, list, watch |
| ingresses.networking.k8s.io/status | gloo-telemetry-* cluster roles | get, list, watch |
| ingresses.networking.k8s.io | gloo-telemetry-* cluster roles | get, list, watch |
/metrics endpoint | gloo-telemetry-* cluster roles | get |
The Istio operator that is used by the Gloo Istio Lifecycle Manager needs access to various resources such as Istio as well as Kubernetes resources to deploy Istio.
| Resource | Granted by | Allowed verbs |
|---|---|---|
| configmaps | istio-operator-* cluster role | * (all) |
| endpoints | istio-operator-* cluster role | * (all) |
| events | istio-operator-* cluster role | * (all) |
| namespaces | istio-operator-* cluster role | * (all) |
| persistentvolumeclaims | istio-operator-* cluster role | * (all) |
| pods/portforward | istio-operator-* cluster role | * (all) |
| pods/proxy | istio-operator-* cluster role | * (all) |
| pods | istio-operator-* cluster role | * (all) |
| secrets | istio-operator-* cluster role | * (all) |
| serviceaccounts | istio-operator-* cluster role | * (all) |
| services | istio-operator-* cluster role | * (all) |
| mutatingwebhookconfigurations.admissionregistration.k8s.io | istio-operator-* cluster role | * (all) |
| validatingwebhookconfigurations.admissionregistration.k8s.io | istio-operator-* cluster role | * (all) |
| customresourcedefinitions.apiextensions.k8s.io.apiextensions.k8s.io | istio-operator-* cluster role | * (all) |
| customresourcedefinitions.apiextensions.k8s.io | istio-operator-* cluster role | * (all) |
| daemonsets.apps | istio-operator-* cluster role | * (all) |
| deployments.apps/finalizers | istio-operator-* cluster role | * (all) |
| deployments.apps | istio-operator-* cluster role | * (all) |
| replicasets.apps | istio-operator-* cluster role | * (all) |
| *.authentication.istio.io | istio-operator-* cluster role | * (all) |
| horizontalpodautoscalers.autoscaling | istio-operator-* cluster role | * (all) |
| *.config.istio.io | istio-operator-* cluster role | * (all) |
| daemonsets.extensions | istio-operator-* cluster role | * (all) |
| deployments.extensions/finalizers | istio-operator-* cluster role | * (all) |
| deployments.extensions | istio-operator-* cluster role | * (all) |
| replicasets.extensions | istio-operator-* cluster role | * (all) |
| *.install.istio.io | istio-operator-* cluster role | * (all) |
| *.networking.istio.io | istio-operator-* cluster role | * (all) |
| poddisruptionbudgets.policy | istio-operator-* cluster role | * (all) |
| clusterrolebindings.rbac.authorization.k8s.io | istio-operator-* cluster role | * (all) |
| clusterroles.rbac.authorization.k8s.io | istio-operator-* cluster role | * (all) |
| rolebindings.rbac.authorization.k8s.io | istio-operator-* cluster role | * (all) |
| roles.rbac.authorization.k8s.io | istio-operator-* cluster role | * (all) |
| *.security.istio.io | istio-operator-* cluster role | * (all) |
| leases.coordination.k8s.io | istio-operator-* cluster role | get, create, update |
| servicemonitors.monitoring.coreos.com | istio-operator-* cluster role | get, create, update |
Istio is automatically set up when you install Gloo Mesh Gateway to manage Envoy-based proxies such as the Istio ingress gateway. Istiod needs access to all of the Istio custom resources to manage Istio. It also needs access to some Kubernetes resources to deploy the gateway, manage secrets for mutual TLS, or inject sidecars as needed.
| Resource | Granted by | Allowed verbs |
|---|---|---|
| secrets | istiod-* roles in istio-system namespace | create, get, watch, list, update, delete |
| gateways | istiod-* roles in istio-system namespace | create |
| configmaps | Versioned istiod role in istio-system namespace | delete |
| leases | Versioned istiod role in istio-system namespace | get, update, patch, create |
| tokenreviews.authentication.k8s.io | istio-reader-* cluster roles | create |
| subjectaccessreviews.authorization.k8s.io | istio-reader-* cluster roles | create |
| serviceexports.multicluster.x-k8s.io | istio-reader-* cluster roles | get, list, watch, create, delete |
| endpoints | istio-reader-* cluster roles | get, list, watch |
| namespaces | istio-reader-* cluster roles | get, list, watch |
| nodes | istio-reader-* cluster roles | get, list, watch |
| pods | istio-reader-* cluster roles | get, list, watch |
| replicationcontrollers | istio-reader-* cluster roles | get, list, watch |
| secrets | istio-reader-* cluster roles | get, list, watch |
| services | istio-reader-* cluster roles | get, list, watch |
| customresourcedefinitions.apiextensions.k8s.io | istio-reader-* cluster roles | get, list, watch |
| replicasets.apps | istio-reader-* cluster roles | get, list, watch |
| *.authentication.istio.io | istio-reader-* cluster roles | get, list, watch |
| *.config.istio.io | istio-reader-* cluster roles | get, list, watch |
| endpointslices.discovery.k8s.io | istio-reader-* cluster roles | get, list, watch |
| serviceimports.multicluster.x-k8s.io | istio-reader-* cluster roles | get, list, watch |
| *.networking.istio.io | istio-reader-* cluster roles | get, list, watch |
| *.rbac.istio.io | istio-reader-* cluster roles | get, list, watch |
| *.security.istio.io | istio-reader-* cluster roles | get, list, watch |
| workloadentries.networking.istio.io | istio-reader-* cluster roles | get, watch, list |
| ingresses.networking.k8s.io/status | istiod-* cluster roles | * (all) |
| signers.certificates. | istiod-* cluster roles | approve |
| configmaps | istiod-* cluster roles | create, get, list, watch, update |
| gatewayclasses.gateway.networking.k8s.io | istiod-* cluster roles | create, update, patch, delete |
| tokenreviews.authentication.k8s.io | istiod-* cluster roles | create |
| subjectaccessreviews.authorization.k8s.io | istiod-* cluster roles | create |
| mutatingwebhookconfigurations.admissionregistration.k8s.io | istiod-* cluster roles | get, list, watch update patch |
| validatingwebhookconfigurations.admissionregistration.k8s.io | istiod-* cluster roles | get, list, watch update |
| endpoints | istiod-* cluster roles | get, list, watch |
| namespaces | istiod-* cluster roles | get, list, watch |
| nodes | istiod-* cluster roles | get, list, watch |
| pods | istiod-* cluster roles | get, list, watch |
| services | istiod-* cluster roles | get, list, watch |
| customresourcedefinitions.apiextensions.k8s.io | istiod-* cluster roles | get, list, watch |
| endpointslices.discovery.k8s.io | istiod-* cluster roles | get, list, watch |
| ingressclasses.networking.k8s.io | istiod-* cluster roles | get, list, watch |
| ingresses.networking.k8s.io | istiod-* cluster roles | get, list, watch |
| serviceexports.multicluster.x-k8s.io | istiod-* cluster roles | get, watch, list create delete |
| workloadentries.networking.istio.io/status | istiod-* cluster roles | get watch, list, update, patch, create, delete |
| workloadentries.networking.istio.io | istiod-* cluster roles | get watch, list, update, patch, create, delete |
| *.gateway.networking.k8s.io | istiod-* cluster roles | get, watch, list update patch |
| *.networking.x-k8s.io | istiod-* cluster roles | get, watch, list update patch |
| secrets | istiod-* cluster roles | get, watch, list |
| *.authentication.istio.io | istiod-* cluster roles | get, watch, list |
| *.config.istio.io | istiod-* cluster roles | get, watch, list |
| *.extensions.istio.io | istiod-* cluster roles | get, watch, list |
| serviceimports.multicluster.x-k8s.io | istiod-* cluster roles | get, watch, list |
| *.networking.istio.io | istiod-* cluster roles | get, watch, list |
| *.rbac.istio.io | istiod-* cluster roles | get, watch, list |
| *.security.istio.io | istiod-* cluster roles | get, watch, list |
| *.telemetry.istio.io | istiod-* cluster roles | get, watch, list |
| certificatesigningrequests.certificates.k8s.io/approval | istiod-* cluster roles | update, create, get, delete, watch |
| certificatesigningrequests.certificates.k8s.io/status | istiod-* cluster roles | update, create, get, delete, watch |
| certificatesigningrequests.certificates.k8s.io | istiod-* cluster roles | update, create, get, delete, watch |
| serviceaccounts | istiod-* cluster roles | get watch, list, update, patch, create, delete |
| services | istiod-* cluster roles | get watch, list, update, patch, create, delete |
| deployments.apps | istiod-* cluster roles | get watch, list, update, patch, create, delete |
By default, Gloo Gateway sets up one Istio ingress gateway in the gloo-mesh-gateways namespace. You can also set up multiple Istio ingress gateways to back your Gloo virtual gateways. The gateway needs to check secrets such as certs to secure traffic via an HTTPS listener.
| Resource | Granted by | Allowed verbs |
|---|---|---|
| Secrets | Versioned gateway role in the gateway namespace, such as gloo-mesh-gateways | get, watch, list |
Restrict default permissions link
You can restrict the permissions for select Gloo components. By default, Gloo components use Kubernetes cluster roles and cluster role bindings to get access to resources on a cluster-wide level. To restrict these permissions, configure the namespacedRbac Helm option for select Gloo components during your Gloo installation or upgrade.
- Default behavior without
namespacedRbac: Gloo creates separate cluster roles and cluster role bindings per component for the resources that can and cannot be restricted to namespaces. For resources that can be restricted by namespace, the cluster role and cluster role bindings have*-namespacedin their name. - With
namespacedRbac: Gloo creates roles and role bindings per component for the restricted resources in the selected namespaces, such asgloo-mesh. These roles and role bindings have*-namespacedin their name, such asgloo-mesh-mgmt-server-gloo-platform-gloo-mesh-namespaced. Gloo still creates a cluster role and cluster role binding per component for all the other resources that the component needs access to.
warning
Namespaced RBAC for select components is available for versions 2.3.19, 2.4.4, or 2.5 and later. Do not otherwise try to modify the default permissions by editing the Kubernetes cluster role or role for each component. Modifying the permissions can lead to unexpected results. If you need to modify other permissions such as for security compliance reasons, contact Support with your use case.
Gloo components that you can restrict access for:
- Gloo management server
- Gloo agent
- Gloo UI
- External auth service
Resources that you can restrict access to:
- Kubernetes secrets
At a minimum, you must allow access to the following namespaces for each Gloo component:
gloo-mesh, or if you used a different name, the namespace that your management server, UI, and agent are deployed to.gloo-mesh-addons, or if you used a different name, the namespace that your add-on components such as the external auth service, rate limiter, or developer portal are deployed to. Depending on your setup, you might have all of these Gloo components together in a single namespace, such asgloo-mesh.
info
The following steps upgrade an existing Helm release to restrict the permissions of the management server, agent, UI, and external auth service for Kubernetes secrets to Gloo namespaces only. The steps do not upgrade the Gloo management server or agent versions or otherwise change the components.
Check the Helm releases in your cluster. Depending on your installation method, you either have only a main installation release (such as
gloo-platform), or a main installation and a separate add-ons release (such asgloo-agent-addons), in addition to your CRDs release.helm ls -AGet your current installation values.
If you have only one release for your installation, get those values. Note that your Helm release might have a different name.
helm get values gloo-platform -n gloo-mesh -o yaml > gloo-single.yaml open gloo-single.yamlIf you have a separate add-ons release, get those values.
helm get values gloo-agent-addons -n gloo-mesh-addons -o yaml > gloo-agent-addons.yaml open gloo-agent-addons.yaml
Add the following settings in the sections for each component that you want to restrict Kubernetes RBAC permissions to namespaces. Keep in mind the following points:
- You can restrict only Kubernetes secrets.
- You must include the namespaces that the Gloo components are deployed to, such as
gloo-meshandgloo-mesh-addons. If your namespaces have different names, replace these values. - You add these values along with all the rest of the values in your Helm configuration file.
glooMgmtServer: enabled: true namespacedRbac: - resources: - secrets namespaces: - gloo-mesh - gloo-mesh-addons ...glooAgent: enabled: true namespacedRbac: - resources: - secrets namespaces: - gloo-mesh - gloo-mesh-addons ...glooUi: enabled: true namespacedRbac: - resources: - secrets namespaces: - gloo-mesh - gloo-mesh-addonsextAuthService: enabled: true extAuth: namespacedRbac: - resources: - secrets namespaces: - gloo-mesh - gloo-mesh-addons ...clickhouse: enabled: true glooAgent: enabled: true relay: serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900 namespacedRbac: - resources: - secrets namespaces: - gloo-mesh - gloo-mesh-addons glooMgmtServer: serviceType: ClusterIP registerCluster: true enabled: true createGlobalWorkspace: true namespacedRbac: - resources: - secrets namespaces: - gloo-mesh - gloo-mesh-addons glooUi: enabled: true namespacedRbac: - resources: - secrets namespaces: - gloo-mesh - gloo-mesh-addons istioInstallations: controlPlane: enabled: true installations: - istioOperatorSpec: meshConfig: accessLogFile: /dev/stdout accessLogEncoding: JSON accessLogFormat: | { "timestamp": "%START_TIME%", "server_name": "%REQ(:AUTHORITY)%", "response_duration": "%DURATION%", "request_command": "%REQ(:METHOD)%", "request_uri": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%", "request_protocol": "%PROTOCOL%", "status_code": "%RESPONSE_CODE%", "client_address": "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%", "x_forwarded_for": "%REQ(X-FORWARDED-FOR)%", "bytes_sent": "%BYTES_SENT%", "bytes_received": "%BYTES_RECEIVED%", "user_agent": "%REQ(USER-AGENT)%", "downstream_local_address": "%DOWNSTREAM_LOCAL_ADDRESS%", "requested_server_name": "%REQUESTED_SERVER_NAME%", "request_id": "%REQ(X-REQUEST-ID)%", "response_flags": "%RESPONSE_FLAGS%", "route_name": "%ROUTE_NAME%", "upstream_cluster": "%UPSTREAM_CLUSTER%", "upstream_host": "%UPSTREAM_HOST%", "upstream_local_address": "%UPSTREAM_LOCAL_ADDRESS%", "upstream_service_time": "%REQ(x-envoy-upstream-service-time)%", "upstream_transport_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%", "correlation_id": "%REQ(X-CORRELATION-ID)%", "user_id": "%DYNAMIC_METADATA(envoy.filters.http.ext_authz:userId)%", "api_id": "%DYNAMIC_METADATA(io.solo.gloo.apimanagement:api_id)%", "api_product_id": "%DYNAMIC_METADATA(io.solo.gloo.apimanagement:api_product_id)%", "api_product_name": "%DYNAMIC_METADATA(io.solo.gloo.apimanagement:api_product_name)%", "usage_plan": "%DYNAMIC_METADATA(envoy.filters.http.ext_authz:usagePlan)%", "custom_metadata": "%DYNAMIC_METADATA(io.solo.gloo.apimanagement:custom_metadata)%" } revision: auto enabled: true northSouthGateways: - enabled: true installations: - gatewayRevision: auto istioOperatorSpec: {} name: istio-ingressgateway telemetryCollector: presets: logsCollection: enabled: true storeCheckpoints: true enabled: true config: exporters: otlp: endpoint: gloo-telemetry-gateway.gloo-mesh:4317 telemetryCollectorCustomization: pipelines: logs/istio_access_logs: enabled: true prometheus: enabled: true redis: deployment: enabled: true telemetryGateway: enabled: true service: type: ClusterIP extraEnvs: - name: CLICKHOUSE_PASSWORD valueFrom: secretKeyRef: key: password name: clickhouse-auth telemetryGatewayCustomization: pipelines: logs/clickhouse: enabled: true extraExporters: clickhouse: password: "${env:CLICKHOUSE_PASSWORD}" extAuthService: enabled: true extAuth: namespacedRbac: - resources: - secrets namespaces: - gloo-mesh - gloo-mesh-addons apiKeyStorage: name: redis enabled: true config: host: "redis.gloo-mesh-addons:6379" db: 0 secretKey: "ThisIsSecret" glooPortalServer: enabled: true apiKeyStorage: redis: enabled: true address: redis.gloo-mesh-addons:6379 configPath: /etc/redis-client-config/config.yaml secretKey: "ThisIsSecret" rateLimiter: enabled: trueUpgrade your Helm release with the namespaced RBAC restrictions. Be sure to include the Helm values file (
$VALUES_FILE) that you previously created and the Gloo version of your current installation ($GLOO_VERSION).If you have only one release for your installation, upgrade the
gloo-platformrelease. Note that your Helm release might have a different name.helm upgrade -i gloo-platform gloo-platform/gloo-platform \ --namespace gloo-mesh \ --create-namespace \ --values $VALUES_FILE \ --version $GLOO_VERSIONIf you have a separate add-ons release, upgrade the
gloo-agent-addonsrelease.helm upgrade -i gloo-agent-addons gloo-platform/gloo-platform \ --namespace gloo-mesh-addons \ --create-namespace \ --values $VALUES_FILE \ --version $GLOO_VERSION
Verify that your Gloo environment is healthy. Note that this check might take a few seconds to complete.
meshctl checkConfirm that the permissions are correct by checking the RBAC setup.