# Permissions

The controller operates with a tiered permission model. Some permissions are always active (the controller needs them to do its job), and others are on-demand - you control whether they're enabled.

## Permission Tiers

### Always Active

These permissions are required for the controller to function:

| Tier             | What It Does                                                   | Why It's Needed                                                      |
| ---------------- | -------------------------------------------------------------- | -------------------------------------------------------------------- |
| **Steady-state** | Monitors the application's health, reads pod status and events | The controller needs to know if the application is running correctly |
| **Install**      | Creates and updates infrastructure resources                   | Required for initial deployment and upgrades                         |
| **Deploy**       | Creates and modifies application workloads                     | Required to deploy new versions of the application                   |

### On-Demand (You Control These)

These permissions enable troubleshooting and operational support. They are off by default and can be enabled or disabled at any time:

| Tier                      | What It Does                                     | When You'd Enable It                                           |
| ------------------------- | ------------------------------------------------ | -------------------------------------------------------------- |
| **Read-only operations**  | View logs, describe resources, check events      | When we need to diagnose an issue without making changes       |
| **Read-write operations** | Restart pods, apply patches                      | When we need to remediate an issue (e.g., restart a stuck pod) |
| **Admin operations**      | Execute commands inside containers, port-forward | For deep troubleshooting of complex issues                     |

## What the Controller Cannot Do

Regardless of which permission tiers are enabled:

* **Cannot access resources outside the deployment** - The controller is scoped to the cluster dedicated to this deployment
* **Cannot read your secrets** - The controller can detect whether required secrets exist, but cannot read their values from outside its scope
* **Cannot access your cloud account beyond the deployment** - IAM roles (AWS) or service accounts (Kubernetes) are scoped to the specific resources the deployment manages

## Implementation Details

<Tabs>
  <Tab title="Kubernetes">
    Each permission tier corresponds to:

    * A **ClusterRole** - defines what actions are allowed on what resources
    * A **ClusterRoleBinding** - grants those permissions to a service account
    * A **ServiceAccount** - the identity the controller uses

    This gives the controller cluster-wide visibility, which is appropriate because the entire cluster is dedicated to this deployment.
  </Tab>

  <Tab title="AWS">
    The controller's EC2 instance runs with an IAM instance profile. The attached IAM role grants:

    * Access to the S3 bucket used for deployment state
    * Permissions to manage the specific resources the deployment created
    * No access to resources outside the deployment's scope
  </Tab>
</Tabs>

## Viewing Current Permissions

<Tabs>
  <Tab title="Kubernetes">
    List the active cluster role bindings together with the service accounts they bind (`-o wide` adds the SERVICEACCOUNTS column, so filtering on the namespace matches the controller's `<namespace>/<serviceaccount>` subject rather than only binding names that happen to contain it):

    ```bash theme={null}
    kubectl get clusterrolebindings -o wide | grep <namespace>
    ```
    ```
  </Tab>

  <Tab title="AWS">
    View the IAM role attached to the controller instance:

    ```bash theme={null}
    aws iam get-role --role-name <controller-role-name>
    aws iam list-attached-role-policies --role-name <controller-role-name>
    ```
  </Tab>
</Tabs>
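To check which on-demand tier each ClusterRole in the cluster actually reaches, and that none of them grants reads on Secret values, here is an added audit example. It is not Tensor9's code; the role names and the JSON sample (shaped like `kubectl get clusterroles -o json`) are constructed, and the tier mapping follows the tables above.

```python
import json

# Tier rank used to report the most privileged tier a ClusterRole reaches.
TIER_RANK = {"read-only": 0, "read-write": 1, "admin": 2}
READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Subresources that allow running commands in or tunnelling into a container.
ADMIN_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}

# Constructed sample shaped like `kubectl get clusterroles -o json`, trimmed to
# the fields this check reads. Role names are hypothetical, not Tensor9's.
SAMPLE_CLUSTERROLES = json.dumps({"items": [
    {"metadata": {"name": "ctrl-steady-state"}, "rules": [
        {"apiGroups": [""], "resources": ["pods", "events"], "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "ctrl-read-write-ops"}, "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["delete"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["patch"]}]},
    {"metadata": {"name": "ctrl-admin-ops"}, "rules": [
        {"apiGroups": [""], "resources": ["pods/exec", "pods/portforward"], "verbs": ["create"]}]},
]})

def classify_rule(rule):
    """Map one RBAC rule to the page's on-demand tiers: read-only, read-write or admin."""
    resources, verbs = set(rule.get("resources", [])), set(rule.get("verbs", []))
    if "*" in verbs or "*" in resources or resources & ADMIN_SUBRESOURCES:
        return "admin"          # wildcards and container access are the admin tier
    if verbs & WRITE_VERBS:
        return "read-write"     # mutating verbs (restart pods, apply patches)
    if verbs <= READ_VERBS:
        return "read-only"      # view logs, describe resources, check events
    return "admin"              # anything else (impersonate, escalate, bind) is privileged

def grants_secret_reads(rules):
    """True if any rule lets the holder read Secret values, which no tier should."""
    return any(set(r.get("resources", [])) & {"secrets", "*"}
               and set(r.get("verbs", [])) & (READ_VERBS | {"*"})
               for r in rules)

def audit_clusterroles(json_text):
    """Return {role name: {"tier": highest tier reached, "reads_secrets": bool}}."""
    report = {}
    for item in json.loads(json_text)["items"]:
        rules = item.get("rules", [])
        tiers = [classify_rule(r) for r in rules]
        report[item["metadata"]["name"]] = {
            "tier": max(tiers, key=TIER_RANK.__getitem__, default="none"),
            "reads_secrets": grants_secret_reads(rules),
        }
    return report
```

Feed it the real output of `kubectl get clusterroles -o json` (filtered to the controller's roles) to compare what is granted against the tiers you expect to be enabled.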

## Related

* [Revoking Access](/customer/security/revoking-access) - How to disable specific permission tiers
* [Security Model](/customer/security/security-model) - The overall security architecture
