Skip to main content
Version: 0.16.0

Service Account permissions

This is an explanation of the kubernetes permissions used by the Weave GitOps service account. This is the service account used by the application itself (rather than the static user used for demo/emergency access, the permissions for which are covered in the static user permissions page)

The default permissions of the service account are defined in the helm chart which will generate a cluster role with the following permissions:

# Used to query the cluster
- apiGroups: [""]
resources: ["users", "groups"] # set by rbac.impersonationResources
verbs: [ "impersonate" ]
# resourceNames: [] # set by rbac.impersonationResourceNames
# Used to get OIDC/static user credentials for login
- apiGroups: [""]
resources: [ "secrets" ]
verbs: [ "get", "list" ]
resourceNames: # set by rbac.viewSecretsResourceNames
- "cluster-user-auth"
- "oidc-auth"
# The service account needs to read namespaces to know where it can query
- apiGroups: [ "" ]
resources: [ "namespaces" ]
verbs: [ "get", "list" ]

These allow the pod to do three things:

  • impersonate the user and operate in cluster as them
  • read the available namespaces (this is required to understand the users' permissions)
  • read the cluster-user-auth and oidc-auth secrets, which are the default secrets to store the cluster-user account and OIDC configuration (see securing access to the dashboard)

The Helm values

rbac.impersonationResourcesWhich resource types the service account can impersonate["users", "groups"]
rbac.impersonationResourceNamesSpecific users, groups or services account that can be impersonated[]
rbac.viewSecretsResourceNamesSpecific secrets that can be read["cluster-user-auth", "oidc-auth"]


The primary way Weave GitOps queries the Kube API is via impersonation, the application (not the cluster) authenticates the user (either via the static cluster-user credentials or OIDC) then makes calls to the Kube API on the user's behalf. This is equivalent to making a kubectl call like:

$ kubectl get deployments --as

Assuming the user has been granted permissions to get deployments within the cluster then this will return them. The same occurs within the application. This makes the proper configuration of the application's permissions very important as, without proper restrictions it can impersonate very powerful users or groups. For example, the system:masters is group is generally bound to the cluster-admin role which can do anything.

For more details of the permissions needed by the user or group see the user permissions guide.

Configuring impersonation

It is highly recommended that you limit which users and groups that the application can impersonate by setting rbac.impersonationResourceNames in the Helm chart's values. e.g.:

impersonationResources: ["groups"]
- admin
- dev-team
- qa-team

In this example the application can only impersonate the groups admin, dev-team and qa-team (this also, implicitly disables the static cluster-user).

Unfortunately not all OIDC providers support groups so you may need to manually enumerate users, for example:

impersonationResources: ["users"]
- wego-admin # enable the static cluster-user

A better, albeit more involved, solution is to set up an OIDC connector like Dex and use that to manage groups for you.

Get namespaces

The application itself uses get namespace permissions to pre-cache the list of available namespaces. As the user accesses resources their permissions within various namespaces is also cached to speed up future operations.

Reading the cluster-user-auth and oidc-auth secrets

The cluster-user-auth and oidc-auth secrets provide information for authenticating to the application. The former holds the username and bcrypt-hashed password for the static user and the later holds OIDC configuration.

The application needs to be able to access these secrets in order to authenticate users.

Configuring secrets

The rbac.viewSecretsResourceNames value allows the operator to change which secrets the application can read. This is mostly so that, if the static user is not configured, that secret can be removed; or if the secret to be used is re-named.