
Permissions

🔐 Overview

This document outlines the required Kubernetes RBAC (Role-Based Access Control) permissions for each Kubesense service account. These permissions ensure that each component has the necessary access to interact with Kubernetes resources, monitor activity, and maintain observability.

Each Kubesense component, deployed as a DaemonSet or Deployment, requires specific APIGroup resources and permissions for its respective service account. Here is a breakdown of the required permissions for each:


📄 Logs Management - Logsensor Permissions

(Kind: DaemonSet)

The Logsensor requires read-only access to the Kubernetes default logs directory (/var/log/containers) to capture logs from all containers within the cluster. This setup allows it to monitor logs effectively without writing to the directory.

Directory Access:

  • /var/log/containers: Read-only access for log data collection.

📊 Kubernetes Observability - KubeSensor Permissions

(Kind: DaemonSet)

The Kubesensor uses eBPF to monitor Kubernetes resources and requires elevated permissions to read various Kubernetes resources across API groups. Because eBPF programs must be loaded into the kernel, it also runs as a privileged container.

The following table lists the API groups, required access levels, and resources necessary for Kubesensor:

| API Group                        | Access Level     | Resources                                                               |
|----------------------------------|------------------|-------------------------------------------------------------------------|
| "" (core)                        | get, list, watch | nodes, namespaces, configmaps, services, pods, replicationcontrollers   |
| apps                             | get, list, watch | daemonsets, deployments, replicasets, statefulsets                      |
| extensions, networking.k8s.io    | get, list, watch | ingresses                                                               |
| route.openshift.io               | get, list, watch | routes (for OpenShift environments)                                     |

Note: These permissions are essential for monitoring cluster-wide resources and maintaining real-time visibility into workloads, services, and network traffic.


🔍 Application Monitoring - Otel Agent Permissions

(Kind: Deployment)

The Otel Agent (OpenTelemetry Agent) gathers telemetry data from Kubernetes resources. To function correctly, it requires read access to nodes and events.

| API Group     | Access Level     | Resources                                   |
|---------------|------------------|---------------------------------------------|
| "" (core)     | get, list, watch | nodes, nodes/stats, nodes/proxy, events     |
| events.k8s.io | get, list, watch | events                                      |

These permissions enable the Otel Agent to monitor events and node metrics, providing valuable insights into cluster performance and application health.


📈 Cluster Data Collection - Kubecol Permissions

(Kind: Deployment)

The Kubecol component manages Kubernetes endpoint and service data. Unlike the other components, it needs write access (create and update) in addition to read access, but only for endpoints and services in the core API group.

| API Group | Access Level                     | Resources           |
|-----------|----------------------------------|---------------------|
| "" (core) | get, list, watch, create, update | endpoints, services |

Note: These permissions ensure that Kubecol can effectively aggregate and update service-related metrics for comprehensive data collection across the cluster.
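As an added example (not Kubesense's own code), the three permission tables above transcribed into a small script that renders each component's ClusterRole manifest and reports any verbs or resources a deployed role grants beyond the documented set, which is a quick way to check a cluster for RBAC drift. The ClusterRole names are assumptions.

```python
# Added example, not Kubesense's own code. Builds the documented ClusterRole
# rules for each component and audits a deployed role for extra permissions.
# Standard library only; the deployed role is a plain dict as returned by
# `kubectl get clusterrole <name> -o json` (or yaml.safe_load of the manifest).
from itertools import product

# Rules transcribed from the page's tables: (api_groups, verbs, resources).
RO = ("get", "list", "watch")
DOCUMENTED = {
    "kubesensor": [
        (("",), RO, ("nodes", "namespaces", "configmaps", "services",
                     "pods", "replicationcontrollers")),
        (("apps",), RO, ("daemonsets", "deployments", "replicasets", "statefulsets")),
        (("extensions", "networking.k8s.io"), RO, ("ingresses",)),
        (("route.openshift.io",), RO, ("routes",)),
    ],
    "otel-agent": [
        (("",), RO, ("nodes", "nodes/stats", "nodes/proxy", "events")),
        (("events.k8s.io",), RO, ("events",)),
    ],
    "kubecol": [
        (("",), RO + ("create", "update"), ("endpoints", "services")),
    ],
}


def cluster_role(component):
    """Render the documented rules for a component as a ClusterRole manifest."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": f"kubesense-{component}"},  # name is an assumption
        "rules": [{"apiGroups": list(g), "resources": list(r), "verbs": list(v)}
                  for g, v, r in DOCUMENTED[component]],
    }


def grants(rules):
    """Expand RBAC rules into the set of (group, resource, verb) triples they allow."""
    out = set()
    for rule in rules:
        out.update(product(rule["apiGroups"], rule["resources"], rule["verbs"]))
    return out


def excess_permissions(deployed_role, component):
    """Triples a deployed role grants beyond what the page documents for the
    component. Wildcards ("*") are never documented, so they are always reported."""
    documented = grants(cluster_role(component)["rules"])
    return sorted(grants(deployed_role["rules"]) - documented)
```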


Summary

Ensuring that each Kubesense component has the correct permissions is critical for maintaining the functionality and observability of your Kubernetes cluster. These permissions allow the components to interact with Kubernetes resources, monitor events, and gather essential data while adhering to security best practices.

For more detailed setup instructions, please refer to the Kubesense Installation Guide.