From 28562b45c8023bd626d79a4d53e8dd3d79e606a9 Mon Sep 17 00:00:00 2001 From: Justin Marquis Date: Fri, 13 Dec 2024 10:41:22 -0800 Subject: [PATCH 1/2] docs: Kargo role matrix Signed-off-by: Justin Marquis --- .../30-managing-user-permissions.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/docs/30-how-to-guides/30-managing-user-permissions.md b/docs/docs/30-how-to-guides/30-managing-user-permissions.md index 57aabce2a..9453a966a 100644 --- a/docs/docs/30-how-to-guides/30-managing-user-permissions.md +++ b/docs/docs/30-how-to-guides/30-managing-user-permissions.md @@ -273,6 +273,21 @@ kargo delete role developer --project kargo-demo role.rbac.kargo.akuity.io/developer deleted ``` +## Kargo Role Matrix + +The table below outlines the maximum rules required based on the `kargo-admin` ClusterRole. When specifying verbs, it's recommended to apply the principle of least privilege, ensuring access is limited to what is necessary for the specific role. + +| **API Groups** | **Resources** | **Verbs** | +|-----------------------------|------------------------------------------------|-----------------------------------------------------| +| `""` | `events`, `namespaces`, `serviceaccounts` | `get`, `list`, `watch` | +| `rbac.authorization.k8s.io` | `rolebindings`, `roles` | `get`, `list`, `watch` | +| `kargo.akuity.io` | `freights`, `projects`, `stages`, `warehouses` | `*` | +| `kargo.akuity.io` | `stages` | `promote` | +| `kargo.akuity.io` | `promotions` | `create`, `delete`, `get`, `list`, `watch` | +| `kargo.akuity.io` | `freights/status` | `patch` | +| `argoproj.io` | `analysisruns` | `delete`, `get`, `list`, `watch` | +| `argoproj.io` | `analysistemplates` | `*` | + ## Global Mappings In cases where certain, broad sets of permissions may be required by a large From 8c007bdd84eac4c39b56a5798e09a185034fede5 Mon Sep 17 00:00:00 2001 From: Justin Marquis Date: Fri, 13 Dec 2024 12:09:06 -0800 Subject: [PATCH 2/2] add patch verb for promotion resource Signed-off-by: Justin Marquis --- docs/docs/30-how-to-guides/30-managing-user-permissions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/30-how-to-guides/30-managing-user-permissions.md b/docs/docs/30-how-to-guides/30-managing-user-permissions.md index 9453a966a..ff57fa38d 100644 --- a/docs/docs/30-how-to-guides/30-managing-user-permissions.md +++ b/docs/docs/30-how-to-guides/30-managing-user-permissions.md @@ -283,7 +283,7 @@ The table below outlines the maximum rules required based on the `kargo-admin` C | `rbac.authorization.k8s.io` | `rolebindings`, `roles` | `get`, `list`, `watch` | | `kargo.akuity.io` | `freights`, `projects`, `stages`, `warehouses` | `*` | | `kargo.akuity.io` | `stages` | `promote` | -| `kargo.akuity.io` | `promotions` | `create`, `delete`, `get`, `list`, `watch` | +| `kargo.akuity.io` | `promotions` | `create`, `delete`, `get`, `list`, `patch`, `watch` | | `kargo.akuity.io` | `freights/status` | `patch` | | `argoproj.io` | `analysisruns` | `delete`, `get`, `list`, `watch` | | `argoproj.io` | `analysistemplates` | `*` |