Operate Permissions
Read-only permissions for observing existing customer environments.
Operate needs enough access to list resources and read health. It does not need create, update, delete, secret-read, object-read, queue-read, or database-read permissions.
Kubernetes
The Operator needs read permissions for the selected namespaces and workload types:
- get, list, and watch on workloads and Pods
- read access to metrics APIs when CPU and memory are shown
For namespace-scoped installs, bind those permissions only in the selected namespace. Use cluster-scoped access only when one Operator must observe workloads across namespaces.
When log collection is enabled, Alien uses a Fluent Bit DaemonSet that reads node log files and posts to the Operator's in-cluster service. The Operator does not need pods/log API access for that path.
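The Role and RoleBinding the paragraphs above describe, together with a lint that rejects anything beyond get/list/watch or that reaches Secrets or pods/log. This is an added example, not Alien's shipped manifests: the role and ServiceAccount names (alien-operator-read, alien-operator) and the workload kinds in the default tuple are assumptions; the API groups and verbs are standard Kubernetes RBAC.

```python
"""Added example (not Alien's shipped manifests): build the namespace-scoped read-only
Role the Operator needs, and lint any candidate Role before binding it."""
import json

READ_ONLY_VERBS = {"get", "list", "watch"}
# Resources the page says Operate does not need: secret values and the pods/log API.
EXCLUDED_RESOURCES = {"secrets", "pods/log"}


def operator_role(namespace, workloads=("deployments", "statefulsets", "daemonsets"),
                  cluster_scoped=False):
    """get/list/watch on Pods and the selected workload kinds, plus metrics.k8s.io reads.
    Which workload kinds Alien selects is not stated on the page; the tuple is an assumption."""
    rules = [
        {"apiGroups": [""], "resources": ["pods"], "verbs": sorted(READ_ONLY_VERBS)},
        {"apiGroups": ["apps"], "resources": list(workloads), "verbs": sorted(READ_ONLY_VERBS)},
        # metrics-server serves PodMetrics as resource "pods" in metrics.k8s.io; no watch support.
        {"apiGroups": ["metrics.k8s.io"], "resources": ["pods"], "verbs": ["get", "list"]},
    ]
    metadata = {"name": "alien-operator-read"}
    if not cluster_scoped:          # bind in the selected namespace only
        metadata["namespace"] = namespace
    return {"apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRole" if cluster_scoped else "Role",
            "metadata": metadata, "rules": rules}


def operator_binding(namespace, service_account="alien-operator", cluster_scoped=False):
    """Bind the role to the Operator's ServiceAccount (account name is an assumption)."""
    kind = "ClusterRoleBinding" if cluster_scoped else "RoleBinding"
    metadata = {"name": "alien-operator-read"}
    if not cluster_scoped:
        metadata["namespace"] = namespace
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind, "metadata": metadata,
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole" if cluster_scoped else "Role",
                        "name": "alien-operator-read"},
            "subjects": [{"kind": "ServiceAccount", "name": service_account,
                          "namespace": namespace}]}


def lint_rules(rules):
    """Findings for rules that are not read-only or reach resources the page excludes."""
    findings = []
    for i, rule in enumerate(rules):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in resources or "*" in rule.get("apiGroups", []):
            findings.append(f"rule {i}: wildcard resource or apiGroup")
        for verb in sorted(verbs - READ_ONLY_VERBS):        # a "*" verb lands here too
            findings.append(f"rule {i}: non-read verb {verb!r}")
        for res in sorted(resources & EXCLUDED_RESOURCES):
            findings.append(f"rule {i}: grants access to {res!r}")
    return findings


# Constructed counter-example: the same role plus Secrets, pod logs and exec.
OVERBROAD_RULES = operator_role("payments")["rules"] + [
    {"apiGroups": [""], "resources": ["secrets", "pods/log"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
]

if __name__ == "__main__":
    for obj in (operator_role("payments"), operator_binding("payments")):
        print(json.dumps(obj, indent=2))   # kubectl apply accepts JSON as well as YAML
    print("clean role:", lint_rules(operator_role("payments")["rules"]))
    print("overbroad role:", lint_rules(OVERBROAD_RULES))
```

Pass cluster_scoped=True only for the multi-namespace case the page allows; the lint is the same either way, and because exec requires the create verb, the verb check catches pods/exec without a separate exclusion.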
AWS
Use a dedicated AWS account for Operate when possible. AWS resource discovery uses account-level tagging APIs, which do not support resource-level restrictions and return every tagged resource in the account, so discovery cannot be fully constrained by tag or prefix; the account boundary is the effective scope. Operate does not require object data access to S3, message access to SQS, secret value access, or database reads.
GCP
Scope access to the project that contains the customer's BYOC deployment. Operate uses inventory and monitoring reads. It does not need permissions to read object contents, secret values, Pub/Sub messages, or database rows.
Azure
Scope access to the resource group that contains the deployment. Operate uses Resource Graph and metrics reads. It does not need data-plane permissions for Blob Storage, Key Vault secret values, Service Bus messages, or databases.
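The AWS, GCP and Azure grants described above, each beside a check that it opens none of the data-plane reads the page rules out. This is an added example, not Alien's own policies: the Resource Groups Tagging API (tag:GetResources) is my reading of "account-level tagging APIs", CloudWatch for AWS health and Cloud Asset Inventory for GCP inventory are assumptions, the role names and the Azure scope placeholders are mine, and the denylists contain real provider action names chosen to match the page's exclusions.

```python
"""Added example (not Alien's shipped policies): candidate cloud read-only grants for Operate,
plus a check that none of them opens the data-plane reads the page rules out."""
import fnmatch

# Data-plane reads the page says Operate does not need. Action names are real AWS/GCP
# identifiers; which ones to list here is my choice, not Alien's.
AWS_DATA_PLANE = ["s3:GetObject*", "sqs:ReceiveMessage", "secretsmanager:GetSecretValue",
                  "rds-data:*", "dynamodb:GetItem", "dynamodb:BatchGetItem",
                  "dynamodb:Query", "dynamodb:Scan"]
GCP_DATA_PLANE = {"storage.objects.get", "secretmanager.versions.access",
                  "pubsub.subscriptions.consume", "bigquery.tables.getData",
                  "spanner.databases.select"}

# AWS: tag:GetResources has no resource-level restriction, which is why the page says discovery
# cannot be constrained by tag or prefix. CloudWatch for "read health" is an assumption.
AWS_OPERATE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["tag:GetResources"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricData"],
     "Resource": "*"},
]}

# GCP: custom role granted on the BYOC project only; Cloud Asset Inventory for "inventory"
# is an assumption.
GCP_OPERATE_ROLE = {"title": "Alien Operate Reader", "stage": "GA", "includedPermissions": [
    "cloudasset.assets.searchAllResources", "monitoring.timeSeries.list"]}

# Azure: custom role assignable only to the deployment's resource group. "*/read" (the built-in
# Reader grant) is needed because Resource Graph only returns resources the caller can read.
AZURE_OPERATE_ROLE = {"properties": {
    "roleName": "Alien Operate Reader",
    "assignableScopes": ["/subscriptions/<subscription-id>/resourceGroups/<deployment-rg>"],
    "permissions": [{"actions": ["*/read", "Microsoft.ResourceGraph/resources/read",
                                 "Microsoft.Insights/metrics/read"],
                     "dataActions": []}]}}


def aws_findings(policy):
    """Allowed actions that match, or wildcard over, a data-plane read."""
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for action in actions:
            # match both ways so a grant like "s3:*" is caught by the "s3:GetObject*" pattern
            if action == "*" or any(fnmatch.fnmatchcase(action, p) or fnmatch.fnmatchcase(p, action)
                                    for p in AWS_DATA_PLANE):
                out.append(action)
    return out


def gcp_findings(role):
    """Permissions in a custom role that read object contents, secrets, messages or rows."""
    return [p for p in role["includedPermissions"] if p in GCP_DATA_PLANE]


def azure_findings(role):
    """Any dataAction at all is a finding: Operate is control-plane only on Azure."""
    out = []
    for perm in role["properties"]["permissions"]:
        out += [f"dataAction {d}" for d in perm.get("dataActions", [])]
        out += [f"wildcard action {a}" for a in perm.get("actions", [])
                if a == "*" or a.endswith("/*")]
    return out


# Constructed counter-examples: the same grants with a data-plane read added.
AWS_OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": AWS_OPERATE_POLICY["Statement"] + [
    {"Effect": "Allow", "Action": ["s3:*", "secretsmanager:GetSecretValue"], "Resource": "*"}]}
AZURE_OVERBROAD_ROLE = {"properties": {"permissions": [
    {"actions": ["*/read"],
     "dataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action"]}]}}

if __name__ == "__main__":
    print("aws:", aws_findings(AWS_OPERATE_POLICY), aws_findings(AWS_OVERBROAD_POLICY))
    print("gcp:", gcp_findings(GCP_OPERATE_ROLE))
    print("azure:", azure_findings(AZURE_OPERATE_ROLE), azure_findings(AZURE_OVERBROAD_ROLE))
```

Run the three checks against whatever policy document you are about to attach to the Operate identity; a non-empty result means the grant goes past "list resources and read health" and should be trimmed before it is assigned.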
Revocation
The customer can uninstall the Operator or remove the read-only identity at any time. Alien should show the deployment as disconnected once heartbeats stop.