The controller operates with a tiered permission model. Some permissions are always active (the controller needs them to do its job), and others are on-demand - you control whether they’re enabled.Documentation Index
Fetch the complete documentation index at: https://docs.tensor9.com/llms.txt
Use this file to discover all available pages before exploring further.
Permission Tiers
Always Active
These permissions are required for the controller to function:| Tier | What It Does | Why It’s Needed |
|---|---|---|
| Steady-state | Monitors the application’s health, reads pod status and events | The controller needs to know if the application is running correctly |
| Install | Creates and updates infrastructure resources | Required for initial deployment and upgrades |
| Deploy | Creates and modifies application workloads | Required to deploy new versions of the application |
On-Demand (You Control These)
These permissions enable troubleshooting and operational support. They are off by default and can be enabled or disabled at any time:| Tier | What It Does | When You’d Enable It |
|---|---|---|
| Read-only operations | View logs, describe resources, check events | When we need to diagnose an issue without making changes |
| Read-write operations | Restart pods, apply patches | When we need to remediate an issue (e.g., restart a stuck pod) |
| Admin operations | Execute commands inside containers, port-forward | For deep troubleshooting of complex issues |
What the Controller Cannot Do
Regardless of which permission tiers are enabled:- Cannot access resources outside the deployment - The controller is scoped to the cluster dedicated to this deployment
- Cannot read your secrets - The controller can detect whether required secrets exist, but cannot read their values from outside its scope
- Cannot access your cloud account beyond the deployment - IAM roles (AWS) or service accounts (Kubernetes) are scoped to the specific resources the deployment manages
Implementation Details
- Kubernetes
- AWS
Each permission tier corresponds to:
- A ClusterRole - defines what actions are allowed on what resources
- A ClusterRoleBinding - grants those permissions to a service account
- A ServiceAccount - the identity the controller uses
Viewing Current Permissions
- Kubernetes
- AWS
List the active cluster role bindings:
Related
- Revoking Access - How to disable specific permission tiers
- Security Model - The overall security architecture