Gloo component permissions
Review the default Kubernetes role-based access control (RBAC) permissions of Gloo and Gloo-deployed components.
When you install a Gloo product, you deploy several core components, such as the management server, Gloo UI, and agent. For more information about the components, see the architecture.
These components might come with a default set of permissions granted by Kubernetes RBAC cluster roles and roles. Some components that do not need Kubernetes permissions, such as the Redis database, do not have Kubernetes RBAC resources. Other components, such as the management server, agent, and UI, might have several cluster roles that are used to scope certain permissions on sensitive resources such as secrets to namespaces.
Check the RBAC setup
In Kubernetes RBAC, roles and cluster roles configure a set of permissions, such as to view or modify Kubernetes objects. Role bindings and cluster role bindings bind these permissions to a subject in Kubernetes, such as a service account. For more information, see the Kubernetes docs. Most Gloo components have their own Kubernetes service accounts, roles or cluster roles, and role bindings or cluster role bindings.
To check the RBAC setup for each component, you can run the following commands. Alternatively, you can check the permissions tables for each component in Review Gloo permissions.
When you install Gloo Network with Helm, you set a release name, such as gloo-platform. If you used a different release name, update the commands accordingly, such as -l app.kubernetes.io/instance=gloo-platform to -l app.kubernetes.io/instance=$RELEASE.
1. Get the Kubernetes RBAC resources for the Gloo component that you want to check.

```
kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=gloo-mesh-mgmt-server
kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=gloo-mesh-agent
kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=gloo-mesh-ui
kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app=prometheus
```

For optional components that Gloo installs via Helm, such as the OpenTelemetry (OTel) gateways and collectors, select by the Helm label instead:

```
kubectl get clusterroles,clusterrolebindings,roles,rolebindings,serviceaccounts -A -l app.kubernetes.io/name=telemetryCollector
```
2. Check the role binding or cluster role binding for the component. Make sure that the role or cluster role in the Role section and the service account in the Subjects section match the names for the Gloo component in the output from the previous step.

```
kubectl describe clusterrolebinding gloo-mesh-mgmt-server-gloo-mesh
```

Example output: The cluster role binding grants the gloo-mesh-mgmt-server service account in the gloo-mesh namespace access with the gloo-mesh-mgmt-server-gloo-mesh cluster role.

```
Role:
  Kind:  ClusterRole
  Name:  gloo-mesh-mgmt-server-gloo-mesh
Subjects:
  Kind            Name                   Namespace
  ----            ----                   ---------
  ServiceAccount  gloo-mesh-mgmt-server  gloo-mesh
```
3. Get the details of a cluster role or role. Check the PolicyRule in each role or cluster role to review specific permissions.

Note: The following example shows how the management server can have both roles and cluster roles if you restrict its permissions. Some other Gloo components might have only roles or cluster roles, depending on your setup.

```
kubectl describe role -n gloo-mesh gloo-mesh-mgmt-server-gloo-mesh-gloo-mesh-namespaced
```

Example output: The roles grant the Gloo management server access to Kubernetes secrets. Because the roles that you described are scoped to the gloo-mesh namespace, the management server can access secrets in that namespace only.

```
PolicyRule:
  Resources       Non-Resource URLs  Resource Names  Verbs
  ---------       -----------------  --------------  -----
  secrets         []                 []              [*]
  secrets/status  []                 []              [get, update]
```
```
kubectl describe clusterrole gloo-mesh-mgmt-server-gloo-mesh
```

Example output: The default Kubernetes RBAC for the management server normally includes access to secrets. However, in this example, you restricted access to only the gloo-mesh namespace through roles and role bindings. Therefore, the cluster role no longer has access to secrets.

```
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  configmaps  []  []  [*]
  namespaces  []  []  [*]
  pods  []  []  [*]
  serviceaccounts  []  []  [*]
  services  []  []  [*]
  mutatingwebhookconfigurations.admissionregistration.k8s.io  []  []  [*]
  validatingwebhookconfigurations.admissionregistration.k8s.io  []  []  [*]
  apidocs.apimanagement.gloo.solo.io  []  []  [*]
  deployments.apps  []  []  [*]
  ciliumnetworkpolicies.cilium.io  []  []  [*]
  leases.coordination.k8s.io  []  []  [*]
  authconfigs.extauth.solo.io  []  []  [*]
  gateways.gateway.networking.k8s.io  []  []  [*]
  cloudresources.infrastructure.gloo.solo.io  []  []  [*]
  istiooperators.install.istio.io  []  []  [*]
  issuedcertificates.internal.gloo.solo.io  []  []  [*]
  portalconfigs.internal.gloo.solo.io  []  []  [*]
  spireregistrationentries.internal.gloo.solo.io  []  []  [*]
  xdsconfigs.internal.gloo.solo.io  []  []  [*]
  destinationrules.networking.istio.io  []  []  [*]
  envoyfilters.networking.istio.io  []  []  [*]
  gateways.networking.istio.io  []  []  [*]
  serviceentries.networking.istio.io  []  []  [*]
  sidecars.networking.istio.io  []  []  [*]
  virtualservices.networking.istio.io  []  []  [*]
  workloadentries.networking.istio.io  []  []  [*]
  workloadgroups.networking.istio.io  []  []  [*]
  networkpolicies.networking.k8s.io  []  []  [*]
  ratelimitconfigs.ratelimit.solo.io  []  []  [*]
  clusterrolebindings.rbac.authorization.k8s.io  []  []  [*]
  clusterroles.rbac.authorization.k8s.io  []  []  [*]
  authorizationpolicies.security.istio.io  []  []  [*]
  peerauthentications.security.istio.io  []  []  [*]
  nodes  []  []  [get list watch]
  dashboards.admin.gloo.solo.io  []  []  [get list watch]
  extauthservers.admin.gloo.solo.io  []  []  [get list watch]
  gatewaylifecyclemanagers.admin.gloo.solo.io  []  []  [get list watch]
  istiolifecyclemanagers.admin.gloo.solo.io  []  []  [get list watch]
  kubernetesclusters.admin.gloo.solo.io  []  []  [get list watch]
  ratelimitserverconfigs.admin.gloo.solo.io  []  []  [get list watch]
  ratelimitserversettings.admin.gloo.solo.io  []  []  [get list watch]
  roottrustpolicies.admin.gloo.solo.io  []  []  [get list watch]
  waypointlifecyclemanagers.admin.gloo.solo.io  []  []  [get list watch]
  workspaces.admin.gloo.solo.io  []  []  [get list watch]
  workspacesettings.admin.gloo.solo.io  []  []  [get list watch]
  customresourcedefinitions.apiextensions.k8s.io  []  []  [get list watch]
  apischemadiscoveries.apimanagement.gloo.solo.io  []  []  [get list watch]
  graphqlresolvermaps.apimanagement.gloo.solo.io  []  []  [get list watch]
  graphqlschemas.apimanagement.gloo.solo.io  []  []  [get list watch]
  graphqlstitchedschemas.apimanagement.gloo.solo.io  []  []  [get list watch]
  portalgroups.apimanagement.gloo.solo.io  []  []  [get list watch]
  portals.apimanagement.gloo.solo.io  []  []  [get list watch]
  daemonsets.apps  []  []  [get list watch]
  statefulsets.apps  []  []  [get list watch]
  wasmdeploymentpolicies.extensions.policy.gloo.solo.io  []  []  [get list watch]
  gatewayclasses.gateway.networking.k8s.io  []  []  [get list watch]
  grpcroutes.gateway.networking.k8s.io  []  []  [get list watch]
  httproutes.gateway.networking.k8s.io  []  []  [get list watch]
  referencegrants.gateway.networking.k8s.io  []  []  [get list watch]
  tcproutes.gateway.networking.k8s.io  []  []  [get list watch]
  tlsroutes.gateway.networking.k8s.io  []  []  [get list watch]
  udproutes.gateway.networking.k8s.io  []  []  [get list watch]
  cloudproviders.infrastructure.gloo.solo.io  []  []  [get list watch]
  certificaterequests.internal.gloo.solo.io  []  []  [get list watch]
  discoveredcnis.internal.gloo.solo.io  []  []  [get list watch]
  discoveredgateways.internal.gloo.solo.io  []  []  [get list watch]
  meshes.internal.gloo.solo.io  []  []  [get list watch]
  externalendpoints.networking.gloo.solo.io  []  []  [get list watch]
  externalservices.networking.gloo.solo.io  []  []  [get list watch]
  externalworkloads.networking.gloo.solo.io  []  []  [get list watch]
  routetables.networking.gloo.solo.io  []  []  [get list watch]
  virtualdestinations.networking.gloo.solo.io  []  []  [get list watch]
  virtualgateways.networking.gloo.solo.io  []  []  [get list watch]
  accesslogpolicies.observability.policy.gloo.solo.io  []  []  [get list watch]
  rolebindings.rbac.authorization.k8s.io  []  []  [get list watch]
  roles.rbac.authorization.k8s.io  []  []  [get list watch]
  activehealthcheckpolicies.resilience.policy.gloo.solo.io  []  []  [get list watch]
  connectionpolicies.resilience.policy.gloo.solo.io  []  []  [get list watch]
  failoverpolicies.resilience.policy.gloo.solo.io  []  []  [get list watch]
  faultinjectionpolicies.resilience.policy.gloo.solo.io  []  []  [get list watch]
  graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io  []  []  [get list watch]
  listenerconnectionpolicies.resilience.policy.gloo.solo.io  []  []  [get list watch]
  outlierdetectionpolicies.resilience.policy.gloo.solo.io  []  []  [get list watch]
  retrytimeoutpolicies.resilience.policy.gloo.solo.io  []  []  [get list watch]
  trimproxyconfigpolicies.resilience.policy.gloo.solo.io  []  []  [get list watch]
  accesspolicies.security.policy.gloo.solo.io  []  []  [get list watch]
  clienttlspolicies.security.policy.gloo.solo.io  []  []  [get list watch]
  corspolicies.security.policy.gloo.solo.io  []  []  [get list watch]
  csrfpolicies.security.policy.gloo.solo.io  []  []  [get list watch]
  dlppolicies.security.policy.gloo.solo.io  []  []  [get list watch]
  extauthpolicies.security.policy.gloo.solo.io  []  []  [get list watch]
  graphqlallowedquerypolicies.security.policy.gloo.solo.io  []  []  [get list watch]
  jwtpolicies.security.policy.gloo.solo.io  []  []  [get list watch]
  wafpolicies.security.policy.gloo.solo.io  []  []  [get list watch]
  headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io  []  []  [get list watch]
  httpbufferpolicies.trafficcontrol.policy.gloo.solo.io  []  []  [get list watch]
  loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io  []  []  [get list watch]
  mirrorpolicies.trafficcontrol.policy.gloo.solo.io  []  []  [get list watch]
  proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io  []  []  [get list watch]
  ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io  []  []  [get list watch]
  ratelimitpolicies.trafficcontrol.policy.gloo.solo.io  []  []  [get list watch]
  transformationpolicies.trafficcontrol.policy.gloo.solo.io  []  []  [get list watch]
  namespaces/status  []  []  [get update]
  nodes/status  []  []  [get update]
  serviceaccounts/status  []  []  [get update]
  services/status  []  []  [get update]
  dashboards.admin.gloo.solo.io/status  []  []  [get update]
  extauthservers.admin.gloo.solo.io/status  []  []  [get update]
  gatewaylifecyclemanagers.admin.gloo.solo.io/status  []  []  [get update]
  istiolifecyclemanagers.admin.gloo.solo.io/status  []  []  [get update]
  kubernetesclusters.admin.gloo.solo.io/status  []  []  [get update]
  ratelimitserverconfigs.admin.gloo.solo.io/status  []  []  [get update]
  ratelimitserversettings.admin.gloo.solo.io/status  []  []  [get update]
  roottrustpolicies.admin.gloo.solo.io/status  []  []  [get update]
  waypointlifecyclemanagers.admin.gloo.solo.io/status  []  []  [get update]
  workspaces.admin.gloo.solo.io/status  []  []  [get update]
  workspacesettings.admin.gloo.solo.io/status  []  []  [get update]
  apidocs.apimanagement.gloo.solo.io/status  []  []  [get update]
  apischemadiscoveries.apimanagement.gloo.solo.io/status  []  []  [get update]
  graphqlresolvermaps.apimanagement.gloo.solo.io/status  []  []  [get update]
  graphqlschemas.apimanagement.gloo.solo.io/status  []  []  [get update]
  graphqlstitchedschemas.apimanagement.gloo.solo.io/status  []  []  [get update]
  portalgroups.apimanagement.gloo.solo.io/status  []  []  [get update]
  portals.apimanagement.gloo.solo.io/status  []  []  [get update]
  daemonsets.apps/status  []  []  [get update]
  deployments.apps/status  []  []  [get update]
  statefulsets.apps/status  []  []  [get update]
  ciliumnetworkpolicies.cilium.io/status  []  []  [get update]
  authconfigs.extauth.solo.io/status  []  []  [get update]
  wasmdeploymentpolicies.extensions.policy.gloo.solo.io/status  []  []  [get update]
  gatewayclasses.gateway.networking.k8s.io/status  []  []  [get update]
  gateways.gateway.networking.k8s.io/status  []  []  [get update]
  grpcroutes.gateway.networking.k8s.io/status  []  []  [get update]
  httproutes.gateway.networking.k8s.io/status  []  []  [get update]
  referencegrants.gateway.networking.k8s.io/status  []  []  [get update]
  tcproutes.gateway.networking.k8s.io/status  []  []  [get update]
  tlsroutes.gateway.networking.k8s.io/status  []  []  [get update]
  udproutes.gateway.networking.k8s.io/status  []  []  [get update]
  cloudproviders.infrastructure.gloo.solo.io/status  []  []  [get update]
  cloudresources.infrastructure.gloo.solo.io/status  []  []  [get update]
  istiooperators.install.istio.io/status  []  []  [get update]
  certificaterequests.internal.gloo.solo.io/status  []  []  [get update]
  discoveredcnis.internal.gloo.solo.io/status  []  []  [get update]
  discoveredgateways.internal.gloo.solo.io/status  []  []  [get update]
  issuedcertificates.internal.gloo.solo.io/status  []  []  [get update]
  meshes.internal.gloo.solo.io/status  []  []  [get update]
  portalconfigs.internal.gloo.solo.io/status  []  []  [get update]
  spireregistrationentries.internal.gloo.solo.io/status  []  []  [get update]
  externalendpoints.networking.gloo.solo.io/status  []  []  [get update]
  externalservices.networking.gloo.solo.io/status  []  []  [get update]
  externalworkloads.networking.gloo.solo.io/status  []  []  [get update]
  routetables.networking.gloo.solo.io/status  []  []  [get update]
  virtualdestinations.networking.gloo.solo.io/status  []  []  [get update]
  virtualgateways.networking.gloo.solo.io/status  []  []  [get update]
  destinationrules.networking.istio.io/status  []  []  [get update]
  envoyfilters.networking.istio.io/status  []  []  [get update]
  gateways.networking.istio.io/status  []  []  [get update]
  serviceentries.networking.istio.io/status  []  []  [get update]
  sidecars.networking.istio.io/status  []  []  [get update]
  virtualservices.networking.istio.io/status  []  []  [get update]
  workloadentries.networking.istio.io/status  []  []  [get update]
  accesslogpolicies.observability.policy.gloo.solo.io/status  []  []  [get update]
  ratelimitconfigs.ratelimit.solo.io/status  []  []  [get update]
  clusterrolebindings.rbac.authorization.k8s.io/status  []  []  [get update]
  clusterroles.rbac.authorization.k8s.io/status  []  []  [get update]
  rolebindings.rbac.authorization.k8s.io/status  []  []  [get update]
  roles.rbac.authorization.k8s.io/status  []  []  [get update]
  activehealthcheckpolicies.resilience.policy.gloo.solo.io/status  []  []  [get update]
  connectionpolicies.resilience.policy.gloo.solo.io/status  []  []  [get update]
  failoverpolicies.resilience.policy.gloo.solo.io/status  []  []  [get update]
  faultinjectionpolicies.resilience.policy.gloo.solo.io/status  []  []  [get update]
  graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io/status  []  []  [get update]
  listenerconnectionpolicies.resilience.policy.gloo.solo.io/status  []  []  [get update]
  outlierdetectionpolicies.resilience.policy.gloo.solo.io/status  []  []  [get update]
  retrytimeoutpolicies.resilience.policy.gloo.solo.io/status  []  []  [get update]
  trimproxyconfigpolicies.resilience.policy.gloo.solo.io/status  []  []  [get update]
  authorizationpolicies.security.istio.io/status  []  []  [get update]
  peerauthentications.security.istio.io/status  []  []  [get update]
  accesspolicies.security.policy.gloo.solo.io/status  []  []  [get update]
  clienttlspolicies.security.policy.gloo.solo.io/status  []  []  [get update]
  corspolicies.security.policy.gloo.solo.io/status  []  []  [get update]
  csrfpolicies.security.policy.gloo.solo.io/status  []  []  [get update]
  dlppolicies.security.policy.gloo.solo.io/status  []  []  [get update]
  extauthpolicies.security.policy.gloo.solo.io/status  []  []  [get update]
  graphqlallowedquerypolicies.security.policy.gloo.solo.io/status  []  []  [get update]
  jwtpolicies.security.policy.gloo.solo.io/status  []  []  [get update]
  wafpolicies.security.policy.gloo.solo.io/status  []  []  [get update]
  headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io/status  []  []  [get update]
  httpbufferpolicies.trafficcontrol.policy.gloo.solo.io/status  []  []  [get update]
  loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io/status  []  []  [get update]
  mirrorpolicies.trafficcontrol.policy.gloo.solo.io/status  []  []  [get update]
  proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io/status  []  []  [get update]
  ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io/status  []  []  [get update]
  ratelimitpolicies.trafficcontrol.policy.gloo.solo.io/status  []  []  [get update]
  transformationpolicies.trafficcontrol.policy.gloo.solo.io/status  []  []  [get update]
```
4. Repeat the previous step for each component that you want to check. The following commands get all roles and cluster roles per component and pipe the output to jq to print only the PolicyRules. Alternatively, you can check the permissions tables for each component in Review Gloo permissions.

```
kubectl get clusterrole,role -l app=gloo-mesh-mgmt-server -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
kubectl get clusterrole,role -l app=gloo-mesh-agent -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
kubectl get clusterrole,role -l app=gloo-mesh-ui -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
kubectl get clusterrole,role -l app=prometheus -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
```

For optional components that Gloo Network installs via Helm, such as the OpenTelemetry (OTel) gateways and collectors, select by the Helm release label instead:

```
kubectl get clusterrole,role -l app.kubernetes.io/instance=gloo-mesh-core -A -o json | jq -r '.items[] | {Name: .metadata.name, PolicyRules: .rules} | select(.PolicyRules != null)'
```
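As an added example (not from the Gloo docs or the Gloo project), the following Python script automates the two checks this procedure walks through over the JSON that `kubectl get clusterrole,role -l app=gloo-mesh-mgmt-server -A -o json` prints: whether secrets access comes from a namespaced Role or from a ClusterRole, and which rules carry wildcard or privilege-widening verbs. The sample input is constructed inline to mirror the restricted setup shown above; the `_role` helper and the verb list are my own choices, not Gloo's.

```python
import json

# Verbs that let a subject widen its own authority. Any rule carrying one of
# these deserves a manual look, whichever resource it is attached to.
PRIVILEGED_VERBS = {"*", "escalate", "bind", "impersonate"}

# The resources that the restricted setup above moves out of the cluster role
# and into namespaced roles.
SECRET_RESOURCES = {"secrets", "secrets/status"}


def qualified_name(resource, group):
    """Render a resource the way `kubectl describe` prints it: `pods`, `deployments.apps`."""
    return resource if group in ("", "*") else f"{resource}.{group}"


def iter_grants(items):
    """Yield (kind, role name, namespace, qualified resource, verbs) for every rule entry."""
    for item in items:
        meta = item["metadata"]
        for rule in item.get("rules") or []:
            verbs = set(rule.get("verbs", []))
            for group in rule.get("apiGroups", [""]):
                for resource in rule.get("resources", []):
                    yield item["kind"], meta["name"], meta.get("namespace"), qualified_name(resource, group), verbs


def secrets_scope(items):
    """Report where the component's roles let it touch secrets.

    Returns ("cluster", cluster role names) if any ClusterRole grants secrets,
    ("namespaced", namespaces) if only namespaced Roles do, or ("none", []).
    This inspects rule definitions only: a ClusterRole bound through a
    RoleBinding is still namespace-scoped, so check the bindings as well.
    """
    cluster_roles, namespaces = set(), set()
    for kind, name, ns, resource, _verbs in iter_grants(items):
        if resource in SECRET_RESOURCES or resource == "*":
            if kind == "ClusterRole":
                cluster_roles.add(name)
            else:
                namespaces.add(ns)
    if cluster_roles:
        return "cluster", sorted(cluster_roles)
    if namespaces:
        return "namespaced", sorted(namespaces)
    return "none", []


def privileged_grants(items):
    """List (kind, role name, resource, verb) for every rule entry with a privileged verb."""
    found = []
    for kind, name, _ns, resource, verbs in iter_grants(items):
        for verb in sorted(verbs & PRIVILEGED_VERBS):
            found.append((kind, name, resource, verb))
    return found


def audit(raw_json):
    """Run both checks over the text that `kubectl get clusterrole,role -A -o json` prints."""
    items = json.loads(raw_json)["items"]
    scope, where = secrets_scope(items)
    return {"secrets_scope": scope, "secrets_where": where, "privileged": privileged_grants(items)}


def _role(kind, name, rules, namespace=None):
    # Hypothetical helper that builds one item as kubectl would list it.
    meta = {"name": name, "labels": {"app": "gloo-mesh-mgmt-server"}}
    if namespace:
        meta["namespace"] = namespace
    return {"kind": kind, "metadata": meta, "rules": rules}


# Constructed sample (not captured from a real cluster) mirroring the restricted
# setup: secrets live in a namespaced Role, the ClusterRole has none.
RESTRICTED_SAMPLE = json.dumps({"kind": "List", "items": [
    _role("ClusterRole", "gloo-mesh-mgmt-server-gloo-mesh", [
        {"apiGroups": [""], "resources": ["configmaps", "pods"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
    ]),
    _role("Role", "gloo-mesh-mgmt-server-gloo-mesh-gloo-mesh-namespaced", [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["secrets/status"], "verbs": ["get", "update"]},
    ], namespace="gloo-mesh"),
]})

# Constructed sample of the unrestricted default: the ClusterRole itself grants secrets.
DEFAULT_SAMPLE = json.dumps({"kind": "List", "items": [
    _role("ClusterRole", "gloo-mesh-mgmt-server-gloo-mesh", [
        {"apiGroups": [""], "resources": ["configmaps", "pods", "secrets"], "verbs": ["*"]},
    ]),
]})

if __name__ == "__main__":
    for label, sample in (("restricted", RESTRICTED_SAMPLE), ("default", DEFAULT_SAMPLE)):
        result = audit(sample)
        print(f"{label}: secrets scope = {result['secrets_scope']} {result['secrets_where']}")
        for kind, name, resource, verb in result["privileged"]:
            print(f"  {kind} {name}: {resource} grants {verb}")
```

To run it against a live cluster, pipe the kubectl JSON into `audit()` instead of the constructed samples.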
Review Gloo permissions
Review the following tables that describe the default permissions by Gloo component. For steps to check these permissions in your cluster setup, see Check default RBAC setup. For steps to modify these permissions, see Restrict default permissions.
The Gloo management server needs access to many Kubernetes and all Gloo custom resources to manage Gloo resources. These actions include writing Gloo resources, managing the status of Gloo resources, writing output objects for Gloo resources, and performing leader election when you have multiple server replicas.
Resource | Granted by | Allowed verbs |
---|---|---|
configmaps | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
namespaces | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
pods | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
serviceaccounts | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
services | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
mutatingwebhookconfigurations.admissionregistration.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
validatingwebhookconfigurations.admissionregistration.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
apidocs.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
deployments.apps | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
ciliumnetworkpolicies.cilium.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
leases.coordination.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
authconfigs.extauth.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
gateways.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
cloudresources.infrastructure.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
istiooperators.install.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
issuedcertificates.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
portalconfigs.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
spireregistrationentries.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
xdsconfigs.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
destinationrules.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
envoyfilters.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
gateways.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
serviceentries.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
sidecars.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
virtualservices.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
workloadentries.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
workloadgroups.networking.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
networkpolicies.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
ratelimitconfigs.ratelimit.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
clusterrolebindings.rbac.authorization.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
clusterroles.rbac.authorization.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
authorizationpolicies.security.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
peerauthentications.security.istio.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | * (all) |
nodes | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
dashboards.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
extauthservers.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
gatewaylifecyclemanagers.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
istiolifecyclemanagers.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
kubernetesclusters.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
ratelimitserverconfigs.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
ratelimitserversettings.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
roottrustpolicies.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
waypointlifecyclemanagers.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
workspaces.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
workspacesettings.admin.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
customresourcedefinitions.apiextensions.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
apischemadiscoveries.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
graphqlresolvermaps.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
graphqlschemas.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
graphqlstitchedschemas.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
portalgroups.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
portals.apimanagement.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
daemonsets.apps | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
statefulsets.apps | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
wasmdeploymentpolicies.extensions.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
gatewayclasses.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
grpcroutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
httproutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
referencegrants.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
tcproutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
tlsroutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
udproutes.gateway.networking.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
cloudproviders.infrastructure.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
certificaterequests.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
discoveredcnis.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
discoveredgateways.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
meshes.internal.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
externalendpoints.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
externalservices.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
externalworkloads.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
routetables.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
virtualdestinations.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
virtualgateways.networking.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
accesslogpolicies.observability.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
rolebindings.rbac.authorization.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
roles.rbac.authorization.k8s.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
activehealthcheckpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
connectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
failoverpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
faultinjectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
listenerconnectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
outlierdetectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
retrytimeoutpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
trimproxyconfigpolicies.resilience.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
accesspolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
clienttlspolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
corspolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
csrfpolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
dlppolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
extauthpolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
graphqlallowedquerypolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
jwtpolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
wafpolicies.security.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
httpbufferpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
mirrorpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
ratelimitpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
transformationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, list, watch |
namespaces/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
nodes/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
serviceaccounts/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
services/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
dashboards.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
extauthservers.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
gatewaylifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
istiolifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
kubernetesclusters.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
ratelimitserverconfigs.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
ratelimitserversettings.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
roottrustpolicies.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
waypointlifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
workspaces.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
workspacesettings.admin.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
apidocs.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
apischemadiscoveries.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
graphqlresolvermaps.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
graphqlschemas.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
graphqlstitchedschemas.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
portalgroups.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
portals.apimanagement.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
daemonsets.apps/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
deployments.apps/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
statefulsets.apps/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
ciliumnetworkpolicies.cilium.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
authconfigs.extauth.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
wasmdeploymentpolicies.extensions.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
gatewayclasses.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
gateways.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
grpcroutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
httproutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
referencegrants.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
tcproutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
tlsroutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
udproutes.gateway.networking.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
cloudproviders.infrastructure.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
cloudresources.infrastructure.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
istiooperators.install.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
certificaterequests.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
discoveredcnis.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
discoveredgateways.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
issuedcertificates.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
meshes.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
portalconfigs.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
spireregistrationentries.internal.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
externalendpoints.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
externalservices.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
externalworkloads.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
routetables.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
virtualdestinations.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
virtualgateways.networking.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
destinationrules.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
envoyfilters.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
gateways.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
serviceentries.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
sidecars.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
virtualservices.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
workloadentries.networking.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
accesslogpolicies.observability.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
ratelimitconfigs.ratelimit.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
clusterrolebindings.rbac.authorization.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
clusterroles.rbac.authorization.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
rolebindings.rbac.authorization.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
roles.rbac.authorization.k8s.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
activehealthcheckpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
connectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
failoverpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
faultinjectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
listenerconnectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
outlierdetectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
retrytimeoutpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
trimproxyconfigpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
authorizationpolicies.security.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
peerauthentications.security.istio.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
accesspolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
clienttlspolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
corspolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
csrfpolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
dlppolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
extauthpolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
graphqlallowedquerypolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
jwtpolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
wafpolicies.security.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
httpbufferpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
mirrorpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
ratelimitpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
transformationpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-mgmt-server-gloo-mesh cluster role | get, update |
secrets | gloo-mesh-mgmt-server-gloo-mesh-gloo-mesh-namespaced cluster role | * (all) |
secrets/status | gloo-mesh-mgmt-server-gloo-mesh-gloo-mesh-namespaced cluster role | get, update |
The Gloo agent needs access to many Kubernetes resources and all Gloo custom resources to manage Gloo resources in workload clusters. These actions include discovering core Kubernetes objects, writing Gloo resources, managing the status of Gloo resources, rotating certificates as needed, and performing leader election when you have multiple agent replicas. The agent also needs permissions to deploy the Istio lifecycle manager (ILM), set up its CRDs, and configure the Kubernetes RBAC access that the ILM requires.
Resource | Granted by | Allowed verbs |
---|---|---|
configmaps | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
namespaces | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
pods | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
serviceaccounts | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
services | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
mutatingwebhookconfigurations.admissionregistration.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
validatingwebhookconfigurations.admissionregistration.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
customresourcedefinitions.apiextensions.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
apidocs.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
deployments.apps | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
ciliumnetworkpolicies.cilium.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
leases.coordination.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
authconfigs.extauth.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
gateways.gateway.networking.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
cloudresources.infrastructure.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
istiooperators.install.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
certificaterequests.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
discoveredcnis.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
discoveredgateways.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
issuedcertificates.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
meshes.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
podbouncedirectives.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
portalconfigs.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
spireregistrationentries.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
xdsconfigs.internal.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
destinationrules.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
envoyfilters.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
gateways.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
serviceentries.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
sidecars.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
virtualservices.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
workloadentries.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
workloadgroups.networking.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
networkpolicies.networking.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
ratelimitconfigs.ratelimit.solo.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
clusterrolebindings.rbac.authorization.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
clusterroles.rbac.authorization.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
authorizationpolicies.security.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
peerauthentications.security.istio.io | gloo-mesh-agent-gloo-mesh cluster role | * (all) |
nodes | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
dashboards.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
extauthservers.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
gatewaylifecyclemanagers.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
istiolifecyclemanagers.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
kubernetesclusters.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
ratelimitserverconfigs.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
ratelimitserversettings.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
roottrustpolicies.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
waypointlifecyclemanagers.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
workspaces.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
workspacesettings.admin.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
apischemadiscoveries.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
graphqlresolvermaps.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
graphqlschemas.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
graphqlstitchedschemas.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
portalgroups.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
portals.apimanagement.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
daemonsets.apps | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
replicasets.apps | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
statefulsets.apps | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
wasmdeploymentpolicies.extensions.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
cloudproviders.infrastructure.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
externalendpoints.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
externalservices.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
externalworkloads.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
routetables.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
virtualdestinations.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
virtualgateways.networking.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
accesslogpolicies.observability.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
rolebindings.rbac.authorization.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
roles.rbac.authorization.k8s.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
activehealthcheckpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
connectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
failoverpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
faultinjectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
listenerconnectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
outlierdetectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
retrytimeoutpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
trimproxyconfigpolicies.resilience.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
accesspolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
clienttlspolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
corspolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
csrfpolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
dlppolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
extauthpolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
graphqlallowedquerypolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
jwtpolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
wafpolicies.security.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
httpbufferpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
mirrorpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
ratelimitpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
transformationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-agent-gloo-mesh cluster role | get, list, watch |
configmaps/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
namespaces/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
nodes/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
pods/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
serviceaccounts/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
services/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
dashboards.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
extauthservers.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
gatewaylifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
istiolifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
kubernetesclusters.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
ratelimitserverconfigs.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
ratelimitserversettings.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
roottrustpolicies.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
waypointlifecyclemanagers.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
workspaces.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
workspacesettings.admin.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
mutatingwebhookconfigurations.admissionregistration.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
validatingwebhookconfigurations.admissionregistration.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
apidocs.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
apischemadiscoveries.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
graphqlresolvermaps.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
graphqlschemas.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
graphqlstitchedschemas.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
portalgroups.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
portals.apimanagement.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
daemonsets.apps/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
deployments.apps/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
replicasets.apps/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
statefulsets.apps/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
ciliumnetworkpolicies.cilium.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
authconfigs.extauth.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
wasmdeploymentpolicies.extensions.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
gateways.gateway.networking.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
cloudproviders.infrastructure.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
cloudresources.infrastructure.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
istiooperators.install.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
certificaterequests.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
discoveredcnis.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
discoveredgateways.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
issuedcertificates.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
meshes.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
podbouncedirectives.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
portalconfigs.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
spireregistrationentries.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
xdsconfigs.internal.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
externalendpoints.networking.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
externalservices.networking.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
externalworkloads.networking.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
routetables.networking.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
virtualdestinations.networking.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
virtualgateways.networking.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
destinationrules.networking.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
envoyfilters.networking.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
gateways.networking.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
serviceentries.networking.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
sidecars.networking.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
virtualservices.networking.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
workloadentries.networking.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
workloadgroups.networking.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
networkpolicies.networking.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
accesslogpolicies.observability.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
ratelimitconfigs.ratelimit.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
clusterrolebindings.rbac.authorization.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
clusterroles.rbac.authorization.k8s.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
activehealthcheckpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
connectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
failoverpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
faultinjectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
listenerconnectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
outlierdetectionpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
retrytimeoutpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
trimproxyconfigpolicies.resilience.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
authorizationpolicies.security.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
peerauthentications.security.istio.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
accesspolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
clienttlspolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
corspolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
csrfpolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
dlppolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
extauthpolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
graphqlallowedquerypolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
jwtpolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
wafpolicies.security.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
httpbufferpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
mirrorpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
ratelimitpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
transformationpolicies.trafficcontrol.policy.gloo.solo.io/status | gloo-mesh-agent-gloo-mesh cluster role | get, update |
secrets | gloo-mesh-agent-gloo-mesh-gloo-mesh-namespaced cluster role | * (all) |
secrets/status | gloo-mesh-agent-gloo-mesh-gloo-mesh-namespaced cluster role | get, update |
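The wildcard `secrets` grant above is carried by a separate `-gloo-mesh-namespaced` cluster role precisely so that it can be bound with a namespaced RoleBinding instead of a ClusterRoleBinding. The following audit script is an added example, not code from the Gloo docs or project: it walks ClusterRole and binding objects in the shape that `kubectl get ... -o json` returns and reports, per service account, whether secrets access is cluster-wide or limited to a namespace. The manifests in it are constructed samples, and the `debug-tool` account and `secrets-everywhere` binding are hypothetical drift introduced to show what a finding looks like.

```python
"""Audit how RBAC bindings scope a component's secrets access.

Added example, not code from the Gloo docs or project. It inspects
ClusterRole, ClusterRoleBinding and RoleBinding objects as Python dicts
(the same shape as `kubectl get ... -o json` output) and reports, for each
ServiceAccount, whether its secrets permissions apply cluster-wide
(ClusterRoleBinding) or only inside one namespace (RoleBinding that
references a ClusterRole). All objects below are constructed samples.
"""
from collections import defaultdict


def verbs_on(role, resource, api_group=""):
    """Verbs a Role/ClusterRole grants on `resource` in `api_group` ('' = core)."""
    verbs = set()
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        if (api_group in groups or "*" in groups) and (resource in resources or "*" in resources):
            verbs.update(rule.get("verbs", []))
    return verbs


def service_accounts(binding):
    """'namespace/name' for every ServiceAccount subject of a binding."""
    return [f"{s['namespace']}/{s['name']}"
            for s in binding.get("subjects", []) if s.get("kind") == "ServiceAccount"]


def audit_secrets_scope(cluster_roles, cluster_role_bindings, role_bindings):
    """Return {sa: {"cluster": set(verbs), "namespaced": {ns: set(verbs)}}}.

    Only ClusterRole references are resolved; RoleBindings that point at a
    namespaced Role are out of scope for this check (assumption of the example).
    """
    by_name = {r["metadata"]["name"]: r for r in cluster_roles}
    report = defaultdict(lambda: {"cluster": set(), "namespaced": defaultdict(set)})
    for b in cluster_role_bindings:
        role = by_name.get(b["roleRef"]["name"])
        verbs = verbs_on(role, "secrets") if role else set()
        if not verbs:
            continue
        for sa in service_accounts(b):
            report[sa]["cluster"] |= verbs          # applies in every namespace
    for b in role_bindings:
        if b["roleRef"].get("kind") != "ClusterRole":
            continue
        role = by_name.get(b["roleRef"]["name"])
        verbs = verbs_on(role, "secrets") if role else set()
        if not verbs:
            continue
        for sa in service_accounts(b):
            report[sa]["namespaced"][b["metadata"]["namespace"]] |= verbs
    return report


def findings(report):
    """Human-readable lines; cluster-wide secrets access is flagged."""
    lines = []
    for sa, scope in sorted(report.items()):
        if scope["cluster"]:
            lines.append(f"FLAG {sa}: cluster-wide secrets verbs {sorted(scope['cluster'])}")
        for ns, verbs in sorted(scope["namespaced"].items()):
            lines.append(f"ok   {sa}: secrets verbs {sorted(verbs)} limited to namespace {ns}")
    return lines


# Constructed sample objects, not captured from a real cluster.
SECRETS_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "gloo-mesh-agent-gloo-mesh-gloo-mesh-namespaced"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["secrets/status"], "verbs": ["get", "update"]},
    ],
}
# Intended pattern: a RoleBinding scopes the ClusterRole to the gloo-mesh namespace.
NAMESPACED_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "agent-secrets", "namespace": "gloo-mesh"},
    "roleRef": {"kind": "ClusterRole", "name": SECRETS_ROLE["metadata"]["name"]},
    "subjects": [{"kind": "ServiceAccount", "name": "gloo-mesh-agent", "namespace": "gloo-mesh"}],
}
# Hypothetical drift to catch: the same ClusterRole bound cluster-wide to another account.
DRIFTED_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "secrets-everywhere"},
    "roleRef": {"kind": "ClusterRole", "name": SECRETS_ROLE["metadata"]["name"]},
    "subjects": [{"kind": "ServiceAccount", "name": "debug-tool", "namespace": "default"}],
}

if __name__ == "__main__":
    report = audit_secrets_scope([SECRETS_ROLE], [DRIFTED_BINDING], [NAMESPACED_BINDING])
    for line in findings(report):
        print(line)
```

To run it against a live cluster, feed the `items` lists from `kubectl get clusterroles,clusterrolebindings,rolebindings -A -o json` into `audit_secrets_scope` in place of the constructed samples.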
The Gloo UI needs read access to many Kubernetes resources and all Gloo custom resources so that it can display them in the dashboard.
Resource | Granted by | Allowed verbs |
---|---|---|
configmaps | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
namespaces | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
nodes | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
serviceaccounts | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
services | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
dashboards.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
extauthservers.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
gatewaylifecyclemanagers.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
istiolifecyclemanagers.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
kubernetesclusters.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
ratelimitserverconfigs.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
ratelimitserversettings.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
roottrustpolicies.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
waypointlifecyclemanagers.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
workspaces.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
workspacesettings.admin.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
apidocs.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
apischemadiscoveries.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
graphqlresolvermaps.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
graphqlschemas.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
graphqlstitchedschemas.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
portalgroups.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
portals.apimanagement.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
daemonsets.apps | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
deployments.apps | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
statefulsets.apps | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
ciliumnetworkpolicies.cilium.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
authconfigs.extauth.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
wasmdeploymentpolicies.extensions.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
gatewayclasses.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
gateways.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
grpcroutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
httproutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
referencegrants.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
tcproutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
tlsroutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
udproutes.gateway.networking.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
cloudproviders.infrastructure.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
cloudresources.infrastructure.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
istiooperators.install.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
discoveredcnis.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
discoveredgateways.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
meshes.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
portalconfigs.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
spireregistrationentries.internal.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
externalendpoints.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
externalservices.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
externalworkloads.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
routetables.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
virtualdestinations.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
virtualgateways.networking.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
destinationrules.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
envoyfilters.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
gateways.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
serviceentries.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
sidecars.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
virtualservices.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
workloadentries.networking.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
accesslogpolicies.observability.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
ratelimitconfigs.ratelimit.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
clusterrolebindings.rbac.authorization.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
clusterroles.rbac.authorization.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
rolebindings.rbac.authorization.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
roles.rbac.authorization.k8s.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
activehealthcheckpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
connectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
failoverpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
faultinjectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
graphqlpersistedquerycachepolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
listenerconnectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
outlierdetectionpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
retrytimeoutpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
trimproxyconfigpolicies.resilience.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
authorizationpolicies.security.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
peerauthentications.security.istio.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
accesspolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
clienttlspolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
corspolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
csrfpolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
dlppolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
extauthpolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
graphqlallowedquerypolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
jwtpolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
wafpolicies.security.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
headermanipulationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
httpbufferpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
loadbalancerpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
mirrorpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
proxyprotocolpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
ratelimitclientconfigs.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
ratelimitpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
transformationpolicies.trafficcontrol.policy.gloo.solo.io | gloo-mesh-ui-gloo-mesh cluster role | get, list, watch |
configmaps/status | gloo-mesh-ui-gloo-mesh cluster role | get, update |
dashboards.admin.gloo.solo.io/status | gloo-mesh-ui-gloo-mesh cluster role | get, update |
kubernetesclusters.admin.gloo.solo.io/status | gloo-mesh-ui-gloo-mesh cluster role | get, update |
secrets | gloo-mesh-ui-gloo-mesh-gloo-mesh-namespaced cluster role | get, list, watch |
secrets/status | gloo-mesh-ui-gloo-mesh-gloo-mesh-namespaced cluster role | get, update |
The Prometheus server needs access to various resources to collect metrics for cluster components and network traffic.
Resource | Granted by | Allowed verbs |
---|---|---|
configmaps | prometheus-server cluster role | get, list, watch |
endpoints | prometheus-server cluster role | get, list, watch |
ingresses | prometheus-server cluster role | get, list, watch |
nodes/metrics | prometheus-server cluster role | get, list, watch |
nodes/proxy | prometheus-server cluster role | get, list, watch |
nodes | prometheus-server cluster role | get, list, watch |
pods | prometheus-server cluster role | get, list, watch |
services | prometheus-server cluster role | get, list, watch |
ingresses.extensions/status | prometheus-server cluster role | get, list, watch |
ingresses.extensions | prometheus-server cluster role | get, list, watch |
ingresses.networking.k8s.io/status | prometheus-server cluster role | get, list, watch |
ingresses.networking.k8s.io | prometheus-server cluster role | get, list, watch |
/metrics | prometheus-server cluster role | get |
The OpenTelemetry (OTel) gateways and collectors need access to various resources to collect metrics, logs, and traces for the components in your cluster.
Resource | Granted by | Allowed verbs |
---|---|---|
configmaps | gloo-telemetry-* cluster roles | get, list, watch |
endpoints | gloo-telemetry-* cluster roles | get, list, watch |
ingresses | gloo-telemetry-* cluster roles | get, list, watch |
nodes/metrics | gloo-telemetry-* cluster roles | get, list, watch |
nodes/proxy | gloo-telemetry-* cluster roles | get, list, watch |
nodes | gloo-telemetry-* cluster roles | get, list, watch |
pods | gloo-telemetry-* cluster roles | get, list, watch |
services | gloo-telemetry-* cluster roles | get, list, watch |
ingresses.extensions/status | gloo-telemetry-* cluster roles | get, list, watch |
ingresses.extensions | gloo-telemetry-* cluster roles | get, list, watch |
ingresses.networking.k8s.io/status | gloo-telemetry-* cluster roles | get, list, watch |
ingresses.networking.k8s.io | gloo-telemetry-* cluster roles | get, list, watch |
/metrics endpoint | gloo-telemetry-* cluster roles | get |
Restrict default permissions
You can restrict the permissions for select Gloo components. By default, Gloo components use Kubernetes cluster roles and cluster role bindings to get access to resources on a cluster-wide level. To restrict these permissions, configure the namespacedRbac Helm option for select Gloo components during your Gloo installation or upgrade.
- Default behavior without namespacedRbac: Gloo creates separate cluster roles and cluster role bindings per component for the resources that can and cannot be restricted to namespaces. For resources that can be restricted by namespace, the cluster role and cluster role bindings have *-namespaced in their name.
- With namespacedRbac: Gloo creates roles and role bindings per component for the restricted resources in the selected namespaces, such as gloo-mesh. These roles and role bindings have *-namespaced in their name, such as gloo-mesh-mgmt-server-gloo-mesh-gloo-mesh-namespaced. Gloo still creates a cluster role and cluster role binding per component for all the other resources that the component needs access to.
Do not otherwise try to modify the default permissions by editing the Kubernetes cluster role or role for each component. Modifying the permissions can lead to unexpected results. If you need to modify other permissions such as for security compliance reasons, contact Support with your use case.
Gloo components that you can restrict access for:
- Gloo management server
- Gloo agent
- Gloo UI
Resources that you can restrict access to:
- Kubernetes secrets
At a minimum, you must allow access to the gloo-mesh namespace, or, if you used a different name, the namespace that your management server, UI, and agent are deployed to.
The following steps upgrade an existing Helm release to restrict the permissions of the management server, agent, and UI to Gloo namespaces only. The steps do not upgrade the Gloo Network management server or agent versions or otherwise change the components.
Check the Helm releases in your cluster.
helm ls -A
Get your current installation values.
helm get values gloo-platform -n gloo-mesh -o yaml > gloo-network-single-cluster.yaml
open gloo-network-single-cluster.yaml
Add the following settings in the sections for each component that you want to restrict Kubernetes RBAC permissions to namespaces. Keep in mind the following points:
- You can restrict only Kubernetes secrets.
- You must include the namespaces that the Gloo components are deployed to, such as gloo-mesh. If your namespaces have different names, replace these values.
- You add these values along with all the rest of the values in your Helm configuration file.
glooMgmtServer:
  enabled: true
  namespacedRbac:
    - resources:
        - secrets
      namespaces:
        - gloo-mesh
  ...

glooAgent:
  enabled: true
  namespacedRbac:
    - resources:
        - secrets
      namespaces:
        - gloo-mesh
  ...

glooUi:
  enabled: true
  namespacedRbac:
    - resources:
        - secrets
      namespaces:
        - gloo-mesh

common:
  cluster: ${CLUSTER_NAME}
glooAgent:
  enabled: true
  relay:
    serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900
  runAsSidecar: true
  namespacedRbac:
    - resources:
        - secrets
      namespaces:
        - gloo-mesh
glooAnalyzer:
  enabled: true
  runAsSidecar: true
glooMgmtServer:
  enabled: true
  policyApis:
    enabled: false
  registerCluster: true
  namespacedRbac:
    - resources:
        - secrets
      namespaces:
        - gloo-mesh
glooInsightsEngine:
  enabled: true
  runAsSidecar: true
glooUi:
  enabled: true
  namespacedRbac:
    - resources:
        - secrets
      namespaces:
        - gloo-mesh
licensing:
  glooMeshCoreLicenseKey: ${GLOO_MESH_CORE_LICENSE_KEY}
prometheus:
  enabled: true
redis:
  deployment:
    enabled: true
telemetryCollector:
  enabled: true
telemetryCollectorCustomization:
  pipelines:
    logs/cilium_flows:
      enabled: true
    metrics/cilium:
      enabled: true
telemetryGateway:
  enabled: false
Upgrade your Helm release with the namespaced RBAC restrictions. Be sure to include the Helm values file ($VALUES_FILE) that you previously created and the Gloo version of your current installation ($GLOO_VERSION).
helm upgrade -i gloo-platform gloo-platform/gloo-platform \
  --namespace gloo-mesh \
  --create-namespace \
  --values $VALUES_FILE \
  --version $GLOO_VERSION
Verify that your Gloo environment is healthy. Note that this check might take a few seconds to complete.
meshctl check
Confirm that the permissions are correct by checking the RBAC setup.
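Before running the upgrade, it helps to lint the values file against the three rules this page states: only the management server, agent, and UI can be restricted; only secrets can be restricted; and the namespace the components run in must stay allowed. The following script is an added example and is not part of the Gloo project; the sample values dict is constructed to mirror the page's Helm values, with one deliberately wrong entry, and the optional file wrapper assumes PyYAML is installed.

```python
# Lint namespacedRbac settings in Gloo Platform Helm values (added example,
# not Gloo's own tooling). Components and resources come from this page.
RESTRICTABLE_COMPONENTS = {"glooMgmtServer", "glooAgent", "glooUi"}
RESTRICTABLE_RESOURCES = {"secrets"}


def check_namespaced_rbac(values, install_namespace="gloo-mesh"):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    for component, spec in values.items():
        if not isinstance(spec, dict) or "namespacedRbac" not in spec:
            continue
        if component not in RESTRICTABLE_COMPONENTS:
            findings.append(f"{component}: namespacedRbac is only supported for "
                            f"{sorted(RESTRICTABLE_COMPONENTS)}")
            continue
        for i, entry in enumerate(spec["namespacedRbac"] or []):
            # Only Kubernetes secrets can be restricted to namespaces.
            unsupported = set(entry.get("resources", [])) - RESTRICTABLE_RESOURCES
            if unsupported:
                findings.append(f"{component}[{i}]: cannot restrict {sorted(unsupported)}")
            # The namespace the component itself runs in must stay allowed.
            if install_namespace not in entry.get("namespaces", []):
                findings.append(f"{component}[{i}]: namespaces must include {install_namespace}")
    # An enabled restrictable component without namespacedRbac keeps the
    # default cluster-wide secrets access described above.
    for component in sorted(RESTRICTABLE_COMPONENTS):
        spec = values.get(component) or {}
        if spec.get("enabled") and "namespacedRbac" not in spec:
            findings.append(f"{component}: enabled without namespacedRbac, "
                            "secrets access stays cluster-wide")
    return findings


def check_values_file(path, install_namespace="gloo-mesh"):
    """Parse a values YAML file and check it (requires PyYAML, an assumption)."""
    import yaml  # lazy import so the checker works without PyYAML installed
    with open(path) as fh:
        return check_namespaced_rbac(yaml.safe_load(fh) or {}, install_namespace)


# Constructed sample: glooAgent restricts an unsupported resource and omits
# gloo-mesh; glooUi is enabled but not restricted at all.
SAMPLE_VALUES = {
    "glooMgmtServer": {"enabled": True, "namespacedRbac": [
        {"resources": ["secrets"], "namespaces": ["gloo-mesh"]}]},
    "glooAgent": {"enabled": True, "namespacedRbac": [
        {"resources": ["secrets", "configmaps"], "namespaces": ["default"]}]},
    "glooUi": {"enabled": True},
    "prometheus": {"enabled": True},
}

if __name__ == "__main__":
    for finding in check_namespaced_rbac(SAMPLE_VALUES):
        print(finding)
```

Run it against your own file with check_values_file("gloo-network-single-cluster.yaml") before the helm upgrade; no findings means the restriction matches what this page allows.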