RBAC rules required by TiDB Operator
The role-based access control (RBAC) rules implemented in Kubernetes use Role or ClusterRole for management, and use RoleBinding or ClusterRoleBinding to grant permissions to a user or a group of users.
Manage TiDB clusters at the cluster level
If the default setting clusterScoped=true
is unchanged during the TiDB Operator deployment, TiDB Operator manages all TiDB clusters within a Kubernetes cluster.
To check the ClusterRole created for TiDB Operator, run the following command:
kubectl get clusterrole | grep tidb
The example output is as follows:
tidb-operator:tidb-controller-manager 2021-05-04T13:08:55Z
tidb-operator:tidb-scheduler 2021-05-04T13:08:55Z
In the output above:
tidb-operator:tidb-controller-manager
is the ClusterRole created for thetidb-controller-manager
Pod.tidb-operator:tidb-scheduler
is the ClusterRole created for thetidb-scheduler
Pod.
tidb-controller-manager
ClusterRole permissions
The following table lists the permissions corresponding to the tidb-controller-manager
ClusterRole.
Resource | Non-resource URLs | Resource name | Action | Explanation |
---|---|---|---|---|
events | - | - | [*] | Exports event information |
services | - | - | [*] | Control the access of the service resources |
statefulsets.apps.pingcap.com/status | - | - | [*] | Control the access of the StatefulSet resource when AdvancedStatefulSet=true . For more information, see Advanced StatefulSet Controller. |
statefulsets.apps.pingcap.com | - | - | [*] | Control the access of the StatefulSet resource when AdvancedStatefulSet=true . For more information, see Advanced StatefulSet Controller. |
controllerrevisions.apps | - | - | [*] | Control the version of Kubernetes StatefulSet/Daemonset |
deployments.apps | - | - | [*] | Control the access of the Deployment resource |
statefulsets.apps | - | - | [*] | Control the access of the Statefulset resource |
ingresses.extensions | - | - | [*] | Control the access of the Ingress resource for the monitoring system |
*.pingcap.com | - | - | [*] | Control the access of all customized resources under pingcap.com |
configmaps | - | - | [create get list watch update delete] | Control the access of the ConfigMap resource |
endpoints | - | - | [create get list watch update delete] | Control the access of the Endpoints resource |
serviceaccounts | - | - | [create get update delete] | Create ServiceAccount for the TidbMonitor/Discovery service |
clusterrolebindings.rbac.authorization.k8s.io | - | - | [create get update delete] | Create ClusterRoleBinding for the TidbMonitor service |
rolebindings.rbac.authorization.k8s.io | - | - | [create get update delete] | Create RoleBinding for the TidbMonitor/Discovery service |
secrets | - | - | [create update get list watch delete] | Control the access of the Secret resource |
clusterroles.rbac.authorization.k8s.io | - | - | [escalate create get update delete] | Create ClusterRole for the TidbMonitor service |
roles.rbac.authorization.k8s.io | - | - | [escalate create get update delete] | Create Role for the TidbMonitor/Discovery service |
persistentvolumeclaims | - | - | [get list watch create update delete patch] | Control the access of the PVC resource |
jobs.batch | - | - | [get list watch create update delete] | Use jobs to perform TiDB cluster initialization, backup, and restore operations |
persistentvolumes | - | - | [get list watch patch update] | Perform operations such as adding labels related to cluster information for PV and modifying persistentVolumeReclaimPolicy |
pods | - | - | [get list watch update delete] | Control the access of the Pod resource |
nodes | - | - | [get list watch] | Read node labels and set store labels for TiKV and TiFlash accordingly |
storageclasses.storage.k8s.io | - | - | [get list watch] | Verify whether StorageClass supports VolumeExpansion before expanding PVC storage |
- | [/metrics] | - | [get] | Read monitoring metrics |
tidb-scheduler
ClusterRole permissions
The following table lists the permissions corresponding to the tidb-scheduler
ClusterRole.
Resource | Non-resource URLs | Resource name | Action | Explanation |
---|---|---|---|---|
leases.coordination.k8s.io | - | - | [create] | Create lease resource locks for leader election |
endpoints | - | - | [delete get patch update] | Control the access of the Endpoints resource |
persistentvolumeclaims | - | - | [get list update] | Read PVC information of PD/TiKV and update the scheduling information to the PVC label |
configmaps | - | - | [get list watch] | Read the ConfigMap resource |
pods | - | - | [get list watch] | Read Pod information |
nodes | - | - | [get list] | Read node information |
leases.coordination.k8s.io | - | [tidb-scheduler] | [get update] | Read and update lease resource locks for leader election |
tidbclusters.pingcap.com | - | - | [get] | Read Tidbcluster information |
Manage TiDB clusters at the namespace level
If clusterScoped=false
is set during the TiDB Operator deployment, TiDB Operator manages TiDB clusters at the Namespace level.
To check the ClusterRole created for TiDB Operator, run the following command:
kubectl get clusterrole | grep tidbThe output is as follows:
tidb-operator:tidb-controller-manager 2021-05-04T13:08:55Ztidb-operator:tidb-controller-manager
is the ClusterRole created for thetidb-controller-manager
Pod.To check the roles created for TiDB Operator, run the following command:
kubectl get role -n tidb-adminThe example output is as follows:
tidb-admin tidb-operator:tidb-controller-manager 2021-05-04T13:08:55Z tidb-admin tidb-operator:tidb-scheduler 2021-05-04T13:08:55ZIn the output:
tidb-operator:tidb-controller-manager
is the role created for thetidb-controller-manager
Pod.tidb-operator:tidb-scheduler
is the role created for thetidb-scheduler
Pod.
tidb-controller-manager
ClusterRole permissions
The following table lists the permissions corresponding to the tidb-controller-manager
ClusterRole.
Resource | Non-resource URLs | Resource name | Action | Explanation |
---|---|---|---|---|
persistentvolumes | - | - | [get list watch patch update] | Perform operations such as adding labels related to cluster information for PV and modifying persistentVolumeReclaimPolicy |
nodes | - | - | [get list watch] | Read node Labels and set store Labels for TiKV and TiFlash accordingly |
storageclasses.storage.k8s.io | - | - | [get list watch] | Verify whether StorageClass supports VolumeExpansion before expanding PVC storage |
tidb-controller-manager
Role permissions
The following table lists the permissions corresponding to the tidb-controller-manager
Role.
Resource | Non-resource URLs | Resource name | Action | Explanation |
---|---|---|---|---|
events | - | - | [*] | Export event information |
services | - | - | [*] | Control the access of the service resources |
statefulsets.apps.pingcap.com/status | - | - | [*] | Control the access of the StatefulSet resource when AdvancedStatefulSet=true . For more information, see Advanced StatefulSet Controller. |
statefulsets.apps.pingcap.com | - | - | [*] | Control the access of the StatefulSet resource when AdvancedStatefulSet=true . For more information, see Advanced StatefulSet Controller. |
controllerrevisions.apps | - | - | [*] | Control the version of Kubernetes StatefulSet/Daemonset |
deployments.apps | - | - | [*] | Control the access of the Deployment resource |
statefulsets.apps | - | - | [*] | Control the access of the Statefulset resource |
ingresses.extensions | - | - | [*] | Control the access of the Ingress resource for the monitoring system |
*.pingcap.com | - | - | [*] | Control the access of all customized resources under pingcap.com |
configmaps | - | - | [create get list watch update delete] | Control the access of the ConfigMap resource |
endpoints | - | - | [create get list watch update delete] | Control the access of the Endpoints resource |
serviceaccounts | - | - | [create get update delete] | Create ServiceAccount for the TidbMonitor/Discovery service |
rolebindings.rbac.authorization.k8s.io | - | - | [create get update delete] | Create ClusterRoleBinding for the TidbMonitor service |
secrets | - | - | [create update get list watch delete] | Control the access of the Secret resource |
roles.rbac.authorization.k8s.io | - | - | [escalate create get update delete] | Create Role for the TidbMonitor/Discovery service |
persistentvolumeclaims | - | - | [get list watch create update delete patch] | Control the access of the PVC resource |
jobs.batch | - | - | [get list watch create update delete] | Use jobs to perform TiDB cluster initialization, backup, and restore operations |
pods | - | - | [get list watch update delete] | Control the access of the Pod resource |
tidb-scheduler
Role permissions
The following table lists the permissions corresponding to the tidb-scheduler
Role.
Resource | Non-resource URLs | Resource name | Action | Explanation |
---|---|---|---|---|
leases.coordination.k8s.io | - | - | [create] | Create lease resource locks for leader election |
endpoints | - | - | [delete get patch update] | Control the access of the Endpoints resource |
persistentvolumeclaims | - | - | [get list update] | Read PVC information of PD/TiKV and update the scheduling information to the PVC label |
configmaps | - | - | [get list watch] | Read the ConfigMap resource |
pods | - | - | [get list watch] | Read pod information |
nodes | - | - | [get list] | Read node information |
leases.coordination.k8s.io | - | [tidb-scheduler] | [get update] | Read and update lease resource locks for leader election |
tidbclusters.pingcap.com | - | - | [get] | Read Tidbcluster information |