[Yandex Cloud documentation](../../index.md) > [Yandex Managed Service for Kubernetes](../index.md) > Access management

# Access management in Managed Service for Kubernetes

In this section, you will learn about the following:
* [Resources you can assign a role for](#resources).
* [Roles this service has](#roles-list).
* [Roles required for managing Managed Service for Kubernetes](#required-roles).
* [Roles required for the Managed Service for Kubernetes cluster service accounts](#sa-annotation).
* [Roles required to use Managed Service for Kubernetes via the Yandex Cloud management console](#ui-annotation).

## Access management {#about-access-control}

[Yandex Identity and Access Management](../../iam/index.md) checks all operations in Yandex Cloud. If an entity does not have required permissions, IAM returns an error.


To grant permissions for a resource, [assign](../../iam/operations/roles/grant.md) the relevant resource roles to an entity performing operations. You can assign roles to a [Yandex account](../../iam/concepts/users/accounts.md#passport), [service account](../../iam/concepts/users/service-accounts.md), [local user](../../iam/concepts/users/accounts.md#local), [federated user](../../iam/concepts/federations.md), [user group](../../organization/operations/manage-groups.md), [system group](../../iam/concepts/access-control/system-group.md), or [public group](../../iam/concepts/access-control/public-group.md). For more information, see [How access management works in Yandex Cloud](../../iam/concepts/access-control/index.md).

To assign a role for a resource, you need the `k8s.admin` role or one of the following roles for that resource:

* `admin`
* `resource-manager.admin`
* `organization-manager.admin`
* `resource-manager.clouds.owner`
* `organization-manager.organizations.owner`

## Resources supporting role assignment {#resources}

You can assign a role to an [organization](../../organization/concepts/organization.md), [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [folder](../../resource-manager/concepts/resources-hierarchy.md#folder). The roles assigned to organizations, clouds, and folders also apply to their nested resources.

Also, you can assign [roles required to access the Kubernetes API](#k8s-api) to a separate cluster via the [Yandex Cloud CLI](../../cli/cli-ref/managed-kubernetes/cli-ref/cluster/add-access-binding.md), [Terraform](../../terraform/resources/kubernetes_cluster_iam_binding.md), or [API](../api-ref/authentication.md). For more information, see [Managing Managed Service for Kubernetes cluster access](../operations/kubernetes-cluster/kubernetes-cluster-access.md).

## Roles available in the service {#roles-list}

The chart below shows service’s roles and their permission inheritance. For example, `editor` inherits all `viewer` permissions. You can find role descriptions below the chart.

```mermaid
flowchart BT
    k8s.cluster-api.editor ~~~ k8s.cluster-api.admin
    k8s.cluster-api.editor ~~~ k8s.cluster-api.cluster-admin
    k8s.cluster-api.viewer ~~~ k8s.cluster-api.editor
    k8s.editor --> k8s.admin
    k8s.viewer --> k8s.editor
    k8s.tunnelClusters.agent --> k8s.clusters.agent
    k8s.viewer --> k8s.tunnelClusters.agent
```

### Roles required to access the Kubernetes API {#k8s-api}

The following [roles](../../iam/concepts/access-control/roles.md) give the permission to manage [Managed Service for Kubernetes cluster](../concepts/index.md#kubernetes-cluster) resources via the Kubernetes API. Roles of the Kubernetes API employ the [role-based access control (RBAC) model](https://kubernetes.io/docs/reference/access-authn-authz/rbac/). To manage a Managed Service for Kubernetes cluster, combine these roles with [roles for the Yandex Cloud API](#yc-api). Learn more about roles in the Kubernetes RBAC in [this Kubernetes guide](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles).

To view permissions for Managed Service for Kubernetes cluster resources available for a specific role, run this command:

```bash
kubectl describe clusterrole <role_in_Kubernetes_RBAC>
```

#### k8s.cluster-api.viewer {#k8s-cluster-api-viewer}

Users with the `k8s.cluster-api.viewer` role get the `yc:viewer` group and the `view` role in Kubernetes RBAC for all namespaces in a cluster.

#### k8s.cluster-api.editor {#k8s-cluster-api-editor}

Users with the `k8s.cluster-api.editor` role get the `yc:editor` group and the `edit` role in Kubernetes RBAC for all namespaces in a cluster.

#### k8s.cluster-api.admin {#k8s-cluster-api-admin}

Users with the `k8s.cluster-api.admin` role get the `yc:k8s-core-admin` group and the `admin` role in Kubernetes RBAC.

#### k8s.cluster-api.cluster-admin {#k8s-cluster-api-cluster-admin}

Users with the `k8s.cluster-api.cluster-admin` role get the `yc:admin` group and the `cluster-admin` role in Kubernetes RBAC.

### Managed Service for Kubernetes roles {#yc-api}

The roles described below allow you to manage Managed Service for Kubernetes clusters and [node groups](../concepts/index.md#node-group) without public access via the Yandex Cloud API. To manage Managed Service for Kubernetes cluster resources, combine these roles with [roles for the Kubernetes API](#k8s-api). When creating a Managed Service for Kubernetes cluster, the roles of its service account are verified.

To manage a Managed Service for Kubernetes cluster and a node group without public access, you need the `k8s.clusters.agent` role.

To manage a Managed Service for Kubernetes cluster and a node group with public access, you need the following roles:
* `k8s.clusters.agent`
* `vpc.publicAdmin`

To manage a Managed Service for Kubernetes cluster with a cloud network from a different folder, you will additionally need the following roles in this folder:
* [vpc.privateAdmin](../../vpc/security/index.md#vpc-private-admin)
* [vpc.user](../../vpc/security/index.md#vpc-user)
* [vpc.bridgeAdmin](../../vpc/security/index.md#vpc-bridge-admin)

To manage a Managed Service for Kubernetes cluster with [tunnel mode](../concepts/network-policy.md#cilium), you only need the `k8s.tunnelClusters.agent` role.

#### k8s.viewer {#k8s-viewer}

The `k8s.viewer` role enables viewing info about Kubernetes clusters and node groups.

Users with this role can:
* View the list of [Kubernetes clusters](../concepts/index.md#kubernetes-cluster) as well as info on them, on settings defining their interaction with Cloud Marketplace, and on [access permissions](../../iam/concepts/access-control/index.md) granted for them.
* View the list of Kubernetes clusters' [node groups](../concepts/index.md#node-group) and info on such node groups.
* View info on Cloud Marketplace applications and access permissions granted for them.
* View resource usage stats and info on the [quotas](../concepts/limits.md#managed-k8s-quotas) for Managed Service for Kubernetes.
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

#### k8s.editor {#k8s-editor}

The `k8s.editor` role enables managing Kubernetes clusters and node groups.

Users with this role can:
* View the list of [Kubernetes clusters](../concepts/index.md#kubernetes-cluster) as well as info on them and on [access permissions](../../iam/concepts/access-control/index.md) granted for them.
* Create, modify, start, stop and delete Kubernetes clusters.
* View the list of Kubernetes clusters' [node groups](../concepts/index.md#node-group) and info on such node groups.
* Create, modify, and delete Kubernetes clusters' node groups.
* View and edit settings defining interaction between Kubernetes clusters and Cloud Marketplace.
* View info on Cloud Marketplace applications and access permissions granted for them, as well as install, update, and delete such applications.
* View resource usage stats and info on the [quotas](../concepts/limits.md#managed-k8s-quotas) for Managed Service for Kubernetes.
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `k8s.viewer` permissions.

#### k8s.admin {#k8s-admin}

The `k8s.admin` role enables managing Kubernetes clusters and node groups as well as access to Kubernetes clusters.

Users with this role can:
* View the list of [Kubernetes clusters](../concepts/index.md#kubernetes-cluster) and info on them, as well as create, modify, start, stop, and delete Kubernetes clusters.
* View info on [access permissions](../../iam/concepts/access-control/index.md) granted for Kubernetes clusters and modify such permissions.
* View the list of Kubernetes clusters' [node groups](../concepts/index.md#node-group) and info on such node groups, as well as create, modify, and delete Kubernetes clusters' node groups.
* View and edit settings defining interaction between Kubernetes clusters and Cloud Marketplace.
* View info on Cloud Marketplace applications, as well as install, update, and delete such applications.
* View info on access permissions granted for Cloud Marketplace applications and modify such permissions.
* View resource usage stats and info on the [quotas](../concepts/limits.md#managed-k8s-quotas) for Managed Service for Kubernetes.
* View info on the relevant [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) and [folder](../../resource-manager/concepts/resources-hierarchy.md#folder).

This role includes the `k8s.editor` permissions.

#### k8s.tunnelClusters.agent {#k8s-tunnelclusters-agent}

`k8s.tunnelClusters.agent` is a special role for creating [Kubernetes clusters](../concepts/index.md#kubernetes-cluster) with tunnel mode. It enables you to create [node groups](../concepts/index.md#node-group), disks, and internal load balancers. You can use previously created Yandex Key Management Service [keys](../../kms/concepts/key.md) to encrypt and decrypt secrets.

This role includes the `compute.admin`, `iam.serviceAccounts.user`, `k8s.viewer`, `kms.keys.encrypterDecrypter`, and `load-balancer.privateAdmin` permissions.

#### k8s.clusters.agent {#k8s-clusters-agent}

`k8s.clusters.agent` is a special role for the [Kubernetes cluster](../concepts/index.md#kubernetes-cluster) service account. It enables you to create [node groups](../concepts/index.md#node-group), disks, and internal load balancers. You can use previously created Yandex Key Management Service [keys](../../kms/concepts/key.md) to encrypt and decrypt secrets and connect previously created [security groups](../../vpc/concepts/security-groups.md). When combined with the `load-balancer.admin` [role](../../network-load-balancer/security/index.md#load-balancer-admin), it enables you to create a [network load balancer](../../network-load-balancer/concepts/index.md) with a public IP address.

This role includes the `k8s.tunnelClusters.agent` and `vpc.privateAdmin` permissions.

### Primitive roles {#primitive-roles}

#### viewer {#viewer}

The `viewer` role grants the permissions to read the info on any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md).

This role includes the `auditor` permissions.

Unlike `auditor`, the `viewer` role provides access to [service](../../overview/concepts/services.md) data in read mode.

#### editor {#editor}

The `editor` role provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md), except for assigning roles to other users, transferring [organization](../../organization/concepts/organization.md) ownership, removing an organization, and deleting Key Management Service [encryption keys](../../kms/concepts/index.md).

For instance, users with this role can create, modify, and delete resources.

This role includes the `viewer` permissions.

#### admin {#admin}

The `admin` role enables assigning any roles, except for `resource-manager.clouds.owner` and `organization-manager.organizations.owner`, and provides permissions to manage any Yandex Cloud [resources](../../resource-manager/concepts/resources-hierarchy.md) (except for transferring [organization](../../organization/concepts/organization.md) ownership and removing an organization).

Prior to assigning the `admin` role for an organization, [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [billing account](../../billing/concepts/billing-account.md), make sure to check out the information on protecting [privileged accounts](../../security/standard/all.md#privileged-users).

This role includes the `editor` permissions.

{% note info %}

With the Kubernetes RBAC, you can provide users with granular access to cluster namespaces.

{% cut "Example" %}

1. In your cluster, create a role to manage all resources in the specified namespace:

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: <namespace>
      name: <role_name>
    rules:
    - apiGroups: [""]
      resources: ["*"]
      verbs: ["*"]
    ```

1. Bind this role to a user account:

    ```yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: iam-user
      namespace: <namespace>
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: <role_name>
    subjects:
    - kind: User
      name: <account_ID>
    ```

To learn more about getting the account ID, see [Getting user information](../../organization/operations/users-get.md).

Check if you can create resources in the cluster. In other namespaces, you will have no permissions to create or edit resources.

{% endcut %}

{% endnote %}

## Roles required for creating a Managed Service for Kubernetes cluster {#required-roles}

When creating a Managed Service for Kubernetes cluster and a node group, make sure the [account](../../iam/concepts/users/accounts.md) used for this purpose has these [roles](../../iam/concepts/access-control/roles.md):
* [k8s.editor](#k8s-editor) or higher.
* [iam.serviceAccounts.user](../../iam/security/index.md#iam-serviceAccounts-user).

To create a Managed Service for Kubernetes cluster and node group with public access, you will also need the [vpc.publicAdmin](../../vpc/security/index.md#vpc-public-admin) role.

## Managed Service for Kubernetes cluster service accounts {#sa-annotation}

When creating a cluster in Managed Service for Kubernetes, specify two [service accounts](../../iam/concepts/users/service-accounts.md):
* **Cluster service account**: On behalf of this service account, Managed Service for Kubernetes manages cluster nodes, [subnets](../../vpc/concepts/network.md#subnet) for [pods](../concepts/index.md#pod) and [services](../concepts/index.md#service), [disks](../../compute/concepts/disk.md), [load balancers](../../network-load-balancer/concepts/index.md), encrypts and decrypts [secrets](../../lockbox/concepts/secret.md). The minimum recommended role for such an account is `k8s.clusters.agent`.
* **Node group service account**: Under this service account, Managed Service for Kubernetes cluster nodes get authenticated in [Yandex Container Registry](../../container-registry/concepts/index.md) or [Yandex Cloud Registry](../../cloud-registry/concepts/index.md). For other container registries, you do not need to assign roles to the service account.
  
  To enable nodes to pull Docker images from a registry:

  * For Yandex Container Registry, assign the [container-registry.images.puller](../../container-registry/security/index.md#container-registry-images-puller) role to the service account.
  * For Yandex Cloud Registry, assign the [cloud-registry.artifacts.puller](../../container-registry/security/index.md#container-registry-images-puller) role to the service account.

To manage a Managed Service for Kubernetes cluster and node groups with public access, you will also need the `vpc.publicAdmin` role.

If you use a cloud network from a different folder in a Managed Service for Kubernetes cluster, the cluster service account will additionally need the following roles in this folder:
* [vpc.privateAdmin](../../vpc/security/index.md#vpc-private-admin)
* [vpc.user](../../vpc/security/index.md#vpc-user)
* [vpc.bridgeAdmin](../../vpc/security/index.md#vpc-bridge-admin)

## Accessing the Managed Service for Kubernetes management console {#ui-annotation}

`k8s.viewer` is the minimum required role to access Managed Service for Kubernetes via the Yandex Cloud [management console](https://console.yandex.cloud). The role only provides access to basic information about [node groups](../operations/node-group/node-group-list.md#get). 

The combination of the `k8s.viewer` and `k8s.clusters.agent` roles allows you to view all information about node groups, but not about individual cluster nodes.

The combination of the `k8s.cluster-api.cluster-admin`, `k8s.clusters.agent`, and `monitoring.viewer` roles allows you to view detailed information about node groups and individual [cluster nodes](../operations/node-group/node-group-list.md#get-node). All tabs become available for each node in the management console, including the **Monitoring** tab.

To view cluster resources [in the Ingresses section](../operations/kubernetes-console/network.md), you need the `alb.auditor` [role](../../application-load-balancer/security/index.md#alb-auditor) or higher.

To provide more granular access to resources, you can:
* Configure additional permissions in the Kubernetes RBAC for the appropriate users.
* Use [role aggregation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) to expand the `view` and `edit` roles in the Kubernetes RBAC. For example, you can allow all users with the `view` role in the Kubernetes API (including users with the `k8s.cluster-api.viewer` cloud role) to view information about nodes by adding the following role to the Managed Service for Kubernetes cluster:

  ```yaml
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: view-extensions
    labels:
      rbac.authorization.k8s.io/aggregate-to-view: "true"
  rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  ```

## Workload identity federations Yandex Identity and Access Management

Managed Service for Kubernetes supports integration with Identity and Access Management _workload identity federations_.

[Workload identity federations](../../iam/concepts/workload-identity.md) allow you to configure a link between external systems and Yandex Cloud via the [OpenID Connect](https://openid.net/developers/how-connect-works/) (OIDC) protocol. This allows external systems to perform actions with Yandex Cloud resources under IAM [service accounts](../../iam/concepts/users/service-accounts.md) without using [authorized keys](../../iam/concepts/authorization/key.md). This is a more secure method that minimizes the risk of credential leakage and the possibility of unauthorized access.

When this option is enabled, Managed Service for Kubernetes automatically creates an OIDC provider for the specific cluster and provides the following parameters for integration with workload identity federations:
* `Issuer URL`.
* `JWKS key set URL`.

![image](../../_assets/managed-kubernetes/mk8s-wlif.svg)

For example, you can configure [Accessing the Yandex Cloud API from a Managed Service for Kubernetes cluster using a workload identity federation in Identity and Access Management](../tutorials/wlif-managed-k8s-integration.md).