Shuttle RBAC

ClusterRole (operates across all project namespaces):

Core resources:

  • pods: get, list, watch
  • nodes: get, list, watch
  • namespaces: get, list, watch, create, update, patch, delete
  • services: get, list, watch, create, update, patch, delete
  • configmaps: get, list, watch, create, update, patch, delete
  • secrets: get, list, watch, create, update, patch, delete
  • serviceaccounts: get, list, watch, create, update, patch, delete
  • resourcequotas: get, list, watch, create, update, patch, delete
  • limitranges: get, list, watch, create, update, patch, delete

Workloads (apps):

  • deployments: get, list, watch, create, update, patch, delete

RBAC (rbac.authorization.k8s.io):

  • roles: get, list, watch, create, update, patch, delete
  • rolebindings: get, list, watch, create, update, patch, delete

Networking (networking.k8s.io):

  • networkpolicies: get, list, watch, create, update, patch, delete

Policy (policy):

  • poddisruptionbudgets: get, list, watch, create, update, patch, delete

Gateway API (gateway.networking.k8s.io):

  • httproutes: get, list, watch, create, update, patch, delete

Envoy Gateway (gateway.envoyproxy.io) — post-MVP:

  • securitypolicies: get, list, watch, create, update, patch, delete

Coordination (coordination.k8s.io) — for future leader election:

  • leases: get, list, watch, create, update
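
A drift check for the grants listed above, as an added example that is not Shuttle's own code: it compares a ClusterRole's rules against this list and reports verbs or resources that exceed it. The function names and `SAMPLE_RULES` are hypothetical, and the sample rules are constructed for illustration.

```python
"""Drift check: compare a ClusterRole's rules with the documented grants."""
READ = frozenset({"get", "list", "watch"})
FULL = READ | {"create", "update", "patch", "delete"}
CORE_FULL = ["namespaces", "services", "configmaps", "secrets",
             "serviceaccounts", "resourcequotas", "limitranges"]

# (apiGroup, resource) -> verbs, transcribed from the list on this page.
EXPECTED = {("", "pods"): READ, ("", "nodes"): READ,
            **{("", r): FULL for r in CORE_FULL},
            ("apps", "deployments"): FULL,
            ("rbac.authorization.k8s.io", "roles"): FULL,
            ("rbac.authorization.k8s.io", "rolebindings"): FULL,
            ("networking.k8s.io", "networkpolicies"): FULL,
            ("policy", "poddisruptionbudgets"): FULL,
            ("gateway.networking.k8s.io", "httproutes"): FULL,
            ("gateway.envoyproxy.io", "securitypolicies"): FULL,
            ("coordination.k8s.io", "leases"): READ | {"create", "update"}}

def flatten(rules):
    """Expand ClusterRole rules into {(group, resource): set(verbs)}."""
    granted = {}
    for rule in rules:
        for group in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                granted.setdefault((group, res), set()).update(rule.get("verbs", []))
    return granted

def drift(rules):
    """Return (excess, missing) grants relative to EXPECTED."""
    granted = flatten(rules)
    excess, missing = {}, {}
    for key, verbs in granted.items():
        extra = verbs - EXPECTED.get(key, frozenset())
        if extra:
            excess[key] = extra  # "*" wildcards and undocumented resources land here
    for key, verbs in EXPECTED.items():
        lacking = verbs - granted.get(key, set())
        if lacking:
            missing[key] = set(lacking)
    return excess, missing

# Constructed sample, shaped like the "rules" array in the output of
# `kubectl get clusterrole <name> -o json`; the last two rules over-grant.
SAMPLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
     "verbs": ["get", "list", "watch", "create", "update", "delete"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"], "verbs": ["*"]},
]
```

A `*` verb or resource is reported as excess rather than expanded, so the missing list is not meaningful for rules that use wildcards.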

Cross-references

Where this ClusterRole is scaffolded (deploy/rbac.yaml) → §21 · the resources this RBAC lets Shuttle create → §20.2 · Starform-layer (customer) RBAC, distinct from this cluster RBAC → §15.