RBAC & Permissions
KubeBolt auto-detects your kubeconfig's permissions and adapts automatically.
Permission Detection
- Uses
SelfSubjectAccessReviewAPI to testlistverb for 22 resource types - Two-phase: cluster-wide first, then namespace-level fallback for RoleBinding-based access
- Concurrent execution (semaphore of 10), completes in ~2-5 seconds
- If SSAR API itself is unavailable, falls back to assume full access
Access Levels
| Level | Backend | Frontend |
|---|---|---|
| Cluster-admin | All informers start normally | Full UI, no restrictions |
| Cluster read-only | Informers for permitted resources only | Restricted items dimmed, “Limited access” banner |
| Namespace-scoped | Per-namespace informer factories with multi-lister aggregation | Resources scoped to permitted namespaces |
Frontend Behavior
- “Limited access — showing X of Y resource types” banner
- Sidebar items dimmed with shield icon for restricted resources
- Summary cards show “No access” instead of “0”
- “No access to Nodes — capacity data unavailable” for node restrictions
PermissionDeniedcomponent for 403 resource pages
API Endpoint
GET /api/v1/cluster/permissions returns the full permission map per resource type with canList, canWatch, canGet, namespaceScoped, and namespaces fields.