Skip to main content

Kubernetes Permissions

This section documents the different components of the Signadot Operator with a description of their functionality and usage of permissions that they request.

The roles specified below are cluster-wide unless stated otherwise. Sandboxes can be created to test different versions of Kubernetes workloads that are running in different namespaces within a Kubernetes cluster. When a Sandbox is created, it forks a specified "baseline" workload and creates a modified version for testing in the same namespace. This is required to ensure that it can function correctly by attaching the same secrets and configmaps as the baseline workload.


The Agent component connects to the Signadot control plane and is responsible for creating an encrypted tunnel between the control plane and your cluster. It enables the creation and management of Sandboxes.

SignadotSandboxes SignadotRouteGroups Resources SignadotExternalWorkloads SignadotObjectLifecycleMethods SignadotRoutes ForkedWorkloads RoutingConfigs IstioRoutesread / writeUsed to declaratively specify Signadot Sandboxes (with their attached Resources) and the Routing for those Sandboxes.
Pods Pods/log ServicesreadMonitoring and reporting status of pods / services that belong within a Sandbox.
ConfigMapsreadUsed to enable users to read ConfigMaps associated with workloads running within a Sandbox via the Signadot Dashboard.
NamespacesreadUsed to obtain a list of namespaces to present options when creating Sandboxes via the Dashboard.
Eventsread / writeUsed to create Kubernetes events for reporting status from the Signadot operator.
Deployments Replicasets Argo RolloutsreadReporting runtime information of workloads running within each Sandbox.

Route Server

The Route Server component is responsible for serving specific routes corresponding to a particular Sandbox. These routes ensure that requests intended for a particular Sandbox reach it correctly.

RoutingConfigreadThe route server reads from instances of the RoutingConfig CRD to determine valid Sandbox routes.

Tunnel API

The Tunnel API component provides a GRPC service for coordinating workstation interactions with the cluster.

ServicesreadThe Tunnel API reads services to provide network information to connected workstations
ConfigMapsreadThe Tunnel API reads ConfigMaps in the signadot namespace for accessing its configuration
SignadotSandboxesreadThe Tunnel API reads SignadotSandboxes to coordinate interactions with connected workstations

Tunnel Proxy

The Tunnel Proxy component provides a SOCKS5 proxy for connected workstations to access networking from within the cluster. It also manages tunnels carrying traffic from the cluster to workstations, so that workstations receive requests associated with a Sandbox.

SignadotExternalWorkloadsread/writeThe tunnel proxy has read/write access to SignadotExternalWorkloads (which are namespaced) in order to coordinate tunnel connections with workstations.

Controller Manager

The Controller Manager component is responsible for setting up all resources associated with a Sandbox. This includes forking a workload (Deployment, Argo Rollout, etc), setting up a SignadotRoute, a Kubernetes service and running any additional provisioning logic required per Sandbox.

SignadotSandboxes SignadotRouteGroups Resources SignadotExternalWorkloads SignadotObjectLifecycleMethods SignadotRoutes ForkedWorkloads RoutingConfigs IstioRoutesread / writeCRD objects created and managed by Signadot that contain declarative specifications of Sandboxes, Routes and Resources associated with them.
Deployments Replicasets Argo Rollouts Istio Virtualservices Jobs ConfigMaps Servicesread / writeUsed to create and manage workloads associated with Sandboxes. Note that resources not associated with a Sandbox are never modified by the controller-manager.
Signadot Mutating Webhook Configurationread / writeUsed to manage the Signadot mutating webhook that is used to dynamically inject DevMesh sidecars to enable request routing.

IO Context Server

The IO Context Server component is responsible for storing and serving intermediate results produced by the execution of the creation and deletion steps of Resources.

Secretsread / writeThe IO context server will read and write secrets within the signadot namespace