RBAC Reference

This page documents the Role-Based Access Control (RBAC) permissions that DirectPV requires to operate in your Kubernetes cluster.

Overview

DirectPV automatically creates the following RBAC resources during installation with the Helm chart. Administrators do not need to manually configure these permissions.

Resource	Name	Namespace
ServiceAccount	`directpv-min-io`	`directpv`
ClusterRole	`directpv-min-io`	Cluster-scoped
ClusterRoleBinding	`directpv-min-io`	Cluster-scoped
Role	`directpv-min-io`	`directpv`
RoleBinding	`directpv-min-io`	`directpv`

ClusterRole permissions

The directpv-min-io ClusterRole grants the following permissions:

Core API resources

Resource	Verbs	Purpose
`endpoints`	get, list, watch, create, update, delete	Leader election and service discovery.
`events`	list, watch, create, update, patch	Report events for drives, volumes, and operations.
`nodes`	get, list, watch	Discover cluster nodes for drive management.
`persistentvolumes`	get, list, watch, create, delete, patch	Provision and manage PersistentVolumes.
`persistentvolumeclaims`	get, list, watch, update	Process PVC requests and update status.
`persistentvolumeclaims/status`	patch	Update PVC status during volume operations.
`pods`	get, list, watch	Track pod assignments for volumes.

Policy API resources

Resource	Verbs	Purpose
`podsecuritypolicies`	use	Apply pod security policies (if enabled).

API extensions resources

Resource	Verbs	Purpose
`customresourcedefinitions`	get, list, watch, create, update, delete	Manage DirectPV CRDs.

Coordination API resources

Resource	Verbs	Purpose
`leases`	get, list, watch, update, delete, create	Controller leader election.

DirectPV API resources

Resource	Verbs	Purpose
`directpvdrives`	get, list, watch, create, update, delete	Manage drive resources.
`directpvvolumes`	get, list, watch, create, update, delete	Manage volume resources.
`directpvnodes`	get, list, watch, create, update, delete	Manage node resources.
`directpvinitrequests`	get, list, watch, create, update, delete	Process drive initialization requests.

Snapshot API resources

Resource	Verbs	Purpose
`volumesnapshotcontents`	get, list	Support volume snapshot operations.
`volumesnapshots`	get, list	Support volume snapshot operations.

Storage API resources

Resource	Verbs	Purpose
`csinodes`	get, list, watch	Track CSI node registrations.
`storageclasses`	get, list, watch	Access storage class configurations.
`volumeattachments`	get, list, watch	Track volume attachment status.

Complete permissions table

API Group	Resources	Verbs
(core)	`endpoints`	get, list, watch, create, update, delete
(core)	`events`	list, watch, create, update, patch
(core)	`nodes`	get, list, watch
(core)	`persistentvolumes`	get, list, watch, create, delete, patch
(core)	`persistentvolumeclaims`	get, list, watch, update
(core)	`persistentvolumeclaims/status`	patch
(core)	`pods`	get, list, watch
`policy`	`podsecuritypolicies`	use
`apiextensions.k8s.io`	`customresourcedefinitions`	get, list, watch, create, update, delete, patch
`coordination.k8s.io`	`leases`	get, list, watch, update, delete, create
`directpv.min.io`	`directpvdrives`	get, list, watch, create, update, delete
`directpv.min.io`	`directpvvolumes`	get, list, watch, create, update, delete
`directpv.min.io`	`directpvnodes`	get, list, watch, create, update, delete
`directpv.min.io`	`directpvinitrequests`	get, list, watch, create, update, delete
`snapshot.storage.k8s.io`	`volumesnapshotcontents`	get, list
`snapshot.storage.k8s.io`	`volumesnapshots`	get, list
`storage.k8s.io`	`csinodes`	get, list, watch
`storage.k8s.io`	`storageclasses`	get, list, watch
`storage.k8s.io`	`volumeattachments`	get, list, watch

Security considerations

DirectPV requires the cluster-wide permissions of the resources created during installation to:

Discover and manage drives across all nodes.
Provision PersistentVolumes in response to PVCs from any namespace.
Track pod assignments for volume scheduling.

The permissions are scoped to the minimum required for CSI driver operation. DirectPV does not require permissions to modify secrets, configmaps, or other sensitive resources outside its operational scope.

Installation requirements

The administrator installing DirectPV must have sufficient privileges to create ClusterRoles, ClusterRoleBindings, and other cluster-scoped resources. Once installed, DirectPV operates using its own ServiceAccount with the permissions documented above.