Role Permissions Reference
This page lists the full Kubernetes Role-Based Access Control (RBAC) permissions that PaletteAI grants to each Tenant and Project role. For an overview of each role and how OpenID Connect (OIDC) groups bind to roles, refer to the Roles and Permissions concept page.
In the tables below, `*` means the role has full access to the resource (get, list, watch, create, update, patch, delete).
Tenant Role Permissions
When you create a Tenant, PaletteAI automatically creates a role named `prj-<project-name>-tnt-adm` in each Project namespace with the following permissions.
| Resources | Permissions | API |
|---|---|---|
| ConfigMap | * | v1 |
| Event | * | v1 |
| PersistentVolumeClaim | * | v1 |
| Pod | * | v1 |
| Secret | * | v1 |
| Service | * | v1 |
| ServiceAccount | * | v1 |
| All resources | * | apps |
| HelmRepository | get, list, watch, create, update, patch, delete | source.toolkit.fluxcd.io |
| OCIRepository | get, list, watch, create, update, patch, delete | source.toolkit.fluxcd.io |
| AIWorkload | * | spectrocloud.com/v1alpha1 |
| Compute | * | spectrocloud.com/v1alpha1 |
| ComputeConfig | * | spectrocloud.com/v1alpha1 |
| ComputePool | * | spectrocloud.com/v1alpha1 |
| ComputePoolEvaluation | * | spectrocloud.com/v1alpha1 |
| Project | * | spectrocloud.com/v1alpha1 |
| ScalingPolicy | * | spectrocloud.com/v1alpha1 |
| Settings | * | spectrocloud.com/v1alpha1 |
| ComponentDefinition | * | spectrocloud.com/v1beta1 |
| DefinitionRevision | * | spectrocloud.com/v1beta1 |
| Environment | * | spectrocloud.com/v1beta1 |
| PolicyDefinition | * | spectrocloud.com/v1beta1 |
| ProfileBundle | * | spectrocloud.com/v1beta1 |
| TraitDefinition | * | spectrocloud.com/v1beta1 |
| VariableSet | * | spectrocloud.com/v1beta1 |
| Workload | * | spectrocloud.com/v1beta1 |
| WorkloadDeployment | * | spectrocloud.com/v1beta1 |
| WorkloadProfile | * | spectrocloud.com/v1beta1 |
| Hub | * | fleetconfig.open-cluster-management.io/v1beta1 |
| Spoke | * | fleetconfig.open-cluster-management.io/v1beta1 |
All OIDC groups in the Tenant `tenantRoleMapping` bind to this single role through one RoleBinding.
Tenant Admin Cluster Permissions
Tenant admins also receive a ClusterRole named `mural-tenant-admin` and a matching ClusterRoleBinding with create-only permissions, enabling Project and resource creation cluster-wide.
| Resources | Permissions | API |
|---|---|---|
| Secret | create | v1 |
| ComputeConfig | create | spectrocloud.com/v1alpha1 |
| Project | create | spectrocloud.com/v1alpha1 |
| Settings | create | spectrocloud.com/v1alpha1 |
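The following manifest illustrates what a create-only ClusterRole and its group binding look like in Kubernetes RBAC terms. It is an added example, not a manifest shipped by PaletteAI; the lowercase resource plurals and the OIDC group name `tenant-acme-admins` are assumptions.

```yaml
# Added illustration of the create-only cluster grant described above.
# Assumptions: resource plurals (secrets, computeconfigs, projects, settings)
# and the group name "tenant-acme-admins" are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mural-tenant-admin
rules:
  # Only "create" is granted: the subject can create these objects in any
  # namespace, but has no cluster-wide get/list/watch on them. Read and
  # update rights come from the per-Project tenant Role instead.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: ["spectrocloud.com"]          # RBAC rules name the group, not the version
    resources: ["computeconfigs", "projects", "settings"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: mural-tenant-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mural-tenant-admin
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: tenant-acme-admins                 # OIDC group claim value (placeholder)
```

To confirm the grant is really create-only, run `kubectl auth can-i create projects.spectrocloud.com --as=someone --as-group=tenant-acme-admins` (expect `yes`) and `kubectl auth can-i list projects.spectrocloud.com --all-namespaces --as=someone --as-group=tenant-acme-admins` (expect `no`, since listing comes only from namespace-scoped Roles).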
Tenant Namespace Permissions
All Project users (Viewers, Editors, Admins, and Tenant admins) receive view-only access to the Tenant namespace through a Role named `mural-tenant-viewer` and a matching RoleBinding. This enables access to Tenant-level configuration such as Settings and Secrets.
| Resources | Permissions | API |
|---|---|---|
| Secret | get, list, watch | v1 |
| Settings | get, list, watch | spectrocloud.com/v1alpha1 |
Project Role Permissions
For each Project, PaletteAI automatically creates three distinct roles with escalating permissions.
Viewer Role Permissions
The Viewer role can view all resources but cannot make any modifications.
| Resources | Permissions | API |
|---|---|---|
| ConfigMap | get, list, watch | v1 |
| Event | get, list, watch | v1 |
| PersistentVolumeClaim | get, list, watch | v1 |
| Pod | get, list, watch | v1 |
| Secret | get, list, watch | v1 |
| Service | get, list, watch | v1 |
| ServiceAccount | get, list, watch | v1 |
| All resources | get, list, watch | apps |
| HelmRepository | get, list, watch | source.toolkit.fluxcd.io |
| OCIRepository | get, list, watch | source.toolkit.fluxcd.io |
| AIWorkload | get, list, watch | spectrocloud.com/v1alpha1 |
| Compute | get, list, watch | spectrocloud.com/v1alpha1 |
| ComputeConfig | get, list, watch | spectrocloud.com/v1alpha1 |
| ComputePool | get, list, watch | spectrocloud.com/v1alpha1 |
| ComputePoolEvaluation | get, list, watch | spectrocloud.com/v1alpha1 |
| Project | get, list, watch | spectrocloud.com/v1alpha1 |
| ScalingPolicy | get, list, watch | spectrocloud.com/v1alpha1 |
| Settings | get, list, watch | spectrocloud.com/v1alpha1 |
| ComponentDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| DefinitionRevision | get, list, watch | spectrocloud.com/v1beta1 |
| Environment | get, list, watch | spectrocloud.com/v1beta1 |
| PolicyDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| ProfileBundle | get, list, watch | spectrocloud.com/v1beta1 |
| TraitDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| VariableSet | get, list, watch | spectrocloud.com/v1beta1 |
| Workload | get, list, watch | spectrocloud.com/v1beta1 |
| WorkloadDeployment | get, list, watch | spectrocloud.com/v1beta1 |
| WorkloadProfile | get, list, watch | spectrocloud.com/v1beta1 |
Editor Role Permissions
The Editor role can deploy and manage AIWorkload resources within its assigned Project. As the table shows, it keeps read-only access to Project-level definitions such as ComputePool, Project, Settings, and Workload.
| Resources | Permissions | API |
|---|---|---|
| ConfigMap | get, list, watch, create, update, patch, delete | v1 |
| Event | get, list, watch, create, update, patch, delete | v1 |
| PersistentVolumeClaim | get, list, watch, create, update, patch, delete | v1 |
| Pod | get, list, watch, create, update, patch, delete | v1 |
| Secret | get, list, watch, create, update, patch, delete | v1 |
| Service | get, list, watch, create, update, patch, delete | v1 |
| ServiceAccount | get, list, watch, create, update, patch, delete | v1 |
| All resources | get, list, watch, create, update, patch, delete | apps |
| HelmRepository | get, list, watch, create, update, patch, delete | source.toolkit.fluxcd.io |
| OCIRepository | get, list, watch, create, update, patch, delete | source.toolkit.fluxcd.io |
| AIWorkload | get, list, watch, create, update, patch, delete | spectrocloud.com/v1alpha1 |
| Compute | get, list, watch, create, update, patch, delete | spectrocloud.com/v1alpha1 |
| ComputeConfig | get, list, watch, create, update, patch, delete | spectrocloud.com/v1alpha1 |
| ComputePool | get, list, watch | spectrocloud.com/v1alpha1 |
| ComputePoolEvaluation | get, list, watch, create, update, patch, delete | spectrocloud.com/v1alpha1 |
| Project | get, list, watch | spectrocloud.com/v1alpha1 |
| ScalingPolicy | get, list, watch, create, update, patch, delete | spectrocloud.com/v1alpha1 |
| Settings | get, list, watch | spectrocloud.com/v1alpha1 |
| ComponentDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| DefinitionRevision | get, list, watch | spectrocloud.com/v1beta1 |
| Environment | get, list, watch | spectrocloud.com/v1beta1 |
| PolicyDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| ProfileBundle | get, list, watch, create, update, patch, delete | spectrocloud.com/v1beta1 |
| TraitDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| VariableSet | get, list, watch, update, patch | spectrocloud.com/v1beta1 |
| Workload | get, list, watch | spectrocloud.com/v1beta1 |
| WorkloadDeployment | get, list, watch | spectrocloud.com/v1beta1 |
| WorkloadProfile | get, list, watch, create, update, patch, delete | spectrocloud.com/v1beta1 |
Admin Role Permissions
The Admin role has full control over all resources and configurations in the Project scope.
| Resources | Permissions | API |
|---|---|---|
| ConfigMap | * | v1 |
| Event | * | v1 |
| PersistentVolumeClaim | * | v1 |
| Pod | * | v1 |
| Secret | * | v1 |
| Service | * | v1 |
| ServiceAccount | * | v1 |
| All resources | * | apps |
| HelmRepository | get, list, watch, create, update, patch, delete | source.toolkit.fluxcd.io |
| OCIRepository | get, list, watch, create, update, patch, delete | source.toolkit.fluxcd.io |
| AIWorkload | * | spectrocloud.com/v1alpha1 |
| Compute | * | spectrocloud.com/v1alpha1 |
| ComputeConfig | * | spectrocloud.com/v1alpha1 |
| ComputePool | * | spectrocloud.com/v1alpha1 |
| ComputePoolEvaluation | * | spectrocloud.com/v1alpha1 |
| Project | get, list, watch, update, patch, delete | spectrocloud.com/v1alpha1 |
| ScalingPolicy | * | spectrocloud.com/v1alpha1 |
| Settings | * | spectrocloud.com/v1alpha1 |
| ComponentDefinition | * | spectrocloud.com/v1beta1 |
| DefinitionRevision | * | spectrocloud.com/v1beta1 |
| Environment | * | spectrocloud.com/v1beta1 |
| PolicyDefinition | * | spectrocloud.com/v1beta1 |
| ProfileBundle | * | spectrocloud.com/v1beta1 |
| TraitDefinition | * | spectrocloud.com/v1beta1 |
| VariableSet | * | spectrocloud.com/v1beta1 |
| Workload | * | spectrocloud.com/v1beta1 |
| WorkloadDeployment | * | spectrocloud.com/v1beta1 |
| WorkloadProfile | * | spectrocloud.com/v1beta1 |
System Roles
In the system namespace (`mural-system`), PaletteAI creates three roles:
| Role | Purpose |
|---|---|
| Viewer | Read-only access to system definitions |
| Editor | Read-only access to system definitions |
| Admin | Read-only access to system definitions |
All three system roles share the same read-only permissions. For each Project, PaletteAI creates RoleBindings in the `mural-system` namespace that grant the Project's users access to system-level definitions. These bindings map Project roles to the pre-existing system roles, so users can read system-level definitions in addition to Project-level ones.
Each RoleBinding is named `<project-name>-mural-project-<viewer|editor|admin>` and binds the Project's OIDC groups to the corresponding system role in the `mural-system` namespace.
The following permissions apply to the `mural-system` namespace only.
| Resources | Permissions | API |
|---|---|---|
| ConfigMap | get, list, watch | v1 |
| ScalingPolicy | get, list, watch | spectrocloud.com/v1alpha1 |
| ComponentDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| DefinitionRevision | get, list, watch | spectrocloud.com/v1beta1 |
| PolicyDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| ProfileBundle | get, list, watch | spectrocloud.com/v1beta1 |
| TraitDefinition | get, list, watch | spectrocloud.com/v1beta1 |
| WorkloadDeployment | get, list, watch | spectrocloud.com/v1beta1 |
| WorkloadProfile | get, list, watch | spectrocloud.com/v1beta1 |
The ConfigMap permissions are resource-specific. They only grant access to the `mural-feature-flags` and `branding` ConfigMaps in the system namespace.
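The manifest below shows how a resource-specific ConfigMap grant and the per-Project system RoleBinding described above are expressed in Kubernetes RBAC. It is an added example, not a PaletteAI manifest; the system Role name `mural-system-viewer`, the project name `demo`, the group `demo-viewers`, and the lowercase resource plurals are assumptions.

```yaml
# Added illustration of the mural-system grants; not a PaletteAI manifest.
# Assumptions: Role name "mural-system-viewer", project "demo", OIDC group
# "demo-viewers" and the resource plurals are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mural-system-viewer
  namespace: mural-system
rules:
  # resourceNames limits the grant to the two named ConfigMaps. Kubernetes
  # evaluates list/watch against resourceNames only when the request selects
  # a single name, so an unqualified list of all ConfigMaps is refused.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["mural-feature-flags", "branding"]
    verbs: ["get", "list", "watch"]
  # Definition types are readable namespace-wide (no resourceNames).
  - apiGroups: ["spectrocloud.com"]
    resources:
      - scalingpolicies
      - componentdefinitions
      - definitionrevisions
      - policydefinitions
      - profilebundles
      - traitdefinitions
      - workloaddeployments
      - workloadprofiles
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: demo-mural-project-viewer      # <project-name>-mural-project-viewer
  namespace: mural-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mural-system-viewer
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: demo-viewers                 # the Project's OIDC viewer group (placeholder)
```

A quick check of the scoping: `kubectl auth can-i get configmap/mural-feature-flags -n mural-system --as=someone --as-group=demo-viewers` should answer `yes`, while the same command against any other ConfigMap name should answer `no`.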