Permissions required

These RBAC permissions are mandatory for the installation of the ARMO chart.

Cluster roles

Name	apiGroups	Resources	Verbs
kubescape		"pods", "pods/proxy", "namespaces", "secrets", "nodes", "configmaps", "services", "serviceaccounts", "endpoints", "persistentvolumeclaims", "limitranges", "replicationcontrollers", "podtemplates", "resourcequotas", "events"	- get - watch - list
		"namespaces"	- update
	admissionregistration.k8s.io	"mutatingwebhookconfigurations", "validatingwebhookconfigurations"	- get - watch - list
	apiregistration.k8s.io	"apiservices"	- get - watch - list
	apps	"deployments", "statefulsets", "daemonsets", "replicasets", "controllerrevisions"	- get - watch - list
	autoscaling	"horizontalpodautoscalers"	- get - watch - list
	batch	"jobs", "cronjobs"	- get - watch - list
	coordination.k8s.io	"leases"	- get - watch - list
	discovery.k8s.io	"endpointslices"	- get - watch - list
	events.k8s.io	"events"	- get - watch - list
	hostdata.kubescape.cloud	"APIServerInfo", "ControlPlaneInfo"	- get - watch - list
	networking.k8s.io	"networkpolicies", "Ingress"	- get - watch - list
	policy	"poddisruptionbudgets", "podsecuritypolicies", "PodSecurityPolicy"	- get - watch - list
	rbac.authorization.k8s.io	"clusterroles", "clusterrolebindings", "roles", "rolebindings"	- get - watch - list
	storage.k8s.io	"csistoragecapacities"	- get - watch - list
	networking.k8s.io	"ingresses"	- get - watch - list
	extensions	"Ingress"	- get - watch - list
	spdx.softwarecomposition.kubescape.io	"workloadconfigurationscans", "workloadconfigurationscansummaries"	- create - update - patch
kubevuln	spdx.softwarecomposition.kubescape.io	"vulnerabilitymanifests", "vulnerabilitymanifestsummaries", "sbomsummaries", "sbomspdxv2p3s"	- create - get - update - watch - list - patch
	spdx.softwarecomposition.kubescape.io	"sbomspdxv2p3filtereds"	- get - watch - list
node-agent		"pods", "nodes"	- get - watch - list
		"events"	- list - watch - create
	apps	"deployments", "daemonsets", "statefulsets", "replicasets"	- get - watch - list
	batch	"jobs", "cronjobs"	- get - watch - list
	spdx.softwarecomposition.kubescape.io	"sbomspdxv2p3s", "sbomsummaries"	- get - watch - list
	spdx.softwarecomposition.kubescape.io	"sbomspdxv2p3filtereds", "applicationactivities", "applicationprofiles", "applicationprofilesummaries"	- create - get - update - watch - list - patch
operator		"pods", "nodes", "namespaces", "configmaps", "secrets"	- get - watch - list
	apps	"deployments", "daemonsets", "statefulsets", "replicasets"	- get - watch - list
	batch	"jobs", "cronjobs"	- get - watch - list
	spdx.softwarecomposition.kubescape.io	"sbomspdxv2p3s", "sbomspdxv2p3filtereds", "vulnerabilitymanifests", "sbomsummaries", "vulnerabilitymanifestsummaries", "workloadconfigurationscans", "workloadconfigurationscansummaries"	- get - watch - list - delete
storage		namespaces	- get - watch - list
	admissionregistration.k8s.io	"mutatingwebhookconfigurations", "validatingwebhookconfigurations"	- get - watch - list
	flowcontrol.apiserver.k8s.io	"prioritylevelconfigurations", "flowschemas"	- get - watch - list

Cluster Role Bindings

Name	roleRef (kind/name)	Subjects (kind/namespace/name)
kubescape	ClusterRole/kubescape	ServiceAccount/kubescape/kubescape
kubevuln	ClusterRole/kubevuln	ServiceAccount/kubescape/kubevuln
node-agent	ClusterRole/node-agent	ServiceAccount/kubescape/node-agent
operator	ClusterRole/operator	ServiceAccount/kubescape/operator
storage	ClusterRole/storage system:auth-delegator	ServiceAccount/kubescape/storage

Roles

Name	apiGroups	Resources	Verbs
kubescape	apps	daemonsets	- create - get - update - watch - list - patch - delete
operator		"configmaps", "secrets"	- create - get - update - watch - list - patch - delete
	batch	"cronjobs"	- create - get - update - watch - list - patch - delete

Role Bindings

Name	roleRef (kind/name)	Subjects (kind/namespace/name)
kubescape	Role/kubescape	ServiceAccount/kubescape/kubescape
operator	Role/operator	ServiceAccount/kubescape/operator