The Edge Agent requires specific permissions to discover resources and build the graph.

ClusterRole

The agent runs with a ClusterRole that grants read-only access to standard Kubernetes resources:

rules:
  - apiGroups: [""]
    resources:
      - pods
      - services
      - nodes
      - namespaces
      - configmaps
      - secrets
      - persistentvolumeclaims
      - persistentvolumes
    verbs: ["get", "list", "watch"]
  
  - apiGroups: ["apps"]
    resources:
      - deployments
      - replicasets
      - statefulsets
      - daemonsets
    verbs: ["get", "list", "watch"]
    
  - apiGroups: ["networking.k8s.io"]
    resources:
      - ingresses
      - networkpolicies
    verbs: ["get", "list", "watch"]

Why These Permissions?

  • Pods/Nodes: To map IPs to workloads.
  • Services: To identify service endpoints and DNS names.
  • Deployments/StatefulSets: To understand the ownership hierarchy (Pod -> ReplicaSet -> Deployment).
  • Ingresses: To map external entry points.

Least Privilege

The agent is read-only: every rule in the ClusterRole grants only the get, list, and watch verbs. It never modifies your Kubernetes resources. It only reads the state to build the observability graph.
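
The following is an added example, not code from the Edge Agent project. It checks the read-only claim against the rules listed above, reports which granted resources the "Why These Permissions?" list does not mention, and flags that get/list/watch on secrets returns secret contents cluster-wide. The function names and the SENSITIVE set are assumptions of this example.

```python
# Rules transcribed from the ClusterRole shown on this page.
RULES = [
    {"apiGroups": [""], "verbs": ["get", "list", "watch"],
     "resources": ["pods", "services", "nodes", "namespaces", "configmaps",
                   "secrets", "persistentvolumeclaims", "persistentvolumes"]},
    {"apiGroups": ["apps"], "verbs": ["get", "list", "watch"],
     "resources": ["deployments", "replicasets", "statefulsets", "daemonsets"]},
    {"apiGroups": ["networking.k8s.io"], "verbs": ["get", "list", "watch"],
     "resources": ["ingresses", "networkpolicies"]},
]

READ_VERBS = {"get", "list", "watch"}
# Resources named in the page's "Why These Permissions?" list
# (replicasets appears there as part of the ownership hierarchy).
EXPLAINED = {"pods", "nodes", "services", "deployments", "replicasets",
             "statefulsets", "ingresses"}
# Assumption of this example: reading these returns credential material.
SENSITIVE = {("", "secrets")}

def grants(rules):
    """Expand rules into (apiGroup, resource, verb) triples."""
    for rule in rules:
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    yield group, resource, verb

def non_read_grants(rules):
    """Grants that break the read-only claim, including '*' verbs."""
    return sorted(g for g in grants(rules) if g[2] not in READ_VERBS)

def sensitive_reads(rules):
    """Sensitive (group, resource) pairs readable directly or via '*'."""
    return sorted({(sg, sr) for g, r, v in grants(rules) for sg, sr in SENSITIVE
                   if v in READ_VERBS | {"*"} and g in (sg, "*") and r in (sr, "*")})

def unexplained_resources(rules):
    """Granted resources the page's justification list does not mention."""
    return sorted({r for _g, r, _v in grants(rules)} - EXPLAINED)

if __name__ == "__main__":
    print("non-read grants:", non_read_grants(RULES))
    print("sensitive reads:", sensitive_reads(RULES))
    print("unexplained:", unexplained_resources(RULES))
```

Run it against the rules of the ClusterRole actually deployed in your cluster as well, so that any drift from the documented rules (an added verb or a wildcard) shows up in the first list.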