RBAC & Permissions
Kubernetes RBAC roles and permissions used by each DevZero operator.
Each DevZero operator uses a dedicated ServiceAccount with a minimal ClusterRole following the principle of least privilege.
Read Operator (zxporter)
Namespace: devzero-zxporter
ClusterRole permissions:
| Resource | Verbs |
|---|---|
| Nodes, Pods, Deployments, StatefulSets, DaemonSets, ReplicaSets | get, list, watch |
| Services, Endpoints, Ingresses, NetworkPolicies | get, list, watch |
| PersistentVolumes, PersistentVolumeClaims, StorageClasses | get, list, watch |
| Namespaces, ServiceAccounts, ConfigMaps (metadata only) | get, list, watch |
| HPAs, VPAs, PDBs, PriorityClasses | get, list, watch |
| ResourceQuotas, LimitRanges | get, list, watch |
| Karpenter CRDs (NodePools, NodeClaims) | get, list, watch |
| Secrets | No access |
The Read Operator has zero write permissions -- it cannot create, update, patch, or delete any resource.
Write Operator (dakr-op)
Namespace: dakr-operator
ClusterRole permissions:
| Resource | Verbs |
|---|---|
| Deployments, StatefulSets, DaemonSets | get, list, watch, patch, update |
| HPAs | get, list, watch, patch, update |
| Pods | get, list, watch |
| WorkloadRecommendations, NodeGroupRecommendations (CRDs) | get, list, watch, create, update, patch, delete |
| CheckpointRestores (CRDs) | get, list, watch, create, update, patch, delete |
The Write Operator can only modify Deployments, StatefulSets, DaemonSets, and HPAs -- it cannot access Secrets, ConfigMaps, or other sensitive resources.
Security Operator
Namespace: dakr-security-system
ClusterRole permissions:
| Resource | Verbs |
|---|---|
| All workload types | get, list, watch |
| VulnerabilityReports, ConfigAuditReports (CRDs) | Full CRUD |
| ClusterComplianceReports (CRDs) | Full CRUD |
| Jobs (for scan execution) | create, delete |
The Security Operator reads workload metadata to determine what to scan. It creates Jobs to run Trivy scanners and stores results as CRDs.
Node Operator
Namespace: karpenter
ClusterRole permissions:
| Resource | Verbs |
|---|---|
| Nodes | Full lifecycle management |
| Pods | get, list, watch, eviction |
| NodePools, NodeClaims, EC2NodeClasses (CRDs) | Full CRUD |
| Cloud provider APIs | Instance launch, termination |
Scheduler (dz-scheduler)
Namespace: kube-system
ClusterRole permissions:
| ClusterRole | Permissions |
|---|---|
| dz-scheduler-kube-scheduler | Create/patch events, manage leases, get/list/watch nodes and pods, create pod bindings, patch pod status, get/list/watch workloads and storage resources |
| dz-scheduler-volume-scheduler | Get/list/patch/update/watch PersistentVolumes, PersistentVolumeClaims, StorageClasses |
| dz-scheduler-configmap-reader | Get/watch/list ConfigMaps |
The Scheduler runs with system-cluster-critical priority and tolerates all taints. It has standard kube-scheduler permissions plus read access to ConfigMaps for token resolution.
Auditing Permissions
Verify what permissions an operator actually has:
```bash
# Check Read Operator's ClusterRole
kubectl describe clusterrole devzero-zxporter-manager-roleresources

# Check Write Operator's ClusterRole
kubectl describe clusterrole dakr-operator-role

# Check Scheduler's ClusterRoles
kubectl describe clusterrole dz-scheduler-kube-scheduler
kubectl describe clusterrole dz-scheduler-volume-scheduler

# Test specific permissions
kubectl auth can-i get secrets --as=system:serviceaccount:devzero-zxporter:devzero-zxporter-controller-manager
# Expected: no
```
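The `kubectl describe` and `kubectl auth can-i` checks above inspect one permission at a time. The script below is an added example (not DevZero's own tooling) that audits a whole ClusterRole, as returned by `kubectl get clusterrole <name> -o json`, against the two properties the tables on this page promise: the Read Operator grants no write verbs and no access to Secrets, and the Write Operator mutates only Deployments, StatefulSets, DaemonSets and HPAs. The ClusterRole documents embedded in the script are constructed to mirror those tables; their names and the exact rule layout are assumptions, not DevZero's actual manifests.

```python
"""Audit a Kubernetes ClusterRole JSON document against a least-privilege policy.

Added example, not DevZero's code. Run offline on the constructed samples below,
or pipe a live role in:  kubectl get clusterrole <name> -o json | python audit_rbac.py
"""
import json
import sys

# Verbs that mutate cluster state; a read-only role must grant none of these.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Resources a DevZero operator should never be able to read or write.
SENSITIVE_RESOURCES = {"secrets"}


def flatten_rules(clusterrole):
    """Expand a ClusterRole's rules into (apiGroup, resource, verb) triples.

    Wildcards stay as the literal "*" so the auditor can flag them explicitly.
    """
    for rule in clusterrole.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    yield (group, resource, verb)


def audit_clusterrole(clusterrole, allow_write_on=frozenset()):
    """Return human-readable findings for grants that violate the expected policy.

    allow_write_on: plural, lowercase resource names the role may mutate
    (empty for a read-only role). Every other write verb is reported, as is any
    wildcard grant and any access to a sensitive resource.
    """
    findings = []
    for group, resource, verb in flatten_rules(clusterrole):
        label = f"{group or 'core'}/{resource}"
        if "*" in (group, resource, verb):
            findings.append(f"wildcard grant: {label} {verb}")
        elif resource in SENSITIVE_RESOURCES:
            findings.append(f"sensitive resource: {label} {verb}")
        elif verb in WRITE_VERBS and resource not in allow_write_on:
            findings.append(f"unexpected write: {label} {verb}")
    return findings


# Constructed sample mirroring the Read Operator table (assumed layout, not DevZero's manifest).
READ_OPERATOR_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-read-operator"},
    "rules": [
        {"apiGroups": [""], "resources": ["nodes", "pods", "namespaces", "configmaps"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets", "daemonsets"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed sample mirroring the Write Operator table (assumed layout).
WRITE_OPERATOR_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-write-operator"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets", "daemonsets"],
         "verbs": ["get", "list", "watch", "patch", "update"]},
        {"apiGroups": ["autoscaling"], "resources": ["horizontalpodautoscalers"],
         "verbs": ["get", "list", "watch", "patch", "update"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    ],
}
# The only resources the Write Operator is expected to mutate.
WRITE_OPERATOR_ALLOWED = frozenset(
    {"deployments", "statefulsets", "daemonsets", "horizontalpodautoscalers"})

# Constructed drifted role: the read role plus two grants the audit must catch.
DRIFTED_READ_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-read-operator-drifted"},
    "rules": READ_OPERATOR_ROLE["rules"] + [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["patch"]},
    ],
}


def main():
    """Audit a ClusterRole read from stdin with the read-only policy."""
    role = json.load(sys.stdin)
    for finding in audit_clusterrole(role) or ["no findings"]:
        print(finding)


if __name__ == "__main__":
    main()
```

Run it against a live role with `kubectl get clusterrole <clusterrole-name> -o json | python audit_rbac.py`; an empty finding list for the Read Operator's role confirms the "zero write permissions" and "no access to Secrets" claims in one pass, and passing `allow_write_on` for the Write Operator's role checks that its write verbs stay confined to the four workload types the table lists. Note that the audit inspects only the ClusterRole's own rules; bindings to additional Roles or ClusterRoles for the same ServiceAccount must be checked separately.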