Permission Description
This document provides a detailed description of the permissions required for SmartAgent Operator to run in a Kubernetes environment. Depending on the deployment mode (Full-stack or Application-only monitoring), the required resources and permissions vary. This document categorizes and explains the Kubernetes resources and their permission requirements under different deployment modes, helping users configure permissions correctly to ensure SmartAgent runs properly.
For users who focus on permission minimization, the document specifically marks optional permissions and read-only permissions, so that you can trim the permission configuration according to actual needs.
kubernetes.yaml (Full-stack or Application-only)
[Application-only Monitoring]: Refers to the resources required in the application-only monitoring mode.
[Full-stack]: Refers to the resources required in the full-stack deployment mode.
[Read-only]: Refers to permissions that only include get, list, watch, etc.
[Write permission optional]: Indicates that create, update, patch permissions can be removed.
[Optional]: Indicates that the marked permission or resource can be removed.
| Resource Type | Name | Description |
|---|---|---|
| CRD | smartkubes.bonree.com | Extends Kubernetes resource types to define agent configuration items, allowing agent deployment adjustments based on configuration in real time. |
| Deployment | smartagent-operator | Listens for Kubernetes custom resource (SmartKube) configuration changes, manages agent deployment accordingly, records deployment status and events; updates Secret: bonree-webhook-certs (used to store Webhook certificates), etc. |
| ServiceAccount | smartagent-operator | Used to restrict permissions of Deployment: smartagent-operator. |
| Role [Read/Write] | smartagent-operator | Used to restrict access to resources in the bonree-agent namespace. Write permissions: management of the DaemonSet, webhook and other components. |
| RoleBinding | smartagent-operator | Binds Role: smartagent-operator with ServiceAccount: smartagent-operator. |
| ClusterRole, ClusterRoleBinding | smartagent-operator | Used to restrict access to cluster-wide resources. [Optional] Write permissions. |
| ServiceAccount [Full-stack] | bonree-smartkube-smartagent | [Optional] Used to enhance SmartAgent full-stack monitoring mode by collecting Kubernetes attributes. |
| ClusterRole, ClusterRoleBinding [Full-stack] | bonree-smartagent-enhance | [Optional] Used to enhance SmartAgent full-stack monitoring mode by collecting Kubernetes attributes: Service, Namespace, UID, OwnerReferences, Pod IP addresses. |
| Deployment, Service, MutatingWebhookConfiguration [Application-only] | bonree-webhook | See kubernetes-webhook-only.yaml for details. |
kubernetes-webhook-only.yaml (Application-only)
Note: CSI Driver-based agent injection is not supported.
[Read-only]: Refers to permissions that only include get, list, watch, etc.
[Write permission optional]: Indicates that create, update, patch permissions can be removed.
[Optional]: Indicates that the marked permission or resource can be removed.
| Resource Type | Name | Description |
|---|---|---|
| CRD (Custom Resource) | smartkubes.bonree.com | Extends Kubernetes resource type (SmartKube) to define agent configuration items, allowing agent deployment adjustments based on configuration in real time. |
| Deployment, Service, MutatingWebhookConfiguration | bonree-webhook | Based on Kubernetes Admission Webhooks, listens for changes to Pod resources in Kubernetes and modifies Pod configurations according to the SmartKube custom resource configuration. Appends an Init Container to target Pods to deploy serverless agents and configure LD_PRELOAD and other environment variables, enabling automatic agent injection. |
| ServiceAccount | bonree-webhook | Used to restrict permissions of Deployment: bonree-webhook. |
| Role [Read/Write] [Write permission optional] | bonree-webhook | Used to restrict access to resources in the bonree-agent namespace. [Optional] Write permission: events, used to record serverless agent injection events into SmartKube resource instances. |
| RoleBinding | bonree-webhook | Binds Role: bonree-webhook with ServiceAccount: bonree-webhook. |
| ClusterRole [Read/Write] [Write permission optional] | bonree-webhook | Used to restrict access to cluster-wide resources. [Optional] Read/Write permission: secrets, used to create injection information (including agent-sensitive configuration) in the target Pod's namespace, accessible by the initContainer. If this permission is not granted, environment variables (env) are used instead. |
| ClusterRoleBinding | bonree-webhook | Binds ClusterRole: bonree-webhook with ServiceAccount: bonree-webhook. |
| Secret | bonree-webhook-certs | Stores Webhook service private key and certificate. |
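The tables mark some permissions as [Write permission optional] or [Optional] (events and secrets for bonree-webhook above; the same markers appear in the other manifests). The following Python is an added example, not code from the SmartAgent Operator project: it trims those verbs/resources from a rule list and then evaluates the result with a minimal RBAC matcher so you can confirm what the ServiceAccount can still do. The rule list is a constructed approximation of the table above, not the contents of the real kubernetes-webhook-only.yaml.

```python
import copy

WRITE_VERBS = {"create", "update", "patch"}  # the verbs the page calls "write"

# Constructed approximation of the bonree-webhook rules (not the real manifest).
WEBHOOK_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["bonree.com"], "resources": ["smartkubes"], "verbs": ["get", "list", "watch"]},
    # [Write permission optional]: create/patch on events only record injection events
    {"apiGroups": [""], "resources": ["events"], "verbs": ["get", "list", "watch", "create", "patch"]},
    # [Optional]: secrets hold agent-sensitive injection info; without it, env vars are used
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch", "create", "update", "patch"]},
]


def minimize(rules, write_optional=(), optional=()):
    """Return a trimmed copy of `rules`.

    write_optional: resources whose create/update/patch verbs are removed.
    optional:       resources removed entirely (all verbs).
    Rules left with no verbs or no resources are dropped.
    """
    trimmed = []
    for rule in copy.deepcopy(rules):
        rule["resources"] = [r for r in rule["resources"] if r not in set(optional)]
        if set(rule["resources"]) & set(write_optional):
            rule["verbs"] = [v for v in rule["verbs"] if v not in WRITE_VERBS]
        if rule["resources"] and rule["verbs"]:
            trimmed.append(rule)
    return trimmed


def allows(rules, verb, resource, api_group=""):
    """Minimal RBAC evaluation: allowed if any rule matches group, resource
    and verb. '*' is a wildcard in each field, as in Kubernetes RBAC."""
    for rule in rules:
        if api_group not in rule["apiGroups"] and "*" not in rule["apiGroups"]:
            continue
        if resource not in rule["resources"] and "*" not in rule["resources"]:
            continue
        if verb in rule["verbs"] or "*" in rule["verbs"]:
            return True
    return False


if __name__ == "__main__":
    minimal = minimize(WEBHOOK_RULES, write_optional={"events"}, optional={"secrets"})
    for verb, res in [("create", "events"), ("list", "events"), ("get", "secrets"), ("list", "pods")]:
        print(f"{verb:6} {res:8} -> {allows(minimal, verb, res)}")
```

Against a live cluster the same questions can be put to the API server with `kubectl auth can-i create events --as=system:serviceaccount:bonree-agent:bonree-webhook -n bonree-agent`, which evaluates the bound Role and ClusterRole rather than a copy of them.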
kubernetes-csi.yaml [Optional]
Used in application-only monitoring mode: caches serverless agents on the nodes and provides temporary volumes for injection.
| Resource Type | Name | Description |
|---|---|---|
| Daemonset | bonree-smartagent-csi-driver | Based on the interface settings in the SmartKube custom resource, caches agent versions on demand and provides the required CSI driver interfaces, so that agent module files can be securely mounted into Pods without modifying the application container image or configuration. |
| ServiceAccount | bonree-smartagent-csi-driver | Used to restrict permissions of Daemonset: bonree-smartagent-csi-driver. |
| Role [Read/Write] | bonree-smartagent-csi-driver | Used to restrict access to resources in the bonree-agent namespace. Write permissions: endpoints, used to provide CSI interfaces. |
| RoleBinding | bonree-smartagent-csi-driver | Binds Role: bonree-smartagent-csi-driver with ServiceAccount: bonree-smartagent-csi-driver. |
| ClusterRole [Read/Write] | bonree-smartagent-csi-driver | Used to restrict access to cluster-wide resources. Write permissions: events, used to create mount events. |
| ClusterRoleBinding | bonree-smartagent-csi-driver | Binds ClusterRole: bonree-smartagent-csi-driver with ServiceAccount: bonree-smartagent-csi-driver. |
| CSIDriver | csi.smartagent.bonree.com | Provides temporary volumes containing serverless agent files for target Pods. |
| PriorityClass | bonree-high-priority | Increases the scheduling priority of Daemonset: bonree-smartagent-csi-driver Pods. |