Configuring Permissions
Optimizer Hub requires specific Kubernetes permissions to function properly. All required permissions are scoped to the namespace level, and no cluster-level permissions are needed.
Overview
When you deploy Optimizer Hub to a Kubernetes cluster, you need to configure the permissions for the following pods:
- Operator: Manages deployment scaling and observability.
- Cache: Enables Hazelcast cluster formation and service discovery.
These components require only namespace-scoped permissions, making Optimizer Hub suitable for environments with strict security policies.
Operator Pod Permissions
The Optimizer Hub Helm chart includes the following Kubernetes API permissions for the operator pod:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: opthub-operator-role
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups:
      - apps
    resources:
      - deployments/scale
      - deployments
      - statefulsets/scale
      - statefulsets
    verbs:
      - get
      - update
      - patch
  - apiGroups:
      - ""
      - "metrics.k8s.io"
    resources:
      - pods
    verbs:
      - get
      - list
Note: The metrics.k8s.io permissions are optional and only required if you want the operator to observe and optimize based on runtime metrics.
Cache Pod Permissions
The Optimizer Hub Helm chart includes the following Kubernetes API permissions for the cache pod:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: opthub-cache-role
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups:
      - ""
    resources:
      - endpoints
      - pods
      - services
    verbs:
      - get
      - list
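
Added example (not part of the Optimizer Hub Helm chart or its documentation): a least-privilege check over the two Roles above. It expands each rule into the (apiGroup, resource, verb) grants that Kubernetes RBAC derives from it and reports wildcards, non-namespaced kinds, and write verbs outside an expected set. The rule data is transcribed from this page; the SCALABLE allow-list and the function names are assumptions of the example.

```python
from itertools import product

# Rules transcribed from the two Role manifests on this page.
OPERATOR_RULES = [
    {"apiGroups": ["apps"],
     "resources": ["deployments/scale", "deployments",
                   "statefulsets/scale", "statefulsets"],
     "verbs": ["get", "update", "patch"]},
    {"apiGroups": ["", "metrics.k8s.io"], "resources": ["pods"],
     "verbs": ["get", "list"]},
]
CACHE_RULES = [
    {"apiGroups": [""], "resources": ["endpoints", "pods", "services"],
     "verbs": ["get", "list"]},
]
READ_VERBS = {"get", "list", "watch"}
# Assumption of this example: the only objects the operator may modify.
SCALABLE = {("apps", r) for r in ("deployments", "deployments/scale",
                                  "statefulsets", "statefulsets/scale")}

def expand(rules):
    """Return every (apiGroup, resource, verb) grant.

    RBAC treats one rule as the cross product of its three lists, so a
    rule naming two apiGroups grants its verbs in both groups.
    """
    grants = set()
    for rule in rules:
        grants.update(product(rule["apiGroups"], rule["resources"], rule["verbs"]))
    return grants

def audit(kind, rules, writable=frozenset()):
    """Return a list of least-privilege findings (empty means clean)."""
    findings = []
    if kind != "Role":  # ClusterRole objects are not namespace-scoped
        findings.append(f"kind {kind} is not namespace-scoped")
    for group, resource, verb in sorted(expand(rules)):
        if "*" in (group, resource, verb):
            findings.append(f"wildcard grant {group!r}/{resource}:{verb}")
        elif verb not in READ_VERBS and (group, resource) not in writable:
            findings.append(f"unexpected write {verb} on {group!r}/{resource}")
    return findings

if __name__ == "__main__":
    for name, rules, writable in (("opthub-operator-role", OPERATOR_RULES, SCALABLE),
                                  ("opthub-cache-role", CACHE_RULES, frozenset())):
        print(name, len(expand(rules)), "grants;", audit("Role", rules, writable) or "clean")
```

Running the same audit against the rules of a rendered chart after an upgrade shows whether the granted permissions have grown beyond what this page documents.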