Permissions

In order to operate Berlioz should have access to the GCP Project. There are multiple ways to do that. Choose Permissive, Reduced or Strict based on your needs.

Permissive

The simplest option. Allow full access to the project:

  • Project -> Owner

Reduced

This option reduces permission scope:

  • Project -> Editor
  • Project IAM Admin
  • Kubernetes Engine Admin
  • Pub/Sub Admin

Strict

The most strict option. If you decide to go this route make sure that you follow changes of permission requirements and update the roles accordingly. Apply following roles to berlioz-robot service account.

Download role definitions below.

Make sure to modify downloaded YAML files and set the project name in the name field.

Apply using CLI:

$ gcloud iam roles update berlioz.cloudsql --project <gcp-project-name> --file berlioz-cloudsql-role.yaml
$ gcloud iam roles update berlioz.functions --project <gcp-project-name> --file berlioz-functions-role.yaml
$ gcloud iam roles update berlioz.iam --project <gcp-project-name> --file berlioz-iam-role.yaml
$ gcloud iam roles update berlioz.kubernetes --project <gcp-project-name> --file berlioz-kubernetes-role.yaml
$ gcloud iam roles update berlioz.pubsub --project <gcp-project-name> --file berlioz-pubsub-role.yaml
$ gcloud iam roles update berlioz.storage --project <gcp-project-name> --file berlioz-storage-role.yaml

Default Roles

  • Service Account User

Custom Roles

Berlioz CloudSQL

  • cloudsql.instances.create
  • cloudsql.instances.delete
  • cloudsql.instances.get
  • cloudsql.instances.import
  • cloudsql.instances.list
  • cloudsql.instances.update

Berlioz Functions

  • cloudfunctions.functions.create
  • cloudfunctions.functions.delete
  • cloudfunctions.functions.get
  • cloudfunctions.functions.list
  • cloudfunctions.functions.update
  • cloudfunctions.locations.list
  • cloudfunctions.operations.get
  • cloudfunctions.operations.list

Berlioz IAM

  • iam.serviceAccountKeys.create
  • iam.serviceAccountKeys.delete
  • iam.serviceAccountKeys.get
  • iam.serviceAccountKeys.list
  • iam.serviceAccounts.create
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.setIamPolicy
  • iam.serviceAccounts.update
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy

Berlioz Kubernetes

  • container.apiServices.create
  • container.apiServices.delete
  • container.apiServices.get
  • container.apiServices.list
  • container.apiServices.update
  • container.apiServices.updateStatus
  • container.backendConfigs.create
  • container.backendConfigs.delete
  • container.backendConfigs.get
  • container.backendConfigs.list
  • container.backendConfigs.update
  • container.bindings.create
  • container.bindings.delete
  • container.bindings.get
  • container.bindings.list
  • container.bindings.update
  • container.clusterRoleBindings.create
  • container.clusterRoleBindings.delete
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoleBindings.update
  • container.clusterRoles.bind
  • container.clusterRoles.create
  • container.clusterRoles.delete
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusterRoles.update
  • container.clusters.get
  • container.clusters.getCredentials
  • container.clusters.list
  • container.componentStatuses.get
  • container.componentStatuses.list
  • container.configMaps.create
  • container.configMaps.delete
  • container.configMaps.get
  • container.configMaps.list
  • container.configMaps.update
  • container.controllerRevisions.create
  • container.controllerRevisions.delete
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.controllerRevisions.update
  • container.customResourceDefinitions.create
  • container.customResourceDefinitions.delete
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.list
  • container.customResourceDefinitions.update
  • container.customResourceDefinitions.updateStatus
  • container.daemonSets.create
  • container.daemonSets.delete
  • container.daemonSets.get
  • container.daemonSets.getStatus
  • container.daemonSets.list
  • container.daemonSets.update
  • container.daemonSets.updateStatus
  • container.deployments.create
  • container.deployments.delete
  • container.deployments.get
  • container.deployments.getScale
  • container.deployments.getStatus
  • container.deployments.list
  • container.deployments.rollback
  • container.deployments.update
  • container.deployments.updateScale
  • container.deployments.updateStatus
  • container.endpoints.create
  • container.endpoints.delete
  • container.endpoints.get
  • container.endpoints.list
  • container.endpoints.update
  • container.horizontalPodAutoscalers.create
  • container.horizontalPodAutoscalers.delete
  • container.horizontalPodAutoscalers.get
  • container.horizontalPodAutoscalers.getStatus
  • container.horizontalPodAutoscalers.list
  • container.horizontalPodAutoscalers.update
  • container.horizontalPodAutoscalers.updateStatus
  • container.ingresses.create
  • container.ingresses.delete
  • container.ingresses.get
  • container.ingresses.getStatus
  • container.ingresses.list
  • container.ingresses.update
  • container.ingresses.updateStatus
  • container.namespaces.create
  • container.namespaces.delete
  • container.namespaces.get
  • container.namespaces.getStatus
  • container.namespaces.list
  • container.namespaces.update
  • container.namespaces.updateStatus
  • container.persistentVolumeClaims.create
  • container.persistentVolumeClaims.delete
  • container.persistentVolumeClaims.get
  • container.persistentVolumeClaims.getStatus
  • container.persistentVolumeClaims.list
  • container.persistentVolumeClaims.update
  • container.persistentVolumeClaims.updateStatus
  • container.persistentVolumes.create
  • container.persistentVolumes.delete
  • container.persistentVolumes.get
  • container.persistentVolumes.getStatus
  • container.persistentVolumes.list
  • container.persistentVolumes.update
  • container.persistentVolumes.updateStatus
  • container.pods.get
  • container.pods.getStatus
  • container.pods.list
  • container.replicaSets.create
  • container.replicaSets.delete
  • container.replicaSets.get
  • container.replicaSets.getScale
  • container.replicaSets.getStatus
  • container.replicaSets.list
  • container.replicaSets.update
  • container.replicaSets.updateScale
  • container.replicaSets.updateStatus
  • container.replicationControllers.create
  • container.replicationControllers.delete
  • container.replicationControllers.get
  • container.replicationControllers.getScale
  • container.replicationControllers.getStatus
  • container.replicationControllers.list
  • container.replicationControllers.update
  • container.replicationControllers.updateScale
  • container.replicationControllers.updateStatus
  • container.roleBindings.create
  • container.roleBindings.delete
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roleBindings.update
  • container.roles.bind
  • container.roles.create
  • container.roles.delete
  • container.roles.get
  • container.roles.list
  • container.roles.update
  • container.secrets.create
  • container.secrets.delete
  • container.secrets.get
  • container.secrets.list
  • container.secrets.update
  • container.serviceAccounts.create
  • container.serviceAccounts.delete
  • container.serviceAccounts.get
  • container.serviceAccounts.list
  • container.serviceAccounts.update
  • container.services.create
  • container.services.delete
  • container.services.get
  • container.services.getStatus
  • container.services.list
  • container.services.proxy
  • container.services.update
  • container.services.updateStatus
  • container.statefulSets.create
  • container.statefulSets.delete
  • container.statefulSets.get
  • container.statefulSets.getScale
  • container.statefulSets.getStatus
  • container.statefulSets.list
  • container.statefulSets.update
  • container.statefulSets.updateScale
  • container.statefulSets.updateStatus
  • container.thirdPartyObjects.create
  • container.thirdPartyObjects.delete
  • container.thirdPartyObjects.get
  • container.thirdPartyObjects.list
  • container.thirdPartyObjects.update

Berlioz PubSub

  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.getIamPolicy
  • pubsub.subscriptions.list
  • pubsub.subscriptions.setIamPolicy
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.get
  • pubsub.topics.getIamPolicy
  • pubsub.topics.list
  • pubsub.topics.setIamPolicy
  • pubsub.topics.update

Berlioz Storage

  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.list
  • storage.buckets.setIamPolicy
  • storage.buckets.update
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update