Operate Permissions

Read-only permissions for observing existing customer environments.

Operate needs enough access to list resources and read health. It does not need create, update, delete, secret-read, object-read, queue-read, or database-read permissions.

Kubernetes

The Operator needs read permissions for the selected namespaces and workload types:

  • get, list, and watch on workloads and Pods
  • read access to metrics APIs when CPU and memory are shown

For namespace-scoped installs, bind those permissions only in the selected namespace. Use cluster-scoped access only when one Operator must observe workloads across namespaces.

When log collection is enabled, Alien uses a Fluent Bit DaemonSet that reads node log files and posts to the Operator's in-cluster service. The Operator does not need pods/log API access for that path.
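The following is an added example, not part of this page or Alien's shipped manifests. It sketches what the read-only binding above looks like as a namespace-scoped Role and then audits it for the things an observe-only identity must not hold: verbs beyond get/list/watch, wildcards, secrets, and the pods/log and pods/exec subresources. The namespace name, the Role name, and the exact resource allow-list are this example's assumptions.

```python
"""Least-privilege audit for an Operator read-only Role (added example, not Alien's code)."""
import json

# The only verbs an observe-only identity should carry.
READ_VERBS = {"get", "list", "watch"}

# Assumed allow-list of what the Operator reads, keyed by API group ("" = core).
ALLOWED_RESOURCES = {
    "": {"pods", "services", "endpoints"},
    "apps": {"deployments", "statefulsets", "daemonsets", "replicasets"},
    "batch": {"jobs", "cronjobs"},
    "metrics.k8s.io": {"pods", "nodes"},   # CPU/memory via the metrics API
}

# Never granted to an observe-only identity, whatever the verb.
DENIED_RESOURCES = {"secrets", "pods/log", "pods/exec", "pods/portforward"}

# Constructed manifest: a namespace-scoped Role in an assumed namespace "customer-app".
OPERATOR_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "alien-operate-read", "namespace": "customer-app"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"],
         "resources": ["deployments", "statefulsets", "daemonsets", "replicasets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["metrics.k8s.io"], "resources": ["pods"], "verbs": ["get", "list"]},
    ],
}

# Constructed counter-example: a rule that quietly turns "observe" into "read secrets and delete pods".
OVERBROAD_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "secrets"],
     "verbs": ["get", "list", "watch", "delete"]},
]


def audit_rules(rules):
    """Return human-readable findings for a list of PolicyRules; empty means read-only within the allow-list."""
    findings = []
    for i, rule in enumerate(rules):
        verbs = set(rule.get("verbs", []))
        groups = rule.get("apiGroups", [""])
        resources = rule.get("resources", [])
        if "*" in verbs or "*" in resources or "*" in groups:
            findings.append(f"rule {i}: wildcard grant")
        extra = verbs - READ_VERBS
        if extra:
            findings.append(f"rule {i}: non-read verbs {sorted(extra)}")
        for group in groups:
            for resource in resources:
                if resource in DENIED_RESOURCES:
                    findings.append(f"rule {i}: {resource} must not be granted")
                elif resource != "*" and resource not in ALLOWED_RESOURCES.get(group, set()):
                    findings.append(f"rule {i}: {group or 'core'}/{resource} outside allow-list")
    return findings


def audit_manifest(manifest, selected_namespaces):
    """Check scope (Role in a selected namespace, no ClusterRole for a single namespace) plus the rules."""
    findings = []
    kind = manifest.get("kind")
    namespace = manifest.get("metadata", {}).get("namespace")
    if kind == "Role" and namespace not in selected_namespaces:
        findings.append(f"Role lives in {namespace!r}, which is not a selected namespace")
    if kind == "ClusterRole" and len(selected_namespaces) == 1:
        findings.append("ClusterRole used where a single-namespace Role would do")
    findings.extend(audit_rules(manifest.get("rules", [])))
    return findings


def render_manifest(manifest):
    """JSON is a YAML subset, so this output can be applied with kubectl directly."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    print(render_manifest(OPERATOR_ROLE))
    print("operator role findings:", audit_manifest(OPERATOR_ROLE, {"customer-app"}))
    print("over-broad findings:", audit_rules(OVERBROAD_RULES))
```

Running it prints the manifest and an empty findings list for the read-only Role, and three findings for the over-broad rule (the delete verb, pods/log, and secrets). The same audit can be pointed at a ClusterRole when cross-namespace observation is genuinely required; it will still reject anything outside get/list/watch.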

AWS

Use a dedicated account for Operate when possible. AWS resource discovery uses account-level tagging APIs, so discovery cannot be fully constrained by tag or prefix. Operate does not require object data access to S3, message access to SQS, secret value access, or database reads.
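As an added example (not Alien's own policy), the block below writes the AWS side of the statement above as an IAM policy: account-level discovery through the tagging API and metrics reads, with an explicit Deny on the data-plane actions the page rules out. It then audits the policy the way a reviewer would, flagging wildcard or non-read actions and any Allow whose pattern would cover an object, message, secret, parameter, or database read. The specific action list is this example's assumption about what discovery and health need; the audit logic is the reusable part.

```python
"""IAM least-privilege audit for an observe-only identity (added example, not Alien's code)."""
import fnmatch
import re

# Read-only AWS API calls are named Describe*/List*/Get*; anything else is treated as a write.
READ_ONLY_ACTION = re.compile(r"^[A-Za-z0-9-]+:(Describe|List|Get)")

# Assumed set of data-plane reads an observe-only identity must never be granted,
# one representative per service named on the page (S3, SQS, secrets, parameters, databases).
DATA_PLANE_ACTIONS = {
    "s3:GetObject",
    "sqs:ReceiveMessage",
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter",
    "dynamodb:GetItem",
    "rds-data:ExecuteStatement",
}

# Constructed policy for a dedicated Operate account. Discovery uses the tagging API,
# which is account-wide, so Resource is "*" and scoping happens at the account boundary.
OPERATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Discover", "Effect": "Allow", "Resource": "*",
         "Action": ["tag:GetResources", "ec2:Describe*", "eks:ListClusters", "eks:DescribeCluster",
                    "rds:DescribeDBInstances", "elasticloadbalancing:Describe*",
                    "sqs:GetQueueAttributes", "s3:ListAllMyBuckets", "s3:GetBucketTagging"]},
        {"Sid": "Health", "Effect": "Allow", "Resource": "*",
         "Action": ["cloudwatch:GetMetricData", "cloudwatch:ListMetrics", "cloudwatch:DescribeAlarms"]},
        # Explicit Deny wins over any Allow, so a later over-broad grant cannot reopen these.
        {"Sid": "NoDataPlane", "Effect": "Deny", "Resource": "*",
         "Action": ["s3:GetObject", "sqs:ReceiveMessage", "secretsmanager:GetSecretValue",
                    "ssm:GetParameter", "rds-data:*"]},
    ],
}

# Constructed counter-example: "read-only" in name, data-plane in effect.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Resource": "*",
         "Action": ["s3:Get*", "secretsmanager:GetSecretValue", "sqs:*"]},
    ],
}


def _as_list(value):
    """IAM allows Action to be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy):
    """Return findings for every Allow action that is not a pure read or that covers a data-plane call."""
    statements = policy["Statement"]
    deny_patterns = [a for s in statements if s["Effect"] == "Deny" for a in _as_list(s["Action"])]
    findings = []
    for stmt in statements:
        if stmt["Effect"] != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        for action in _as_list(stmt["Action"]):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
                continue
            if not READ_ONLY_ACTION.match(action):
                findings.append(f"{sid}: non-read action {action}")
            # The Allow is a glob; see which data-plane calls it would cover unless a Deny blocks them.
            covered = sorted(
                d for d in DATA_PLANE_ACTIONS
                if fnmatch.fnmatchcase(d, action)
                and not any(fnmatch.fnmatchcase(d, p) for p in deny_patterns)
            )
            if covered:
                findings.append(f"{sid}: {action} grants data-plane access {covered}")
    return findings


if __name__ == "__main__":
    print("operate policy findings:", audit_policy(OPERATE_POLICY))
    print("over-broad policy findings:", audit_policy(OVERBROAD_POLICY))
```

The over-broad policy produces three findings: `s3:Get*` silently covers `s3:GetObject`, `secretsmanager:GetSecretValue` is a data-plane read even though it starts with Get, and `sqs:*` is a wildcard. The Operate policy produces none, and its Deny statement keeps that true even if someone later appends a wider Allow.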

GCP

Scope access to the project that contains the customer's BYOC deployment. Operate uses inventory and monitoring reads. It does not need permissions to read object contents, secret values, Pub/Sub messages, or database rows.

Azure

Scope access to the resource group that contains the deployment. Operate uses Resource Graph and metrics reads. It does not need data-plane permissions for Blob Storage, Key Vault secret values, Service Bus messages, or databases.

Revocation

The customer can uninstall the Operator or remove the read-only identity at any time. Alien should show the deployment as disconnected once heartbeats stop.