Kubernetes Resources & Permissions
D3E (Diagrid Dapr Distribution for Enterprise) significantly reduces cluster-level permissions compared to open source Dapr through its namespace isolation capabilities. This page outlines the Kubernetes resources and permissions D3E requires and how they differ from standard Dapr.
Key features
- Reduced cluster permissions: Namespace-scoped operations minimize security risk
- Namespaced CRDs: Custom resources are confined to application namespaces, and one install option runs with no CRDs at all
- Multi-tenancy ready: Enhanced isolation for enterprise environments
- Optional ClusterRoles: Flexible deployment options including a method only using Kubernetes Roles
Custom Resource Definitions (CRDs)
D3E ships the same five Custom Resource Definitions as open source Dapr. The custom resources they define are namespace-scoped, so an object created in one namespace is visible only to the Dapr applications running in that namespace:
| CRD | Purpose | Documentation |
|---|---|---|
| components.dapr.io | Component specifications | Component Schema |
| configurations.dapr.io | Dapr configuration | Configuration Schema |
| httpendpoints.dapr.io | HTTP endpoint definitions | HTTP Endpoints Schema |
| resiliencies.dapr.io | Resiliency policies | Resiliency Schema |
| subscriptions.dapr.io | Pub/sub subscriptions | Subscription Schema |
D3E does not support Subscription resources with apiVersion dapr.io/v1alpha1. Ensure your Subscription objects conform to the v2alpha1 specification before installing.
Component scoping
As a best practice, always scope Dapr resources to the specific applications that need them. A Component with no scopes is usable by every Dapr application in its namespace, so adding scopes is how you apply the principle of least privilege within a namespace and keep tenants isolated in multi-tenant environments.
Example: Scoped Redis State Store
The following example restricts access to a Redis state store to only app1 and app2 in the production namespace (note that scopes is a top-level field, a sibling of spec):

```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: statestore
  namespace: production
spec:
  type: state.redis
  version: v1
  metadata:
  - name: redisHost
    value: redis-master:6379
scopes:
- app1
- app2
```
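Scoping is easy to get wrong silently: a Component that lost its scopes during a refactor, or a scope that misspells an app-id, produces no error anywhere. The following audit script is an added example (not from the D3E documentation or the Dapr project) that cross-checks Components against the Dapr-enabled pods in a namespace. It assumes the JSON shape that `kubectl get components.dapr.io -n production -o json` and `kubectl get pods -n production -o json` return, and embeds constructed samples of both so it runs offline.

```python
"""Audit Dapr Component scoping in one namespace from kubectl JSON output.

Added example; it is not part of the D3E documentation or the Dapr project.
It assumes the JSON shape produced by
  kubectl get components.dapr.io -n production -o json
  kubectl get pods -n production -o json
and embeds constructed samples of both so it runs offline.
"""
import json

# Constructed sample: the scoped statestore from the page, an unscoped pubsub
# component, and a secret store whose scope list contains a typo.
COMPONENTS_JSON = json.dumps({"items": [
    {"apiVersion": "dapr.io/v1alpha1", "kind": "Component",
     "metadata": {"name": "statestore", "namespace": "production"},
     "spec": {"type": "state.redis", "version": "v1",
              "metadata": [{"name": "redisHost", "value": "redis-master:6379"}]},
     "scopes": ["app1", "app2"]},
    {"apiVersion": "dapr.io/v1alpha1", "kind": "Component",
     "metadata": {"name": "pubsub", "namespace": "production"},
     "spec": {"type": "pubsub.redis", "version": "v1", "metadata": []}},
    {"apiVersion": "dapr.io/v1alpha1", "kind": "Component",
     "metadata": {"name": "secrets", "namespace": "production"},
     "spec": {"type": "secretstores.kubernetes", "version": "v1", "metadata": []},
     "scopes": ["app1", "app-3"]},
]})

# Constructed sample pods: two Dapr-enabled apps plus one pod without a sidecar.
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "app1-7d9f",
                  "annotations": {"dapr.io/enabled": "true", "dapr.io/app-id": "app1"}}},
    {"metadata": {"name": "app2-5c1a",
                  "annotations": {"dapr.io/enabled": "true", "dapr.io/app-id": "app2"}}},
    {"metadata": {"name": "redis-master-0", "annotations": {}}},
]})


def dapr_app_ids(pods_json):
    """Return the set of dapr.io/app-id values found on Dapr-enabled pods."""
    ids = set()
    for pod in json.loads(pods_json)["items"]:
        ann = pod.get("metadata", {}).get("annotations") or {}
        if ann.get("dapr.io/enabled", "").lower() == "true" and ann.get("dapr.io/app-id"):
            ids.add(ann["dapr.io/app-id"])
    return ids


def audit_component_scopes(components_json, pods_json):
    """Return (component, finding, detail) tuples.

    'unscoped': no scopes at all, so every Dapr app in the namespace can use
    the component; detail lists the apps that currently get that access.
    'unknown-scope': scopes that name no running app-id, which usually means a
    typo that locks the intended app out (or grants a future app in).
    """
    apps = dapr_app_ids(pods_json)
    findings = []
    for comp in json.loads(components_json)["items"]:
        name = comp["metadata"]["name"]
        scopes = comp.get("scopes") or []  # top-level field, not under spec
        if not scopes:
            findings.append((name, "unscoped", sorted(apps)))
            continue
        unknown = sorted(set(scopes) - apps)
        if unknown:
            findings.append((name, "unknown-scope", unknown))
    return findings


if __name__ == "__main__":
    for comp, finding, detail in audit_component_scopes(COMPONENTS_JSON, PODS_JSON):
        print(f"{comp}: {finding} {detail}")
```

Run it against real output by replacing the two constants with the contents of the kubectl JSON files. An "unknown-scope" finding is not always a bug (the app may simply not be deployed yet), but it deserves a look, because the scope name is the only thing standing between a tenant's state store and the other applications in the namespace.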
ClusterRoles
While D3E significantly reduces cluster-level permissions, a small set of ClusterRoles is still required for standard operation. Which ones you need depends on the installation option you choose.
To run with no ClusterRoles at all, see Option 4: D3E without ClusterRoles using the Diagrid Dapr Injector Helm chart.
Required ClusterRoles
1. Injector Mutating Patcher — {.Release.Namespace}-dapr-injector-mutating-patcher
Purpose
- Handles trust anchor certificate updates
- Manages sidecar injection configuration
- When deployed with namespace isolation, the injector uses this role to patch its MutatingWebhookConfiguration with the namespaces in which sidecars may be injected; the resourceNames entry limits the patch permission to that one webhook configuration
YAML Specification
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    meta.helm.sh/release-name: dapr
    meta.helm.sh/release-namespace: dapr-system
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: dapr
    app.kubernetes.io/part-of: dapr
    app.kubernetes.io/version: v1.14.4-diagrid-2
  name: {.Release.Namespace}-dapr-injector-mutating-patcher
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resourceNames:
  - {.Release.Namespace}-dapr-sidecar-injector
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - patch
```
2. Sentry Token Reviewer — {.Release.Namespace}-dapr-sentry-token-reviewer
Purpose
- Grants permission to authenticate Kubernetes service account tokens via the TokenReview API
- Required for Dapr's mTLS security model
Configuration
This role is created when .Values.global.rbac.createTokenReviewerRole is set to true. Otherwise, the built-in Kubernetes ClusterRole system:auth-delegator is bound to the Sentry service account instead, via its associated ClusterRoleBinding.
Requirements
- Requires a dedicated ClusterRoleBinding to bind this role to the Dapr Sentry service account
YAML Specification
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    meta.helm.sh/release-name: dapr
    meta.helm.sh/release-namespace: dapr-system
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: dapr
    app.kubernetes.io/part-of: dapr
    app.kubernetes.io/version: 1.15.5
  name: dapr-sentry-token-reviewer
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
```
3. Scheduler ClusterRole — {.Release.Namespace}-dapr-scheduler (Dapr 1.15+)
Purpose
- Runs a cleanup job that watches Dapr application namespaces
- Ensures scheduler service data is cleaned up when namespaces are deleted
- Maintains scheduler state consistency
Configuration
Only created when the control plane Scheduler service is deployed (.global.scheduler.enabled set to true). The role is read-only on namespaces; it grants no access to the namespaces' contents.
YAML Specification
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dapr-scheduler
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: dapr
    app.kubernetes.io/part-of: dapr
    app.kubernetes.io/version: v1.15.5
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
```
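The three roles above are the whole cluster-level footprint, so it is worth checking periodically that nothing has widened them (a chart upgrade, a hand edit, or a "temporary" fix). The following script is an added example, not from the D3E documentation or the Dapr project: it flattens each ClusterRole into (apiGroup, resource, verb) grants and compares them with the rules documented on this page. It assumes the JSON shape returned by `kubectl get clusterroles -l app.kubernetes.io/part-of=dapr -o json` and embeds a constructed sample in which two roles have drifted and one is not documented at all.

```python
"""Verify that D3E ClusterRoles grant no more than this page documents.

Added example; not part of the D3E documentation or the Dapr project. It
assumes the JSON shape produced by
  kubectl get clusterroles -l app.kubernetes.io/part-of=dapr -o json
and embeds a constructed sample in which two roles have drifted from the
documented rules and one role is not documented at all.
"""
import json
from itertools import product

# Expected (apiGroup, resource, verb) grants per role, taken from the YAML on
# this page; roles are matched by name suffix because the Helm chart prefixes
# some of them with the release namespace. The injector role must keep its
# resourceNames restriction: without it the role could patch any
# MutatingWebhookConfiguration in the cluster, not just the Dapr one.
EXPECTED = {
    "dapr-injector-mutating-patcher": {
        "grants": {("admissionregistration.k8s.io", "mutatingwebhookconfigurations", "patch")},
        "requires_resource_names": True,
    },
    "dapr-sentry-token-reviewer": {
        "grants": {("authentication.k8s.io", "tokenreviews", "create")},
        "requires_resource_names": False,
    },
    "dapr-scheduler": {
        "grants": {("", "namespaces", v) for v in ("get", "list", "watch")},
        "requires_resource_names": False,
    },
}


def _role(name, rules):
    return {"metadata": {"name": name}, "rules": rules}


# Constructed sample: injector role missing its resourceNames, scheduler role
# with an extra "delete" verb, sentry role as documented, plus an undocumented role.
CLUSTERROLES_JSON = json.dumps({"items": [
    _role("dapr-system-dapr-injector-mutating-patcher", [
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["mutatingwebhookconfigurations"], "verbs": ["patch"]}]),
    _role("dapr-sentry-token-reviewer", [
        {"apiGroups": ["authentication.k8s.io"], "resources": ["tokenreviews"],
         "verbs": ["create"]}]),
    _role("dapr-scheduler", [
        {"apiGroups": [""], "resources": ["namespaces"],
         "verbs": ["get", "list", "watch", "delete"]}]),
    _role("dapr-system-dapr-operator-admin", [
        {"apiGroups": ["dapr.io"], "resources": ["*"], "verbs": ["*"]}]),
]})


def expand_rules(role):
    """Flatten a ClusterRole's rules into (apiGroup, resource, verb) grants.

    Returns (all_grants, unrestricted_grants); the second set holds grants from
    rules that carry no resourceNames. Wildcards are kept literally, so a "*"
    verb shows up as an extra grant instead of being silently accepted.
    """
    grants, unrestricted = set(), set()
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [""])
        for g, r, v in product(groups, rule.get("resources", []), rule.get("verbs", [])):
            grants.add((g, r, v))
            if not rule.get("resourceNames"):
                unrestricted.add((g, r, v))
    return grants, unrestricted


def audit_clusterroles(clusterroles_json):
    """Return (role, finding, detail) tuples for every deviation from EXPECTED."""
    findings = []
    for role in json.loads(clusterroles_json)["items"]:
        name = role["metadata"]["name"]
        key = next((k for k in EXPECTED if name == k or name.endswith("-" + k)), None)
        if key is None:
            findings.append((name, "unexpected-role", []))
            continue
        grants, unrestricted = expand_rules(role)
        extra = sorted(grants - EXPECTED[key]["grants"])
        if extra:
            findings.append((name, "extra-grant", extra))
        if EXPECTED[key]["requires_resource_names"] and unrestricted:
            findings.append((name, "missing-resourceNames", sorted(unrestricted)))
    return findings


if __name__ == "__main__":
    for role, finding, detail in audit_clusterroles(CLUSTERROLES_JSON):
        print(f"{role}: {finding} {detail}")
```

The check deliberately reports an absent role as nothing at all, since a missing ClusterRole is the expected state when you install without them (Option 4); what it cares about is any grant beyond the documented set. Feed it the real kubectl output by replacing CLUSTERROLES_JSON, and treat "extra-grant" or "missing-resourceNames" on any of the three roles as a regression to investigate before the next upgrade.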