
The Spotinst Controller is a pod that runs inside your Kubernetes cluster and enables the integration with the Spotinst platform. It collects metrics and events and pushes them over a secured link to the Spotinst SaaS platform, where they drive capacity-scaling activities and the additional features of the Spotinst Kubernetes integration.

This page presents the permissions required by the Spotinst Controller. All permissions listed here can be viewed and edited in the controller’s YAML file used in its installation process.

The permissions are divided into 4 sections:

  1. READ-ONLY: Permissions for fetching data. Required for the functional operation of the Ocean/Elastigroup integrations.
  2. NODE/PODS Manipulation: Permissions to update nodes and evict pods. This section is required for draining: marking nodes as "unschedulable" and evicting pods.
  3. Controller Resource Manipulation: Gives the controller permission to update its own deployment and ClusterRole. This is required only for the auto_update feature. You can safely remove this section if you would like to opt out of the controller auto_update feature (to learn more about controller updates, see updating the controller).
  4. Full CRUD for resources: Currently the resources are pods, deployments and daemonsets. This is required for the Run Workloads feature. You can safely remove this section if you would like to opt out of the "Run Workloads" feature.

Below you can see the permissions section of the Spotinst Controller YAML:

```yaml
# ------------------------------------------
# Cluster Role
# ------------------------------------------
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: spotinst-kubernetes-cluster-controller
  namespace: kube-system   # ClusterRole is cluster-scoped; the API server ignores this field
rules:
##### READ-ONLY : REQUIRED FOR FUNCTIONAL OPERATION #####
- apiGroups: [""]
  resources: ["pods", "nodes", "services", "namespaces", "replicationcontrollers", "limitranges", "events", "persistentvolumes", "persistentvolumeclaims"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["deployments", "daemonsets", "statefulsets"]
  verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list"]
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["get", "list"]
- apiGroups: ["extensions"]
  resources: ["replicasets", "daemonsets"]
  verbs: ["get", "list"]
- apiGroups: ["policy"]
  resources: ["poddisruptionbudgets"]
  verbs: ["get", "list"]
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods"]
  verbs: ["get", "list"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["get", "list"]
- nonResourceURLs: ["/version/", "/version"]
  verbs: ["get"]
##### NODE/PODS MANIPULATION : REQUIRED FOR DRAINING & FUNCTIONAL OPERATION #####
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["patch", "update"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["delete"]
- apiGroups: [""]
  resources: ["pods/eviction"]
  verbs: ["create"]
##### CONTROLLER RESOURCE MANIPULATION : REQUIRED FOR AUTO-UPDATE FEATURE #####
# resourceNames restricts these write verbs to the controller's own objects
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  resourceNames: ["spotinst-kubernetes-cluster-controller"]
  verbs: ["patch", "update", "escalate"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  resourceNames: ["spotinst-kubernetes-cluster-controller"]
  verbs: ["patch", "update"]
##### FULL CRUD: REQUIRED FOR SPOTINST-APPLY FEATURE #####
- apiGroups: ["apps"]
  resources: ["deployments", "daemonsets"]
  verbs: ["get", "list", "patch", "update", "create", "delete"]
- apiGroups: ["extensions"]
  resources: ["daemonsets"]
  verbs: ["get", "list", "patch", "update", "create", "delete"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "patch", "update", "create", "delete"]
```
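Because RBAC rules are additive, the verbs the controller ends up with on a resource are the union across every section you keep, which the YAML above does not show at a glance. The following added helper (not part of the controller's own code or installation files) groups the page's rules by the feature that needs them, assembles a rule list for the features you opt into, and reports the effective per-resource verbs and any rule that can widen the controller's own authorization; the section names and the feature-to-rule mapping are this example's assumptions, taken from the section headings above.

```python
# Least-privilege helper for the controller ClusterRole: rules are transcribed from
# the page and keyed by the feature that requires them (assumed mapping, per the headings).
from collections import defaultdict

RO = ["get", "list"]
CRUD = RO + ["patch", "update", "create", "delete"]
SELF = ["spotinst-kubernetes-cluster-controller"]

SECTIONS = {
    "read-only": [  # always required
        {"apiGroups": [""], "verbs": RO, "resources": [
            "pods", "nodes", "services", "namespaces", "replicationcontrollers",
            "limitranges", "events", "persistentvolumes", "persistentvolumeclaims"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets", "statefulsets"], "verbs": RO},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": RO},
        {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": RO},
        {"apiGroups": ["extensions"], "resources": ["replicasets", "daemonsets"], "verbs": RO},
        {"apiGroups": ["policy"], "resources": ["poddisruptionbudgets"], "verbs": RO},
        {"apiGroups": ["metrics.k8s.io"], "resources": ["pods"], "verbs": RO},
        {"apiGroups": ["autoscaling"], "resources": ["horizontalpodautoscalers"], "verbs": RO},
        {"nonResourceURLs": ["/version/", "/version"], "verbs": ["get"]},
    ],
    "drain": [  # always required: cordon nodes and evict pods
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["patch", "update"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["delete"]},
        {"apiGroups": [""], "resources": ["pods/eviction"], "verbs": ["create"]},
    ],
    "auto-update": [  # optional: controller edits its own ClusterRole and Deployment
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
         "resourceNames": SELF, "verbs": ["patch", "update", "escalate"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "resourceNames": SELF,
         "verbs": ["patch", "update"]},
    ],
    "run-workloads": [  # optional: full CRUD on workload objects
        {"apiGroups": ["apps"], "resources": ["deployments", "daemonsets"], "verbs": CRUD},
        {"apiGroups": ["extensions"], "resources": ["daemonsets"], "verbs": CRUD},
        {"apiGroups": [""], "resources": ["pods"], "verbs": CRUD},
    ],
}

def build_rules(features):
    """Rules for the mandatory sections plus the optional features requested."""
    wanted = {"read-only", "drain"} | set(features)
    return [r for name, rules in SECTIONS.items() if name in wanted for r in rules]

def effective_verbs(rules):
    """Union of verbs per (apiGroup, resource): overlapping rules merge, never restrict."""
    eff = defaultdict(set)
    for r in rules:
        for g in r.get("apiGroups", []):
            for res in r.get("resources", []):
                eff[(g, res)].update(r["verbs"])
    return dict(eff)

def escalation_risks(rules):
    """Rules whose verbs let the subject widen its own authorization."""
    return [r for r in rules if {"escalate", "bind", "impersonate", "*"} & set(r["verbs"])]
```

After applying a pruned role, confirm the result on the live cluster with `kubectl auth can-i --list --as=system:serviceaccount:kube-system:<controller-service-account>` (the service account name is a placeholder; take it from your installation YAML).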