This role describes the minimum RBAC permissions the Replicated Application Manager needs to install your application.
Note: Some cluster implementations, such as OpenShift, may require additional resources from other apiGroups beyond those listed here:
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    kots.io/backup: velero
    kots.io/kotsadm: "true"
  name: kotsadm
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    kots.io/backup: velero
    kots.io/kotsadm: "true"
  name: kotsadm-role
rules:
  - apiGroups: [""]
    resources: ["configmaps", "persistentvolumeclaims", "pods", "secrets", "services", "limitranges"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["daemonsets", "deployments", "statefulsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["networking.k8s.io", "extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["namespaces", "endpoints", "serviceaccounts"]
    verbs: ["get"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["selfsubjectaccessreviews", "selfsubjectrulesreviews"]
    verbs: ["create"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods/log", "pods/exec"]
    verbs: ["get", "list", "watch", "create"]
  - apiGroups: ["batch"]
    resources: ["jobs/status"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    kots.io/backup: velero
    kots.io/kotsadm: "true"
  name: kotsadm-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kotsadm-role
subjects:
  - kind: ServiceAccount
    name: kotsadm
You can have your customer create this role and then pass the --ensure-rbac=false and --skip-rbac-check flags to the kots install command:

kubectl kots install <app-slug> [options...] --ensure-rbac=false --skip-rbac-check
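Because --skip-rbac-check turns off the installer's own permission check, it is worth confirming that the customer-created Role actually grants what the ServiceAccount needs, and nothing cluster-scoped, before running the command above. The following script is an added example, not part of the Replicated docs or the kots tool: it impersonates the kotsadm ServiceAccount with `kubectl auth can-i` for each rule in the Role above. It assumes kubectl is configured, the namespace name is passed as an argument, and your own user is allowed to impersonate the ServiceAccount.

```shell
#!/bin/sh
# Added example (not from the Replicated docs): verify the kotsadm ServiceAccount
# holds every permission the Role grants, and none of a few cluster-scoped ones,
# before `kots install` runs with --skip-rbac-check. Assumes kubectl is configured
# and the current user may impersonate the ServiceAccount.

# One "verb resource[/subresource]" line per rule in the Role. The Role also names
# the legacy "extensions" group for ingresses; only networking.k8s.io is checked.
required_permissions() {
  for r in configmaps persistentvolumeclaims pods secrets services limitranges \
           deployments.apps daemonsets.apps statefulsets.apps \
           jobs.batch cronjobs.batch ingresses.networking.k8s.io; do
    for v in get list watch create update patch delete; do echo "$v $r"; done
  done
  for r in namespaces endpoints serviceaccounts \
           roles.rbac.authorization.k8s.io rolebindings.rbac.authorization.k8s.io; do
    echo "get $r"
  done
  echo "create selfsubjectaccessreviews.authorization.k8s.io"
  echo "create selfsubjectrulesreviews.authorization.k8s.io"
  for v in get list watch create; do echo "$v pods/log"; echo "$v pods/exec"; done
  for v in get list watch; do echo "$v jobs.batch/status"; done
}

# Least-privilege sanity checks: a namespaced Role must not yield any of these.
denied_permissions() {
  echo "delete namespaces"
  echo "create clusterrolebindings.rbac.authorization.k8s.io"
}

# Build the `kubectl auth can-i` command for one line, impersonating the SA.
can_i_cmd() {  # $1 verb, $2 resource[/subresource], $3 namespace
  sub=""
  case "$2" in */*) sub=" --subresource=${2#*/}" ;; esac
  printf 'kubectl auth can-i %s %s%s -n %s --as=system:serviceaccount:%s:kotsadm' \
    "$1" "${2%%/*}" "$sub" "$3" "$3"
}

# Print every required permission the SA lacks and every denied one it has;
# succeed only when both lists are empty. Each line costs one API call.
check_kotsadm_rbac() {  # $1 namespace
  n=$( {
    required_permissions | while read -r v r; do
      [ "$(eval "$(can_i_cmd "$v" "$r" "$1")" 2>/dev/null)" = yes ] || echo "MISSING: $v $r"
    done
    denied_permissions | while read -r v r; do
      [ "$(eval "$(can_i_cmd "$v" "$r" "$1")" 2>/dev/null)" = yes ] && echo "EXCESS: $v $r"
    done
  } | tee /dev/stderr | wc -l | tr -d ' ')
  [ "$n" -eq 0 ]
}
```

Source the file and run `check_kotsadm_rbac <namespace>`; a non-zero exit with MISSING or EXCESS lines on stderr means the Role should be corrected before the install is attempted.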