Required Permissions for Kubernetes
- Updated 2026-05-14
This section describes the Kubernetes RBAC permissions that are required to install, operate, and upgrade SystemLink Enterprise.
Installation Requirements
SystemLink Enterprise installation uses two Helm charts that require different permission levels.
SystemLink Admin Helm chart: The SystemLink Admin Helm chart installs cluster-wide prerequisites including the Flink Operator and its Custom Resource Definitions (CRDs).
A user with the built-in Kubernetes cluster-admin ClusterRole can install this chart. If your organization requires a more restrictive role, the installer needs permissions to:
- Create and manage Custom Resource Definitions (CRDs)
- Create and manage ClusterRoles and ClusterRoleBindings
- Create and manage ValidatingWebhookConfigurations and MutatingWebhookConfigurations
- Create Deployments, Services, ConfigMaps, Secrets, and ServiceAccounts
The SystemLink Helm chart installs SystemLink Enterprise services.
A user with namespace administrator privileges can install this chart. If your organization requires a more restrictive role, the installer needs permissions to:
- Create and manage Deployments, StatefulSets, Services, ConfigMaps, Secrets, and ServiceAccounts in the target namespace
- Create and manage Ingress and NetworkPolicy resources in the target namespace
- Create and manage RBAC resources (Roles, RoleBindings) in the target namespace
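Before running the chart with a restricted account, the namespace permissions listed above can be checked with `kubectl auth can-i`. The script below is an added example, not NI tooling or part of the original page; the verb set standing in for "create and manage", the file name in the usage comment, and the namespace argument are assumptions.

```shell
#!/bin/sh
# Added example (not NI tooling): preflight check of the namespace permissions
# listed above for the SystemLink Helm chart installer.
# Assumptions: the verb set standing in for "create and manage", and the
# namespace passed on the command line.
KUBECTL="${KUBECTL:-kubectl}"   # overridable so the check can be tested offline

VERBS="get list watch create update patch delete"
RESOURCES="deployments.apps statefulsets.apps
services configmaps secrets serviceaccounts
ingresses.networking.k8s.io networkpolicies.networking.k8s.io
roles.rbac.authorization.k8s.io rolebindings.rbac.authorization.k8s.io"

# Prints one "<verb> <resource>" line per permission the current identity lacks
# in namespace $1. Returns 0 when nothing is missing, 1 otherwise.
missing_permissions() {
    ns="$1"
    rc=0
    for res in $RESOURCES; do
        for verb in $VERBS; do
            # `auth can-i --quiet` prints nothing and exits 0 only if allowed.
            if ! $KUBECTL auth can-i --quiet "$verb" "$res" --namespace "$ns"; then
                echo "$verb $res"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Usage: sh preflight.sh <namespace>   (preflight.sh is a hypothetical file name)
if [ "$#" -ge 1 ]; then
    if missing_permissions "$1"; then
        echo "all listed permissions present in namespace $1"
    else
        echo "permissions above are missing in namespace $1" >&2
        exit 1
    fi
fi
```

A passing check on Roles and RoleBindings does not guarantee the install succeeds: Kubernetes rejects creating a Role or RoleBinding that grants permissions the installer does not already hold, unless the installer also has the `escalate` or `bind` verb.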
Elasticsearch is an optional feature that enhances search performance for certain services (such as FileIngestion).
The SystemLink Elasticsearch chart deploys Elasticsearch for SystemLink Enterprise.
A user with namespace administrator privileges can install this chart. If your organization requires a more restrictive role, the installer needs permissions to:
- Create and manage Deployments, StatefulSets, Services, ConfigMaps, Secrets, and ServiceAccounts in the target namespace
- Create and manage PersistentVolumeClaims in the target namespace
For more information on deploying and configuring Elasticsearch for SystemLink Enterprise, see the Elasticsearch Deployment Guide.
Cloud-specific requirements:
Operations Requirements
The built-in Kubernetes view ClusterRole provides sufficient read access for most day-to-day monitoring and troubleshooting needs. For comprehensive monitoring, the operator also needs:
- Read access to Nodes, Namespaces, PersistentVolumes, and StorageClasses at the cluster level
- Read access to Argo Workflows and Flink custom resources in the namespace
For Helm chart upgrades that do not involve CRD or operator changes:
The user needs permissions to update Deployments, StatefulSets, Services, ConfigMaps, Secrets, Ingresses, and custom resources within the SystemLink Enterprise namespace.
Upgrade Scenarios Requiring Elevated Permissions
Some upgrades require cluster-level permissions. Review the release notes for each version to determine if you need elevated permissions. Scenarios that typically require cluster administrator privileges include:
- CRD-related changes
- Operator-related changes
Summary
| Operation | Minimum Required Role |
|---|---|
| Install SystemLink Admin Helm chart | cluster-admin or equivalent custom role |
| Install SystemLink Helm chart | Namespace administrator |
| Install SystemLink Elasticsearch Helm chart | Namespace administrator |
| Monitor SystemLink Enterprise | view ClusterRole (namespace-scoped) plus cluster read access |
| Routine Helm upgrades | Namespace administrator |
| Upgrades with CRD/operator changes | cluster-admin or equivalent custom role |
Related Information
- Validating the Install
Test that SystemLink Enterprise installed correctly.
- Kubernetes RBAC Documentation
- Elasticsearch Deployment Guide
- Updating SystemLink Enterprise
Modify the configuration or upgrade to a newer version of the SystemLink Enterprise application.