From ed2d1a643030328aef216628de48ee8c779dce11 Mon Sep 17 00:00:00 2001 From: akuitybot <105087302+akuitybot@users.noreply.github.com> Date: Fri, 13 Dec 2024 16:20:14 -0800 Subject: [PATCH] chore(backport release-1.1): docs: Kargo role matrix (#3137) Co-authored-by: Justin Marquis <76892343+34fathombelow@users.noreply.github.com> Co-authored-by: Kent Rancourt --- .../30-managing-user-permissions.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/docs/30-how-to-guides/30-managing-user-permissions.md b/docs/docs/30-how-to-guides/30-managing-user-permissions.md index 57aabce2a..ff57fa38d 100644 --- a/docs/docs/30-how-to-guides/30-managing-user-permissions.md +++ b/docs/docs/30-how-to-guides/30-managing-user-permissions.md @@ -273,6 +273,21 @@ kargo delete role developer --project kargo-demo role.rbac.kargo.akuity.io/developer deleted ``` +## Kargo Role Matrix + +The table below outlines the maximum rules required based on the `kargo-admin` ClusterRole. When specifying verbs, it's recommended to apply the principle of least privilege, ensuring access is limited to what is necessary for the specific role. + +| **API Groups** | **Resources** | **Verbs** | +|-----------------------------|------------------------------------------------|-----------------------------------------------------| +| `""` | `events`, `namespaces`, `serviceaccounts` | `get`, `list`, `watch` | +| `rbac.authorization.k8s.io` | `rolebindings`, `roles` | `get`, `list`, `watch` | +| `kargo.akuity.io` | `freights`, `projects`, `stages`, `warehouses` | `*` | +| `kargo.akuity.io` | `stages` | `promote` | +| `kargo.akuity.io` | `promotions` | `create`, `delete`, `get`, `list`, `patch`, `watch` | +| `kargo.akuity.io` | `freights/status` | `patch` | +| `argoproj.io` | `analysisruns` | `delete`, `get`, `list`, `watch` | +| `argoproj.io` | `analysistemplates` | `*` | + ## Global Mappings In cases where certain, broad sets of permissions may be required by a large