RBAC rules required by TiDB Operator
Therole-based access control (RBAC)rules implemented on Kubernetes use Role or ClusterRole for management, and use RoleBinding or ClusterRoleBinding to grant permissions to a user or a group of users.
Manage TiDB clusters at the cluster level
If the default settingclusterScoped = trueis unchanged during the TiDB Operator deployment, TiDB Operator manages all TiDB clusters within a Kubernetes cluster.
To check the ClusterRole created for TiDB Operator, run the following command:
kubectl get clusterrole | grep tidbThe example output is as follows:
tidb-operator:tidb-controller-manager 2021-05-04T13:08:55Z tidb-operator:tidb-scheduler 2021-05-04T13:08:55ZIn the output above:
tidb-operator:tidb-controller-manageris the ClusterRole created for thetidb-controller-managerPod.tidb-operator:tidb-scheduleris the ClusterRole created for thetidb-schedulerPod.
tidb-controller-managerClusterRole permissions
The following table lists the permissions corresponding to thetidb-controller-managerClusterRole.
| Resource | Non-resource URLs | 资源名称 | Action | Explanation |
|---|---|---|---|---|
| events | - | - | [*] | Exports event information |
| services | - | - | [*] | 控制的访问service resources |
| statefulsets.apps.m.rzhenli.com/status | - | - | [*] | 控制的访问StatefulSet resource whenAdvancedStatefulSet=true. For more information, seeAdvanced StatefulSet Controller. |
| statefulsets.apps.m.rzhenli.com | - | - | [*] | 控制的访问StatefulSet resource whenAdvancedStatefulSet=true. For more information, seeAdvanced StatefulSet Controller. |
| controllerrevisions.apps | - | - | [*] | Control the version of Kubernetes StatefulSet/Daemonset |
| deployments.apps | - | - | [*] | 控制的访问Deployment resource |
| statefulsets.apps | - | - | [*] | 控制的访问Statefulset resource |
| ingresses.extensions | - | - | [*] | 控制的访问Ingress resource for the monitoring system |
| *.m.rzhenli.com | - | - | [*] | Control the access of all customized resources under m.rzhenli.com |
| configmaps | - | - | [create get list watch update delete] | 控制的访问ConfigMap resource |
| endpoints | - | - | [create get list watch update delete] | 控制的访问Endpoints resource |
| serviceaccounts | - | - | [create get update delete] | Create ServiceAccount for the TidbMonitor/Discovery service |
| clusterrolebindings.rbac.authorization.k8s.io | - | - | [create get update delete] | 创建ClusterRoleBinding for the TidbMonitor service |
| rolebindings.rbac.authorization.k8s.io | - | - | [create get update delete] | Create RoleBinding for the TidbMonitor/Discovery service |
| secrets | - | - | [create update get list watch delete] | 控制的访问Secret resource |
| clusterroles.rbac.authorization.k8s.io | - | - | [escalate create get update delete] | Create ClusterRole for the TidbMonitor service |
| roles.rbac.authorization.k8s.io | - | - | [escalate create get update delete] | Create Role for the TidbMonitor/Discovery service |
| persistentvolumeclaims | - | - | [get list watch create update delete patch] | 控制的访问PVC resource |
| jobs.batch | - | - | [get list watch create update delete] | Use jobs to perform TiDB cluster initialization, backup, and restore operations |
| persistentvolumes | - | - | [get list watch patch update] | Perform operations such as adding labels related to cluster information for PV and modifyingpersistentVolumeReclaimPolicy |
| pods | - | - | [get list watch update delete] | 控制的访问Pod resource |
| nodes | - | - | [get list watch] | Read node labels and set store labels for TiKV and TiFlash accordingly |
| storageclasses.storage.k8s.io | - | - | [get list watch] | Verify whether StorageClass supportsVolumeExpansionbefore expanding PVC storage |
| - | [/metrics] | - | [get] | Read monitoring metrics |
tidb-schedulerClusterRole permissions
The following table lists the permissions corresponding to thetidb-schedulerClusterRole.
| Resource | Non-resource URLs | 资源名称 | Action | Explanation |
|---|---|---|---|---|
| leases.coordination.k8s.io | - | - | [create] | Create lease resource locks for leader election |
| endpoints | - | - | [delete get patch update] | 控制的访问Endpoints resource |
| persistentvolumeclaims | - | - | [get list update] | Read PVC information of PD/TiKV and update the scheduling information to the PVC label |
| configmaps | - | - | [get list watch] | Read the ConfigMap resource |
| pods | - | - | [get list watch] | Read Pod information |
| nodes | - | - | [get list] | Read node information |
| leases.coordination.k8s.io | - | [tidb-scheduler] | [get update] | Read and update lease resource locks for leader election |
| tidbclusters.m.rzhenli.com | - | - | [get] | Read Tidbcluster information |
Manage TiDB clusters at the namespace level
IfclusterScoped=falseis set during the TiDB Operator deployment, TiDB Operator manages TiDB clusters at the Namespace level.
To check the ClusterRole created for TiDB Operator, run the following command:
kubectl get clusterrole | grep tidbThe output is as follows:
tidb-operator:tidb-controller-manager 2021-05-04T13:08:55Ztidb-operator:tidb-controller-manageris the ClusterRole created for thetidb-controller-managerPod.To check the roles created for TiDB Operator, run the following command:
kubectl get role -n tidb-adminThe example output is as follows:
tidb-admin tidb-operator:tidb-controller-manager 2021-05-04T13:08:55Z tidb-admin tidb-operator:tidb-scheduler 2021-05-04T13:08:55ZIn the output:
tidb-operator:tidb-controller-manageris the role created for thetidb-controller-managerPod.tidb-operator:tidb-scheduleris the role created for thetidb-schedulerPod.
tidb-controller-managerClusterRole permissions
The following table lists the permissions corresponding to thetidb-controller-managerClusterRole.
| Resource | Non-resource URLs | 资源名称 | Action | Explanation |
|---|---|---|---|---|
| persistentvolumes | - | - | [get list watch patch update] | Perform operations such as adding labels related to cluster information for PV and modifyingpersistentVolumeReclaimPolicy |
| nodes | - | - | [get list watch] | Read node Labels and set store Labels for TiKV and TiFlash accordingly |
| storageclasses.storage.k8s.io | - | - | [get list watch] | Verify whether StorageClass supportsVolumeExpansionbefore expanding PVC storage |
tidb-controller-managerRole permissions
The following table lists the permissions corresponding to thetidb-controller-managerRole.
| Resource | Non-resource URLs | 资源名称 | Action | Explanation |
|---|---|---|---|---|
| events | - | - | [*] | Export event information |
| services | - | - | [*] | 控制的访问service resources |
| statefulsets.apps.m.rzhenli.com/status | - | - | [*] | 控制的访问StatefulSet resource whenAdvancedStatefulSet=true. For more information, seeAdvanced StatefulSet Controller. |
| statefulsets.apps.m.rzhenli.com | - | - | [*] | 控制的访问StatefulSet resource whenAdvancedStatefulSet=true. For more information, seeAdvanced StatefulSet Controller. |
| controllerrevisions.apps | - | - | [*] | Control the version of Kubernetes StatefulSet/Daemonset |
| deployments.apps | - | - | [*] | 控制的访问Deployment resource |
| statefulsets.apps | - | - | [*] | 控制的访问Statefulset resource |
| ingresses.extensions | - | - | [*] | 控制的访问Ingress resource for the monitoring system |
| *.m.rzhenli.com | - | - | [*] | Control the access of all customized resources under m.rzhenli.com |
| configmaps | - | - | [create get list watch update delete] | 控制的访问ConfigMap resource |
| endpoints | - | - | [create get list watch update delete] | 控制的访问Endpoints resource |
| serviceaccounts | - | - | [create get update delete] | Create ServiceAccount for the TidbMonitor/Discovery service |
| rolebindings.rbac.authorization.k8s.io | - | - | [create get update delete] | 创建ClusterRoleBinding for the TidbMonitor service |
| secrets | - | - | [create update get list watch delete] | 控制的访问Secret resource |
| roles.rbac.authorization.k8s.io | - | - | [escalate create get update delete] | Create Role for the TidbMonitor/Discovery service |
| persistentvolumeclaims | - | - | [get list watch create update delete patch] | 控制的访问PVC resource |
| jobs.batch | - | - | [get list watch create update delete] | Use jobs to perform TiDB cluster initialization, backup, and restore operations |
| pods | - | - | [get list watch update delete] | 控制的访问Pod resource |
tidb-schedulerRole permissions
The following table lists the permissions corresponding to thetidb-schedulerRole.
| Resource | Non-resource URLs | 资源名称 | Action | Explanation |
|---|---|---|---|---|
| leases.coordination.k8s.io | - | - | [create] | Create lease resource locks for leader election |
| endpoints | - | - | [delete get patch update] | 控制的访问Endpoints resource |
| persistentvolumeclaims | - | - | [get list update] | Read PVC information of PD/TiKV and update the scheduling information to the PVC label |
| configmaps | - | - | [get list watch] | Read the ConfigMap resource |
| pods | - | - | [get list watch] | Read pod information |
| nodes | - | - | [get list] | Read node information |
| leases.coordination.k8s.io | - | [tidb-scheduler] | [get update] | Read and update lease resource locks for leader election |
| tidbclusters.m.rzhenli.com | - | - | [get] | Read Tidbcluster information |
Was this page helpful?