Required Roles and Permissions

Table of Contents

Operator Pod Permissions
Cache Pod Permissions

Need help?

Schedule a consultation with an Azul performance expert.

Optimizer Hub requires specific Kubernetes roles and permissions to function properly. All required permissions are scoped to the namespace level, and no cluster-level permissions are needed.

When you deploy Optimizer Hub to a Kubernetes cluster, you need to configure the permissions for the following pods:

Operator: Manages deployment scaling and observability.
Cache: Enables Hazelcast cluster formation and service discovery.

These components require only namespace-scoped permissions, making Optimizer Hub suitable for environments with strict security policies.

Operator Pod Permissions

The Optimizer Hub helm chart includes the following Kubernetes API permissions:

 apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: opthub-operator-role
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups:
      - apps
    resources:
      - deployments/scale
      - deployments
      - statefulsets/scale
      - statefulsets
    verbs:
      - get
      - update
      - patch
  - apiGroups:
      - ""
      - "metrics.k8s.io"
    resources:
      - pods
    verbs:
      - get
      - list

Note	The `metrics.k8s.io` permissions are optional and only required if you want the operator to observe and optimize based on runtime metrics.

Cache Pod Permissions

The Optimizer Hub helm chart includes the following Kubernetes API permissions:

 apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: opthub-cache-role
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups:
      - ""
    resources:
      - endpoints
      - pods
      - services
    verbs:
      - get
      - list