copyright

lastupdated

keywords

subcollection

years
2014, 2019

2019-07-26

kubernetes, iks

containers

{:new_window: target="blank"} {:shortdesc: .shortdesc} {:screen: .screen} {:pre: .pre} {:table: .aria-labeledby="caption"} {:codeblock: .codeblock} {:tip: .tip} {:note: .note} {:important: .important} {:deprecated: .deprecated} {:download: .download} {:preview: .preview}

User access permissions

{: #access_reference}

When you assign cluster permissions, it can be hard to judge which role you need to assign to a user. Use the tables in the following sections to determine the minimum level of permissions that are required to perform common tasks in {{site.data.keyword.containerlong}}. {: shortdesc}

{{site.data.keyword.cloud_notm}} IAM platform roles

{: #iam_platform}

{{site.data.keyword.containerlong_notm}} is configured to use {{site.data.keyword.cloud_notm}} Identity and Access Management (IAM) roles. {{site.data.keyword.cloud_notm}} IAM platform roles determine the actions that users can perform on {{site.data.keyword.cloud_notm}} resources such as clusters, worker nodes, and Ingress application load balancers (ALBs). {{site.data.keyword.cloud_notm}} IAM platform roles also automatically set basic infrastructure permissions for users. To set platform roles, see Assigning {{site.data.keyword.cloud_notm}} IAM platform permissions. {: shortdesc}

Do not assign {{site.data.keyword.cloud_notm}} IAM platform roles at the same time as a service role. You must assign platform and service roles separately.

In each of the following sections, the tables show cluster management, logging, and Ingress permissions granted by each {{site.data.keyword.cloud_notm}} IAM platform role. The tables are organized alphabetically by CLI command name.

Actions requiring no permissions
Viewer actions
Editor actions
Operator actions
Administrator actions

Actions requiring no permissions

{: #none-actions}

Any user in your account who runs the CLI command or makes the API call for the action in the following table sees the result, even if the user has no assigned permissions. {: shortdesc}

Overview of CLI commands and API calls that require no permissions in {{site.data.keyword.containerlong_notm}}

Action	CLI command	API call
View a list of supported versions for managed add-ons in {{site.data.keyword.containerlong_notm}}.	`[ibmcloud ks addon-versions](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_addon_versions)`	`[GET /v1/addon](https://containers.cloud.ibm.com/global/swagger-global-api/#/util/GetAddons)`
Target or view the API endpoint for {{site.data.keyword.containerlong_notm}}.	`[ibmcloud ks api](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cli_api)`	-
View a list of supported commands and parameters.	`[ibmcloud ks help](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_help)`	-
Initialize the {{site.data.keyword.containerlong_notm}} plug-in or specify the region where you want to create or access Kubernetes clusters.	`[ibmcloud ks init](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_init)`	-
Deprecated: View a list of Kubernetes versions supported in {{site.data.keyword.containerlong_notm}}.	`[ibmcloud ks kube-versions](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_kube_versions)`	`[GET /v1/kube-versions](https://containers.cloud.ibm.com/global/swagger-global-api/#/util/GetKubeVersions)`
View a list of available machine types for your worker nodes.	`[ibmcloud ks machine-types](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_machine_types)`	`[GET /v1/datacenters/{datacenter}/machine-types](https://containers.cloud.ibm.com/global/swagger-global-api/#/util/GetDatacenterMachineTypes)`
View current messages for the IBMid user.	`[ibmcloud ks messages](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_messages)`	`[GET /v1/messages](https://containers.cloud.ibm.com/global/swagger-global-api/#/util/GetMessages)`
Deprecated: Find the {{site.data.keyword.containerlong_notm}} region that you are currently in.	`[ibmcloud ks region](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_region)`	-
Deprecated: Set the region for {{site.data.keyword.containerlong_notm}}.	`[ibmcloud ks region-set](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_region-set)`	-
Deprecated: List the available regions.	`[ibmcloud ks regions](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_regions)`	`[GET /v1/regions](https://containers.cloud.ibm.com/global/swagger-global-api/#/util/GetRegions)`
View a list of supported locations in {{site.data.keyword.containerlong_notm}}.	`[ibmcloud ks supported-locations](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_supported-locations)`	`[GET /v1/locations](https://containers.cloud.ibm.com/global/swagger-global-api/#/util/ListLocations)`
View a list of supported versions in {{site.data.keyword.containerlong_notm}}.	`[ibmcloud ks versions](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_versions_command)`	-
View a list of available zones that you can create a cluster in.	`[ibmcloud ks zones](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_datacenters)`	`[GET /v1/zones](https://containers.cloud.ibm.com/global/swagger-global-api/#/util/GetZones)`

Viewer actions

{: #view-actions}

The Viewer platform role includes the actions that require no permissions, plus the permissions that are shown in the following table. With the Viewer role, users such as auditors or billing can see cluster details but not modify the infrastructure. {: shortdesc}

Overview of CLI commands and API calls that require the Viewer platform role in {{site.data.keyword.containerlong_notm}}

Action	CLI command	API call
View information for an Ingress ALB.	`[ibmcloud ks alb-get](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_alb_get)`	`[GET /albs/{albId}](https://containers.cloud.ibm.com/global/swagger-global-api/#/alb/GetClusterALB)`
View ALB types that are supported in the region.	`[ibmcloud ks alb-types](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_alb_types)`	`[GET /albtypes](https://containers.cloud.ibm.com/global/swagger-global-api/#/util/GetAvailableALBTypes)`
List all Ingress ALBs in a cluster.	`[ibmcloud ks albs](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_albs)`	`[GET /clusters/{idOrName}](https://containers.cloud.ibm.com/global/swagger-global-api/#/alb/GetClusterALBs)`
View the name and email address for the owner of the {{site.data.keyword.cloud_notm}} IAM API key for a resource group and region.	`[ibmcloud ks api-key-info](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_api_key_info)`	`[GET /v1/logging/{idOrName}/clusterkeyowner](https://containers.cloud.ibm.com/global/swagger-global-api/#/logging/GetClusterKeyOwner)`
Download Kubernetes configuration data and certificates to connect to your cluster and run `kubectl` commands.	`[ibmcloud ks cluster-config](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_config)`	`[GET /v1/clusters/{idOrName}/config](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/GetClusterConfig)`
View information for a cluster.	`[ibmcloud ks cluster-get](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_get)`	`[GET /v1/clusters/{idOrName}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/GetCluster)`
List all services in all namespaces that are bound to a cluster.	`[ibmcloud ks cluster-services](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_services)`	`[GET /v1/clusters/{idOrName}/services](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/ListServicesForAllNamespaces)`
List all clusters.	`[ibmcloud ks clusters](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_clusters)`	`[GET /v1/clusters](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/GetClusters)`
Get the infrastructure credentials that are set for the {{site.data.keyword.cloud_notm}} account to access a different IBM Cloud infrastructure portfolio.	`[ibmcloud ks credential-get](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_credential_get)`	`[GET /v1/credentials](https://containers.cloud.ibm.com/global/swagger-global-api/#/accounts/GetUserCredentials)`
Check whether the credentials that allow access to the IBM Cloud infrastructure portfolio for the targeted region and resource group are missing suggested or required infrastructure permissions.	`[ibmcloud ks infra-permissions-get](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#infra_permissions_get)`	`[GET /v1/infra-permissions](https://containers.cloud.ibm.com/global/swagger-global-api/#/accounts/GetInfraPermissions)`
View the status for automatic updates of the Fluentd add-on.	`[ibmcloud ks logging-autoupdate-get](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_log_autoupdate_get)`	`[GET /v1/logging/{idOrName}/updatepolicy](https://containers.cloud.ibm.com/global/swagger-global-api/#/logging/GetUpdatePolicy)`
View the default logging endpoint for the targeted region.	-	`[GET /v1/logging/{idOrName}/default](https://containers.cloud.ibm.com/global/swagger-global-api/#/logging/GetDefaultLoggingEndpoint)`
List all log forwarding configurations in the cluster or for a specific log source in the cluster.	`[ibmcloud ks logging-config-get](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_logging_get)`	`[GET /v1/logging/{idOrName}/loggingconfig](https://containers.cloud.ibm.com/global/swagger-global-api/#/logging/FetchLoggingConfigs) and [GET /v1/logging/{idOrName}/loggingconfig/{logSource}](https://containers.cloud.ibm.com/global/swagger-global-api/#/logging/FetchLoggingConfigsForSource)`
View information for a log filtering configuration.	`[ibmcloud ks logging-filter-get](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_log_filter_view)`	`[GET /v1/logging/{idOrName}/filterconfigs/{id}](https://containers.cloud.ibm.com/global/swagger-global-api/#/filter/FetchFilterConfig)`
List all logging filter configurations in the cluster.	`[ibmcloud ks logging-filter-get](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_log_filter_view)`	`[GET /v1/logging/{idOrName}/filterconfigs](https://containers.cloud.ibm.com/global/swagger-global-api/#/filter/FetchFilterConfigs)`
List all services that are bound to a specific namespace.	-	`[GET /v1/clusters/{idOrName}/services/{namespace}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/ListServicesInNamespace)`
List all user-managed subnets that are bound to a cluster.	-	`[GET /v1/clusters/{idOrName}/usersubnets](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/GetClusterUserSubnet)`
List available subnets in the infrastructure account.	`[ibmcloud ks subnets](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_subnets)`	`[GET /v1/subnets](https://containers.cloud.ibm.com/global/swagger-global-api/#/properties/ListSubnets)`
View the VLAN spanning status for the infrastructure account.	`[ibmcloud ks vlan-spanning-get](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_vlan_spanning_get)`	`[GET /v1/subnets/vlan-spanning](https://containers.cloud.ibm.com/global/swagger-global-api/#/accounts/GetVlanSpanning)`
When set for one cluster: List VLANs that the cluster is connected to in a zone. When set for all clusters in the account: List all available VLANs in a zone.	`[ibmcloud ks vlans](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_vlans)`	`[GET /v1/datacenters/{datacenter}/vlans](https://containers.cloud.ibm.com/global/swagger-global-api/#/properties/GetDatacenterVLANs)`
List all webhooks for a cluster.	-	`[GET /v1/clusters/{idOrName}/webhooks](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/GetClusterWebhooks)`
View information for a worker node.	`[ibmcloud ks worker-get](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_get)`	`[GET /v1/clusters/{idOrName}/workers/{workerId}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/GetWorkers)`
View information for a worker pool.	`[ibmcloud ks worker-pool-get](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_pool_get)`	`[GET /v1/clusters/{idOrName}/workerpools/{poolidOrName}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/GetWorkerPool)`
List all worker pools in a cluster.	`[ibmcloud ks worker-pools](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_pools)`	`[GET /v1/clusters/{idOrName}/workerpools](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/GetWorkerPools)`
List all worker nodes in a cluster.	`[ibmcloud ks workers](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_workers)`	`[GET /v1/clusters/{idOrName}/workers](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/GetClusterWorkers)`

Editor actions

{: #editor-actions}

The Editor platform role includes the permissions that are granted by Viewer, plus the following. With the Editor role, users such as developers can bind services, work with Ingress resources, and set up log forwarding for their apps but cannot modify the infrastructure. Tip: Use this role for app developers, and assign the Cloud Foundry Developer role. {: shortdesc}

Overview of CLI commands and API calls that require the Editor platform role in {{site.data.keyword.containerlong_notm}}

Action	CLI command	API call
Disable automatic updates for the Ingress ALB add-on.	`[ibmcloud ks alb-autoupdate-disable](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_alb_autoupdate_disable)`	`[PUT /clusters/{idOrName}/updatepolicy](https://containers.cloud.ibm.com/global/swagger-global-api/#/alb/ChangeUpdatePolicy)`
Enable automatic updates for the Ingress ALB add-on.	`[ibmcloud ks alb-autoupdate-enable](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_alb_autoupdate_enable)`	`[PUT /clusters/{idOrName}/updatepolicy](https://containers.cloud.ibm.com/global/swagger-global-api/#/alb/ChangeUpdatePolicy)`
Check whether automatic updates for the Ingress ALB add-on are enabled.	`[ibmcloud ks alb-autoupdate-get](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_alb_autoupdate_get)`	`[GET /clusters/{idOrName}/updatepolicy](https://containers.cloud.ibm.com/global/swagger-global-api/#/alb/GetUpdatePolicy)`
Enable or disable an Ingress ALB.	`[ibmcloud ks alb-configure](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_alb_configure)`	`[POST /albs](https://containers.cloud.ibm.com/global/swagger-global-api/#/alb/EnableALB) and [DELETE /albs/{albId}](https://containers.cloud.ibm.com/global/swagger-global-api/#/)`
Roll back the Ingress ALB add-on update to the build that your ALB pods were previously running.	`[ibmcloud ks alb-rollback](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_alb_rollback)`	`[PUT /clusters/{idOrName}/updaterollback](https://containers.cloud.ibm.com/global/swagger-global-api/#/alb/RollbackUpdate)`
Force a one-time update of your ALB pods by manually updating the Ingress ALB add-on.	`[ibmcloud ks alb-update](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_alb_update)`	`[PUT /clusters/{idOrName}/update](https://containers.cloud.ibm.com/global/swagger-global-api/#/alb/UpdateALBs)`
Create an API server audit webhook.	`[ibmcloud ks apiserver-config-set](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_apiserver_config_set)`	`[PUT /v1/clusters/{idOrName}/apiserverconfigs/auditwebhook](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/apiserverconfigs/UpdateAuditWebhook)`
Delete an API server audit webhook.	`[ibmcloud ks apiserver-config-unset](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_apiserver_config_unset)`	`[DELETE /v1/clusters/{idOrName}/apiserverconfigs/auditwebhook](https://containers.cloud.ibm.com/global/swagger-global-api/#/apiserverconfigs/DeleteAuditWebhook)`
Bind a service to a cluster. Note: You must have the Cloud Foundry Developer role for the space that you service instance is in.	`[ibmcloud ks cluster-service-bind](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_service_bind)`	`[POST /v1/clusters/{idOrName}/services](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/BindServiceToNamespace)`
Unbind a service from a cluster. Note: You must have the Cloud Foundry Developer role for the space that you service instance is in.	`[ibmcloud ks cluster-service-unbind](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_service_unbind)`	`[DELETE /v1/clusters/{idOrName}/services/{namespace}/{serviceInstanceId}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/UnbindServiceFromNamespace)`
Create a log forwarding configuration for all log sources except `kube-audit`.	`[ibmcloud ks logging-config-create](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_logging_create)`	`[POST /v1/logging/{idOrName}/loggingconfig/{logSource}](https://containers.cloud.ibm.com/global/swagger-global-api/#/logging/CreateLoggingConfig)`
Refresh a log forwarding configuration.	`[ibmcloud ks logging-config-refresh](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_logging_refresh)`	`[PUT /v1/logging/{idOrName}/refresh](https://containers.cloud.ibm.com/global/swagger-global-api/#/logging/RefreshLoggingConfig)`
Delete a log forwarding configuration for all log sources except `kube-audit`.	`[ibmcloud ks logging-config-rm](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_logging_rm)`	`[DELETE /v1/logging/{idOrName}/loggingconfig/{logSource}/{id}](https://containers.cloud.ibm.com/global/swagger-global-api/#/logging/DeleteLoggingConfig)`
Delete all log forwarding configurations for a cluster.	-	`[DELETE /v1/logging/{idOrName}/loggingconfig](https://containers.cloud.ibm.com/global/swagger-global-api/#/logging/DeleteLoggingConfigs)`
Update a log forwarding configuration.	`[ibmcloud ks logging-config-update](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_logging_update)`	`[PUT /v1/logging/{idOrName}/loggingconfig/{logSource}/{id}](https://containers.cloud.ibm.com/global/swagger-global-api/#/logging/UpdateLoggingConfig)`
Create a log filtering configuration.	`[ibmcloud ks logging-filter-create](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_log_filter_create)`	`[POST /v1/logging/{idOrName}/filterconfigs](https://containers.cloud.ibm.com/global/swagger-global-api/#/filter/CreateFilterConfig)`
Delete a log filtering configuration.	`[ibmcloud ks logging-filter-rm](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_log_filter_delete)`	`[DELETE /v1/logging/{idOrName}/filterconfigs/{id}](https://containers.cloud.ibm.com/global/swagger-global-api/#/filter/DeleteFilterConfig)`
Delete all logging filter configurations for the Kubernetes cluster.	-	`[DELETE /v1/logging/{idOrName}/filterconfigs](https://containers.cloud.ibm.com/global/swagger-global-api/#/filter/DeleteFilterConfigs)`
Update a log filtering configuration.	`[ibmcloud ks logging-filter-update](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_log_filter_update)`	`[PUT /v1/logging/{idOrName}/filterconfigs/{id}](https://containers.cloud.ibm.com/global/swagger-global-api/#/filter/UpdateFilterConfig)`
Add one NLB IP address to an existing NLB host name.	`[ibmcloud ks nlb-dns-add](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_nlb-dns-add)`	`[PUT /clusters/{idOrName}/add](https://containers.cloud.ibm.com/global/swagger-global-api/#/nlb-dns-beta/UpdateDNSWithIP)`
Create a DNS host name to register an NLB IP address.	`[ibmcloud ks nlb-dns-create](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_nlb-dns-create)`	`[POST /clusters/{idOrName}/register](https://containers.cloud.ibm.com/global/swagger-global-api/#/nlb-dns-beta/RegisterDNSWithIP)`
List the NLB host names and IP addresses that are registered in a cluster.	`[ibmcloud ks nlb-dnss](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_nlb-dns-ls)`	`[GET /clusters/{idOrName}/list](https://containers.cloud.ibm.com/global/swagger-global-api/#/nlb-dns-beta/ListNLBIPsForSubdomain)`
Remove an NLB IP address from a host name.	`[ibmcloud ks nlb-dns-rm](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_nlb-dns-rm)`	`[DELETE /clusters/{idOrName}/host/{nlbHost}/ip/{nlbIP}/remove](https://containers.cloud.ibm.com/global/swagger-global-api/#/nlb-dns-beta/UnregisterDNSWithIP)`
Configure and optionally enable a health check monitor for an existing NLB host name in a cluster.	`[ibmcloud ks nlb-dns-monitor-configure](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_nlb-dns-monitor-configure)`	`[POST /health/clusters/{idOrName}/config](https://containers.cloud.ibm.com/global/swagger-global-api/#/nlb-health-monitor-beta/AddNlbDNSHealthMonitor)`
View the settings for an existing health check monitor.	`[ibmcloud ks nlb-dns-monitor-get](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_nlb-dns-monitor-get)`	`[GET /health/clusters/{idOrName}/host/{nlbHost}/config](https://containers.cloud.ibm.com/global/swagger-global-api/#/nlb-health-monitor-beta/GetNlbDNSHealthMonitor)`
Disable an existing health check monitor for a host name in a cluster.	`[ibmcloud ks nlb-dns-monitor-disable](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_nlb-dns-monitor-disable)`	`[PUT /clusters/{idOrName}/health](https://containers.cloud.ibm.com/global/swagger-global-api/#/nlb-health-monitor-beta/UpdateNlbDNSHealthMonitor)`
Enable a health check monitor that you configured.	`[ibmcloud ks nlb-dns-monitor-enable](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_nlb-dns-monitor-enable)`	`[PUT /clusters/{idOrName}/health](https://containers.cloud.ibm.com/global/swagger-global-api/#/nlb-health-monitor-beta/UpdateNlbDNSHealthMonitor)`
List the health check monitor settings for each NLB host name in a cluster.	`[ibmcloud ks nlb-dns-monitor-ls](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_nlb-dns-monitor-ls)`	`[GET /health/clusters/{idOrName}/list](https://containers.cloud.ibm.com/global/swagger-global-api/#/nlb-health-monitor-beta/ListNlbDNSHealthMonitors)`
List the health check status of each IP address that is registered with an NLB host name in a cluster.	`[ibmcloud ks nlb-dns-monitor-status](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_nlb-dns-monitor-status)`	`[GET /health/clusters/{idOrName}/status](https://containers.cloud.ibm.com/global/swagger-global-api/#/nlb-health-monitor-beta/ListNlbDNSHealthMonitorStatus)`
Create a webhook in a cluster.	`[ibmcloud ks webhook-create](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_webhook_create)`	`[POST /v1/clusters/{idOrName}/webhooks](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/AddClusterWebhooks)`

Operator actions

{: #operator-actions}

The Operator platform role includes the permissions that are granted by Viewer, plus the permissions that are shown in the following table. With the Operator role, users such as site reliability engineers, DevOps engineers, or cluster administrators can add worker nodes and troubleshoot infrastructure such as by reloading a worker node, but cannot create or delete the cluster, change the credentials, or set up cluster-wide features like service endpoints or managed add-ons. {: shortdesc}

Overview of CLI commands and API calls that require the Operator platform role in {{site.data.keyword.containerlong_notm}}

Action	CLI command	API call
Refresh the Kubernetes master.	`[ibmcloud ks apiserver-refresh](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_apiserver_refresh) (cluster-refresh)`	`[PUT /v1/clusters/{idOrName}/masters](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/HandleMasterAPIServer)`
Make an {{site.data.keyword.cloud_notm}} IAM service ID for the cluster, create a policy for the service ID that assigns the Reader service access role in {{site.data.keyword.registrylong_notm}}, and then create an API key for the service ID.	`[ibmcloud ks cluster-pull-secret-apply](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_pull_secret_apply)`	-
Add a subnet to a cluster.	`[ibmcloud ks cluster-subnet-add](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_subnet_add)`	`[PUT /v1/clusters/{idOrName}/subnets/{subnetId}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/AddClusterSubnet)`
Create a subnet and add it to a cluster.	`[ibmcloud ks cluster-subnet-create](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_subnet_create)`	`[POST /v1/clusters/{idOrName}/vlans/{vlanId}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/CreateClusterSubnet)`
Update a cluster.	`[ibmcloud ks cluster-update](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_update)`	`[PUT /v1/clusters/{idOrName}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/UpdateCluster)`
Add a user-managed subnet to a cluster.	`[ibmcloud ks cluster-user-subnet-add](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_user_subnet_add)`	`[POST /v1/clusters/{idOrName}/usersubnets](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/AddClusterUserSubnet)`
Remove a user-managed subnet from a cluster.	`[ibmcloud ks cluster-user-subnet-rm](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_user_subnet_rm)`	`[DELETE /v1/clusters/{idOrName}/usersubnets/{subnetId}/vlans/{vlanId}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/RemoveClusterUserSubnet)`
Add worker nodes.	`[ibmcloud ks worker-add (deprecated)](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_add)`	`[POST /v1/clusters/{idOrName}/workers](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/AddClusterWorkers)`
Create a worker pool.	`[ibmcloud ks worker-pool-create](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_pool_create)`	`[POST /v1/clusters/{idOrName}/workerpools](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/CreateWorkerPool)`
Rebalance a worker pool.	`[ibmcloud ks worker-pool-rebalance](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_rebalance)`	`[PATCH /v1/clusters/{idOrName}/workerpools/{poolidOrName}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/PatchWorkerPool)`
Resize a worker pool.	`[ibmcloud ks worker-pool-resize](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_pool_resize)`	`[PATCH /v1/clusters/{idOrName}/workerpools/{poolidOrName}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/PatchWorkerPool)`
Delete a worker pool.	`[ibmcloud ks worker-pool-rm](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_pool_rm)`	`[DELETE /v1/clusters/{idOrName}/workerpools/{poolidOrName}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/RemoveWorkerPool)`
Reboot a worker node.	`[ibmcloud ks worker-reboot](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_reboot)`	`[PUT /v1/clusters/{idOrName}/workers/{workerId}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/UpdateClusterWorker)`
Reload a worker node.	`[ibmcloud ks worker-reload](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_reload)`	`[PUT /v1/clusters/{idOrName}/workers/{workerId}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/UpdateClusterWorker)`
Remove a worker node.	`[ibmcloud ks worker-rm](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_rm)`	`[DELETE /v1/clusters/{idOrName}/workers/{workerId}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/RemoveClusterWorker)`
Update a worker node.	`[ibmcloud ks worker-update](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_update)`	`[PUT /v1/clusters/{idOrName}/workers/{workerId}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/UpdateClusterWorker)`
Add a zone to a worker pool.	`[ibmcloud ks zone-add](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_zone_add)`	`[POST /v1/clusters/{idOrName}/workerpools/{poolidOrName}/zones](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/AddWorkerPoolZone)`
Update the network configuration for a given zone in a worker pool.	`[ibmcloud ks zone-network-set](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_zone_network_set)`	`[PATCH /v1/clusters/{idOrName}/workerpools/{poolidOrName}/zones/{zoneid}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/AddWorkerPoolZoneNetwork)`
Remove a zone a from worker pool.	`[ibmcloud ks zone-rm](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_zone_rm)`	`[DELETE /v1/clusters/{idOrName}/workerpools/{poolidOrName}/zones/{zoneid}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/RemoveWorkerPoolZone)`

Administrator actions

{: #admin-actions}

The Administrator platform role includes all permissions that are granted by the Viewer, Editor, and Operator roles, plus the following. With the Administrator role, users such as cluster or account administrators can create and delete clusters or set up cluster-wide features like service endpoints or managed add-ons. To create order such infrastructure resources such as worker node machines, VLANs, and subnets, Administrator users need the Super user infrastructure role or the API key for the region must be set with the appropriate permissions. {: shortdesc}

Overview of CLI commands and API calls that require the Administrator platform role in {{site.data.keyword.containerlong_notm}}

Action	CLI command	API call
Beta: Deploy or update a certificate from your {{site.data.keyword.cloudcerts_long_notm}} instance to an ALB.	`[ibmcloud ks alb-cert-deploy](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_alb_cert_deploy)`	`[POST /albsecrets](https://containers.cloud.ibm.com/global/swagger-global-api/#/alb/CreateALBSecret) or [PUT /albsecrets](https://containers.cloud.ibm.com/global/swagger-global-api/#/alb-beta/UpdateALBSecret)`
Beta: View details for an ALB secret in a cluster.	`[ibmcloud ks alb-cert-get](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_alb_cert_get)`	`[GET /clusters/{idOrName}/albsecrets](https://containers.cloud.ibm.com/global/swagger-global-api/#/alb-beta/ViewClusterALBSecrets)`
Beta: Remove an ALB secret from a cluster.	`[ibmcloud ks alb-cert-rm](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_alb_cert_rm)`	`[DELETE /clusters/{idOrName}/albsecrets](https://containers.cloud.ibm.com/global/swagger-global-api/#/alb-beta/DeleteClusterALBSecrets)`
List all ALB secrets in a cluster.	`[ibmcloud ks alb-certs](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_alb_certs)`	-
Set the API key for the {{site.data.keyword.cloud_notm}} account to access the linked IBM Cloud infrastructure portfolio.	`[ibmcloud ks api-key-reset](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_api_key_reset)`	`[POST /v1/keys](https://containers.cloud.ibm.com/global/swagger-global-api/#/accounts/ResetUserAPIKey)`
Disable a managed add-on, such Istio or Knative, in a cluster.	`[ibmcloud ks cluster-addon-disable](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_addon_disable)`	`[PATCH /v1/clusters/{idOrName}/addons](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/ManageClusterAddons)`
Enable a managed add-on, such Istio or Knative, in a cluster.	`[ibmcloud ks cluster-addon-enable](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_addon_enable)`	`[PATCH /v1/clusters/{idOrName}/addons](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/ManageClusterAddons)`
List managed add-ons, such as Istio or Knative, that are enabled in a cluster.	`[ibmcloud ks cluster-addons](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_addons)`	`[GET /v1/clusters/{idOrName}/addons](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/GetClusterAddons)`
Create a free or standard cluster. Note: The Administrator platform role for {{site.data.keyword.registrylong_notm}} and the Super User infrastructure role are also required.	`[ibmcloud ks cluster-create](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_create)`	`[POST /v1/clusters](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/CreateCluster)`
Disable a specified feature for a cluster, such as the public service endpoint for the cluster master.	`[ibmcloud ks cluster-feature-disable](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_feature_disable)`	-
Enable a specified feature for a cluster, such as the private service endpoint for the cluster master.	`[ibmcloud ks cluster-feature-enable](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_feature_enable)`	-
Delete a cluster.	`[ibmcloud ks cluster-rm](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_rm)`	`[DELETE /v1/clusters/{idOrName}](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/RemoveCluster)`
Set infrastructure credentials for the {{site.data.keyword.cloud_notm}} account to access a different IBM Cloud infrastructure portfolio.	`[ibmcloud ks credential-set](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_credentials_set)`	`[POST /v1/credentials](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/accounts/StoreUserCredentials)`
Remove infrastructure credentials for the {{site.data.keyword.cloud_notm}} account to access a different IBM Cloud infrastructure portfolio.	`[ibmcloud ks credential-unset](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_credentials_unset)`	`[DELETE /v1/credentials](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/accounts/RemoveUserCredentials)`
Beta: Encrypt Kubernetes secrets by using {{site.data.keyword.keymanagementservicefull}}.	`[ibmcloud ks key-protect-enable](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_messages)`	`[POST /v1/clusters/{idOrName}/kms](https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/CreateKMSConfig)`
Disable automatic updates for the Fluentd cluster add-on.	`[ibmcloud ks logging-autoupdate-disable](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_log_autoupdate_disable)`	`[PUT /v1/logging/{idOrName}/updatepolicy](https://containers.cloud.ibm.com/global/swagger-global-api/#/logging/ChangeUpdatePolicy)`
Enable automatic updates for the Fluentd cluster add-on.	`[ibmcloud ks logging-autoupdate-enable](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_log_autoupdate_enable)`	`[PUT /v1/logging/{idOrName}/updatepolicy](https://containers.cloud.ibm.com/global/swagger-global-api/#/logging/ChangeUpdatePolicy)`
Collect a snapshot of API server logs in an {{site.data.keyword.cos_full_notm}} bucket.	`[ibmcloud ks logging-collect](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_log_collect)`	[POST /v1/log-collector/{idOrName}/masterlogs](https://containers.cloud.ibm.com/global/swagger-global-api/#/log45collector/CreateMasterLogCollection)
See the status of the API server logs snapshot request.	`[ibmcloud ks logging-collect-status](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_log_collect_status)`	[GET /v1/log-collector/{idOrName}/masterlogs](https://containers.cloud.ibm.com/global/swagger-global-api/#/log45collector/GetMasterLogCollectionStatus)
Create a log forwarding configuration for the `kube-audit` log source.	`[ibmcloud ks logging-config-create](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_logging_create)`	`[POST /v1/logging/{idOrName}/loggingconfig/{logSource}](https://containers.cloud.ibm.com/global/swagger-global-api/#/logging/CreateLoggingConfig)`
Delete a log forwarding configuration for the `kube-audit` log source.	`[ibmcloud ks logging-config-rm](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_logging_rm)`	`[DELETE /v1/logging/{idOrName}/loggingconfig/{logSource}/{id}](https://containers.cloud.ibm.com/global/swagger-global-api/#/logging/DeleteLoggingConfig)`

{{site.data.keyword.cloud_notm}} IAM service roles

{: #service}

Every user who is assigned an {{site.data.keyword.cloud_notm}} IAM service access role is also automatically assigned a corresponding Kubernetes role-based access control (RBAC) role in a specific namespace. To learn more about service access roles, see {{site.data.keyword.cloud_notm}} IAM service roles. Do not assign {{site.data.keyword.cloud_notm}} IAM platform roles at the same time as a service role. You must assign platform and service roles separately. {: shortdesc}

Looking for which Kubernetes actions each service role grants through RBAC? See Kubernetes resource permissions per RBAC role. To learn more about RBAC roles, see Assigning RBAC permissions and Extending existing permissions by aggregating cluster roles. {: tip}

The following table shows the Kubernetes resource permissions that are granted by each service role and its corresponding RBAC role.

Kubernetes resource permissions by service and corresponding RBAC roles

Service role	Corresponding RBAC role, binding, and scope	Kubernetes resource permissions
Reader role	When scoped to one namespace: `view` cluster role applied by the `ibm-view` role binding in that namespace When scoped to all namespaces: `view` cluster role applied by the `ibm-view` role binding in each namespace of the cluster	Read access to resources in a namespace No read access to roles and role bindings or to Kubernetes secrets Access the Kubernetes dashboard to view resources in a namespace
Writer role	When scoped to one namespace: `edit` cluster role applied by the `ibm-edit` role binding in that namespace When scoped to all namespaces: `edit` cluster role applied by the `ibm-edit` role binding in each namespace of the cluster	Read/write access to resources in a namespace No read/write access to roles and role bindings Access the Kubernetes dashboard to view resources in a namespace
Manager role	When scoped to one namespace: `admin` cluster role applied by the `ibm-operate` role binding in that namespace When scoped to all namespaces: `cluster-admin` cluster role applied by the `ibm-admin` cluster role binding that applies to all namespaces	When scoped to one namespace: Read/write access to all resources in a namespace but not to resource quota or the namespace itself Create RBAC roles and role bindings in a namespace Access the Kubernetes dashboard to view all resources in a namespace When scoped to all namespaces: Read/write access to all resources in every namespace Create RBAC roles and role bindings in a namespace or cluster roles and cluster role bindings in all namespaces Access the Kubernetes dashboard Create an Ingress resource that makes apps publicly available Review cluster metrics such as with the `kubectl top pods`, `kubectl top nodes`, or `kubectl get nodes` commands
Any service role	OpenShift clusters only: All users of an OpenShift cluster are given the `basic-users` and `self-provisioners` cluster roles as applied by the `basic-users` and `self-provisioners` cluster role bindings.	Get basic information about projects that the user has access to. Create authorized resources in the projects that the user has access to. For more information, see the [OpenShift docs ![External link icon](../icons/launch-glyph.svg "External link icon")](https://docs.openshift.com/container-platform/3.11/admin_guide/manage_rbac.html).

Kubernetes resource permissions per RBAC role

{: #rbac_ref}

Every user who is assigned an {{site.data.keyword.cloud_notm}} IAM service access role is also automatically assigned a corresponding, predefined Kubernetes role-based access control (RBAC) role. If you plan to manage your own custom Kubernetes RBAC roles, see Creating custom RBAC permissions for users, groups, or service accounts. {: shortdesc}

Wondering if you have the correct permissions to run a certain kubectl command on a resource in a namespace? Try the kubectl auth can-i command External link icon . {: tip}

The following table shows the permissions that are granted by each RBAC role to individual Kubernetes resources. Permissions are shown as which verbs a user with that role can complete against the resource, such as "get", "list", "describe", "create", or "delete".

Kubernetes resource permissions granted by each predefined RBAC role

Cloud Foundry roles

{: #cloud-foundry}

Cloud Foundry roles grant access to organizations and spaces within the account. To see the list of Cloud Foundry-based services in {{site.data.keyword.cloud_notm}}, run ibmcloud service list. To learn more, see all available org and space roles or the steps for managing Cloud Foundry access in the {{site.data.keyword.cloud_notm}} IAM documentation. {: shortdesc}

The following table shows the Cloud Foundry roles that are required for cluster action permissions.

Cluster management permissions by Cloud Foundry role

Cloud Foundry role	Cluster management permissions
Space role: Manager	Manage user access to an {{site.data.keyword.cloud_notm}} space
Space role: Developer	Create {{site.data.keyword.cloud_notm}} service instances Bind {{site.data.keyword.cloud_notm}} service instances to clusters View logs from a cluster's log forwarding configuration at the space level

Classic infrastructure roles

{: #infra}

A user with the Super User infrastructure access role sets the API key for a region and resource group so that infrastructure actions can be performed (or more rarely, manually sets different account credentials). Then, the infrastructure actions that other users in the account can perform is authorized through {{site.data.keyword.cloud_notm}} IAM platform roles. You do not need to edit the other users' classic infrastructure permissions. Use the following table to customize users' classic infrastructure permissions only when you can't assign Super User to the user who sets the API key. For instructions to assign permissions, see Customizing infrastructure permissions. {: shortdesc}

Need to check that the API key or manually-set credentials have the required and suggested infrastructure permissions? Use the ibmcloud ks infra-permissions-get command. {: tip}

The following table shows the classic infrastructure permissions that the credentials for a region and resource group can have for creating clusters and other common use cases. The description includes how you can assign the permission in the {{site.data.keyword.cloud_notm}} IAM Classic infrastructure console or the ibmcloud sl command. For more information, see the instructions for the console or CLI.

Create clusters: Classic infrastructure permissions that you must have to create a cluster. When you run ibmcloud ks infra-permissions-get, these permissions are listed as Required.
Other common use cases: Classic infrastructure permissions that you must have for other common scenarios. Even if you have permission to create a cluster, some limitations might apply. For example, you might not be able to create or work with a cluster with bare metal worker nodes or a public IP address. After cluster creation, further steps to add networking or storage resources might fail. When you run ibmcloud ks infra-permissions-get, these permissions are listed as Suggested.

Permission	Description	IAM Assign Policy Console	CLI
IPMI Remote Management	Manage worker nodes.	Classic infrastructure > Permissions > Devices	`ibmcloud sl user permission-edit <user_id> --permission REMOTE_MANAGEMENT --enable true`
Add Server	Add worker nodes. For worker nodes that have public IP addresses, you also need the Add Compute with Public Network Port permission.	Classic infrastructure > Permissions > Account	`ibmcloud sl user permission-edit <user_id> --permission SERVER_ADD --enable true`
Cancel Server	Delete worker nodes.	Classic infrastructure > Permissions > Account	`ibmcloud sl user permission-edit <user_id> --permission SERVER_CANCEL --enable true`
OS Reloads and Rescue Kernel	Update, reboot, and reload worker nodes.	Classic infrastructure > Permissions > Devices	`ibmcloud sl user permission-edit <user_id> --permission SERVER_RELOAD --enable true`
View Virtual Server Details	Required if the cluster has VM worker nodes. List and get details of VM worker nodes.	Classic infrastructure > Permissions > Devices	`ibmcloud sl user permission-edit <user_id> --permission VIRTUAL_GUEST_VIEW --enable true`
View Hardware Details	Required if the cluster has bare metal worker nodes. List and get details of bare metal worker nodes.	Classic infrastructure > Permissions > Devices	`ibmcloud sl user permission-edit <user_id> --permission HARDWARE_VIEW --enable true`
Add Support Case	As part of the cluster creation automation, support cases are opened to provision the cluster infrastructure.	Assign access to account management services > Support Center > Administrator	`ibmcloud sl user permission-edit <user_id> --permission TICKET_ADD --enable true`
Edit Support Case	As part of the cluster creation automation, support cases are updated to provision the cluster infrastructure.	Assign access to account management services > Support Center > Administrator	`ibmcloud sl user permission-edit <user_id> --permission TICKET_EDIT --enable true`
View Support Case	As part of the cluster creation automation, support cases are used to provision the cluster infrastructure.	Assign access to account management services > Support Center > Administrator	`ibmcloud sl user permission-edit <user_id> --permission TICKET_VIEW --enable true`
{: class="simple-tab-table"}
{: caption="Required classic infrastructure permissions" caption-side="top"}
{: #classic-permissions-required}
{: tab-title="Create clusters"}
{: tab-group="Classic infrastructure permissions"}

Permission	Description	IAM Assign Policy Console	CLI
Access All Virtual	Designate access to all VM worker nodes. Without this permission, a user who creates one cluster might not be able to view the VM worker nodes of another cluster even if the user has IAM access to both clusters.	Classic infrastructure > Devices > Check All virtual servers and Auto virtual server access	`ibmcloud sl user permission-edit <user_id> --permission ACCESS_ALL_GUEST --enable true`
Access All Hardware	Designate access to all bare metal worker nodes. Without this permission, a user who creates one cluster might not be able to view the bare metal worker nodes of another cluster even if the user has IAM access to both clusters.	Classic infrastructure > Devices > Check All virtual servers and Auto virtual server access	`ibmcloud sl user permission-edit <user_id> --permission ACCESS_ALL_HARDWARE --enable true`
Add Compute with Public Network Port	Let worker nodes have a port that can be accessible on the public network.	Classic infrastructure > Permissions > Network	`ibmcloud sl user permission-edit <user_id> --permission PUBLIC_NETWORK_COMPUTE --enable true`
Manage DNS	Set up public load balancer or Ingress networking to expose apps.	Classic infrastructure > Permissions > Services	`ibmcloud sl user permission-edit <user_id> --permission DNS_MANAGE --enable true`
Edit Hostname/Domain	Set up public load balancer or Ingress networking to expose apps.	Classic infrastructure > Permissions > Devices	`ibmcloud sl user permission-edit <user_id> --permission HOSTNAME_EDIT --enable true`
Add IP Addresses	Add IP addresses to public or private subnets that are used for cluster load balancing.	Classic infrastructure > Permissions > Network	`ibmcloud sl user permission-edit <user_id> --permission IP_ADD --enable true`
Manage Network Subnet Routes	Manage public and private VLANs and subnets that are used for cluster load balancing.	Classic infrastructure > Permissions > Network	`ibmcloud sl user permission-edit <user_id> --permission NETWORK_ROUTE_MANAGE --enable true`
Manage Port Control	Manage ports that are used for app load balancing.	Classic infrastructure > Permissions > Devices	`ibmcloud sl user permission-edit <user_id> --permission PORT_CONTROL --enable true`
Manage Certificates (SSL)	Set up certificates that are used for cluster load balancing.	Classic infrastructure > Permissions > Services	`ibmcloud sl user permission-edit <user_id> --permission SECURITY_CERTIFICATE_MANAGE --enable true`
View Certificates (SSL)	Set up certificates that are used for cluster load balancing.	Classic infrastructure > Permissions > Services	`ibmcloud sl user permission-edit <user_id> --permission SECURITY_CERTIFICATE_MANAGE --enable true`
Add/Upgrade Storage (StorageLayer)	Create {{site.data.keyword.cloud_notm}} File or Block storage instances to attach as volumes to your apps for persistent storage of data.	Classic infrastructure > Permissions > Account	`ibmcloud sl user permission-edit <user_id> --permission ADD_SERVICE_STORAGE --enable true`
Storage Manage	Manage {{site.data.keyword.cloud_notm}} File or Block storage instances that are attached as volumes to your apps for persistent storage of data.	Classic infrastructure > Permissions > Services	`ibmcloud sl user permission-edit <user_id> --permission NAS_MANAGE --enable true`
{: class="simple-tab-table"}
{: caption="Suggested classic infrastructure permissions" caption-side="top"}
{: #classic-permissions-suggested}
{: tab-title="Other common use cases"}
{: tab-group="Classic infrastructure permissions"}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cs_access_reference.md

cs_access_reference.md

User access permissions

{{site.data.keyword.cloud_notm}} IAM platform roles

Actions requiring no permissions

Viewer actions

Editor actions

Operator actions

Administrator actions

{{site.data.keyword.cloud_notm}} IAM service roles

Kubernetes resource permissions per RBAC role

Cloud Foundry roles

Classic infrastructure roles

Kubernetes resource	`view`	`edit`	`admin` and `cluster-admin`
`bindings`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`configmaps`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`cronjobs.batch`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`daemonsets.apps`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`daemonsets.extensions`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`deployments.apps`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`deployments.apps/rollback`	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`deployments.apps/scale`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`deployments.extensions`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`deployments.extensions/rollback`	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`deployments.extensions/scale`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`endpoints`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`events`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`horizontalpodautoscalers.autoscaling`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`ingresses.extensions`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`jobs.batch`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`limitranges`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`localsubjectaccessreviews`	-	-	`create`
`namespaces`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch` cluster-admin only: `create`, `delete`
`namespaces/status`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`networkpolicies`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`networkpolicies.extensions`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`persistentvolumeclaims`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`poddisruptionbudgets.policy`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`pods`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `top`, `patch`, `update`, `watch`
`pods/attach`	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`pods/exec`	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`pods/log`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`pods/portforward`	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`pods/proxy`	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`pods/status`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`replicasets.apps`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`replicasets.apps/scale`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`replicasets.extensions`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`replicasets.extensions/scale`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`replicationcontrollers`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`replicationcontrollers/scale`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`replicationcontrollers/status`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`replicationcontrollers.extensions/scale`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`resourcequotas`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`resourcequotas/status`	`get`, `list`, `watch`	`get`, `list`, `watch`	`get`, `list`, `watch`
`rolebindings`	-	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`roles`	-	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`secrets`	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`serviceaccounts`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`, `impersonate`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`, `impersonate`
`services`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`services/proxy`	-	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`statefulsets.apps`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`
`statefulsets.apps/scale`	`get`, `list`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`	`create`, `delete`, `deletecollection`, `get`, `list`, `patch`, `update`, `watch`

Files

cs_access_reference.md

Latest commit

History

cs_access_reference.md

File metadata and controls

User access permissions

{{site.data.keyword.cloud_notm}} IAM platform roles

Actions requiring no permissions

Viewer actions

Editor actions

Operator actions

Administrator actions

{{site.data.keyword.cloud_notm}} IAM service roles

Kubernetes resource permissions per RBAC role

Cloud Foundry roles

Classic infrastructure roles