Skip to main content

Kubernetes Permissions

This section documents the different components of the Signadot Operator with a description of their functionality and usage of permissions that they request.

The roles specified below are cluster-wide unless stated otherwise. Sandboxes can be created to test different versions of Kubernetes workloads that are running in different namespaces within a Kubernetes cluster. When a Sandbox is created, it forks a specified "baseline" workload and creates a modified version for testing in the same namespace. This is required to ensure that it can function correctly by attaching the same secrets and configmaps as the baseline workload.


The Agent component connects to the Signadot control plane and is responsible for creating an encrypted tunnel between the control plane and your cluster. It enables the creation and management of Sandboxes.

SignadotSandboxes SignadotRoutesread / writeUsed to declaratively specify Signadot Sandboxes and Routing for those Sandboxes.
Pods Pods/log ServicesreadMonitoring and reporting status of pods / services that belong within a Sandbox.
ConfigMapsreadUsed to enable users to read ConfigMaps associated with workloads running within a Sandbox via the Signadot Dashboard.
NamespacesreadUsed to obtain a list of namespaces to present options when creating Sandboxes via the Dashboard.
Eventsread / writeUsed to create Kubernetes events for reporting status from the Signadot operator.
Deployments Replicasets Argo RolloutsreadReporting runtime information of workloads running within each Sandbox.

Route Server

The Route Server component is responsible for serving specific routes corresponding to a particular Sandbox. These routes ensure that requests intended for a particular Sandbox reach it correctly.

SignadotRoutesreadThe route server reads from instances of the SignadotRoute CRD to determine valid Sandbox routes.

Controller Manager

The Controller Manager component is responsible for setting up all resources associated with a Sandbox. This includes forking a workload (Deployment, Argo Rollout, etc), setting up a SignadotRoute, a Kubernetes service and running any additional provisioning logic required per Sandbox.

SignadotSandboxes SignadotRoutes SignadotResourcesread / writeCRD objects created and managed by Signadot that contain declarative specifications of Sandboxes, Routes and Resources associated with them.
Deployments Replicasets Argo Rollouts Istio Virtualservices Jobs ConfigMaps Servicesread / writeUsed to create and manage workloads associated with Sandboxes. Note that resources not associated with a Sandbox are never modified by the controller-manager.
Signadot Mutating Webhook Configurationread / writeUsed to manage the Signadot mutating webhook that is used to dynamically inject routing sidecars to enable dynamic routing.