Kubernetes resource requirements

Custom Resource Definitions (CRDs)

The cluster-level permissions required by D3E are significantly reduced compared to the open source Dapr project, because application namespaces can be specified explicitly. The distribution does, however, contain five namespaced Custom Resource Definitions (CRDs), which are therefore only accessible to Dapr applications in the same namespace. The CRDs are identical to those in open source Dapr and are listed below:

As a best practice, Dapr resource specifications should always be scoped to only the specific applications within the namespace that require access; a resource without scopes is available to every Dapr application in its namespace. Reference documentation here.

For example, to allow access to a Redis state Component only from app1 and app2 in the production namespace, configure the following scopes:

```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: statestore
  namespace: production
spec:
  type: state.redis
  version: v1
  metadata:
  - name: redisHost
    value: redis-master:6379
scopes:
- app1
- app2
```
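A small audit of the scoping rule above, added here as an example and not part of the Diagrid documentation or the Dapr project: it reads the JSON that `kubectl get components.dapr.io -A -o json` would return (a constructed sample is embedded), lists every Component with no scopes, and shows which Components a given app-id could load in a namespace.

```python
import json

# Constructed sample of `kubectl get components.dapr.io -A -o json` output (not real cluster data).
SAMPLE_COMPONENT_LIST = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"apiVersion": "dapr.io/v1alpha1", "kind": "Component",
     "metadata": {"name": "statestore", "namespace": "production"},
     "spec": {"type": "state.redis", "version": "v1",
              "metadata": [{"name": "redisHost", "value": "redis-master:6379"}]},
     "scopes": ["app1", "app2"]},
    {"apiVersion": "dapr.io/v1alpha1", "kind": "Component",
     "metadata": {"name": "pubsub", "namespace": "production"},
     "spec": {"type": "pubsub.redis", "version": "v1", "metadata": []}},
    {"apiVersion": "dapr.io/v1alpha1", "kind": "Component",
     "metadata": {"name": "secrets", "namespace": "staging"},
     "spec": {"type": "secretstores.kubernetes", "version": "v1", "metadata": []},
     "scopes": []}
  ]
}
""")


def unscoped_components(component_list):
    """Return (namespace, name, type) for every Component whose top-level 'scopes'
    is absent or empty. Such a Component can be loaded by every Dapr app in its
    namespace, which is exactly what the scoping best practice tells you to avoid."""
    findings = []
    for item in component_list.get("items", []):
        if item.get("kind") != "Component":
            continue
        if not item.get("scopes"):
            meta = item["metadata"]
            findings.append((meta["namespace"], meta["name"], item["spec"]["type"]))
    return findings


def components_visible_to(component_list, namespace, app_id):
    """Names of Components in `namespace` that the sidecar of `app_id` may load:
    every unscoped Component plus any Component that lists app_id explicitly."""
    visible = []
    for item in component_list.get("items", []):
        meta = item.get("metadata", {})
        if item.get("kind") != "Component" or meta.get("namespace") != namespace:
            continue
        scopes = item.get("scopes") or []
        if not scopes or app_id in scopes:
            visible.append(meta["name"])
    return sorted(visible)


if __name__ == "__main__":
    for ns, name, ctype in unscoped_components(SAMPLE_COMPONENT_LIST):
        print(f"{ns}/{name} ({ctype}): no scopes, visible to every app in the namespace")
```

Run it against live output by replacing the sample with `json.load(sys.stdin)` and piping `kubectl get components.dapr.io -A -o json` into it.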

Dapr ClusterRoles

The cluster-level permissions required by D3E are significantly reduced compared to the open source Dapr project, because application namespaces can be specified explicitly. However, the following ClusterRoles are still required for the distribution to function in most cases. To remove all required Dapr ClusterRoles, read Option 4: D3E without ClusterRoles using the Diagrid Dapr Injector Helm chart.

  1. ClusterRole: {{.Release.Namespace}}-dapr-injector-mutating-patcher
  • Handles trust anchor certificate updates.
  • Manages sidecar injection configuration.
  • When deployed with D3E namespace isolation, the Injector ClusterRole is patched with the namespace where sidecars can be injected.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    meta.helm.sh/release-name: dapr
    meta.helm.sh/release-namespace: dapr-system
  creationTimestamp: "2024-09-11T14:26:42Z"
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: dapr
    app.kubernetes.io/part-of: dapr
    app.kubernetes.io/version: v1.14.4-diagrid-2
  name: {{.Release.Namespace}}-dapr-injector-mutating-patcher
  resourceVersion: "3428506"
  uid: f93c334a-9c9a-461b-a4b8-7fd1f04c90a5
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resourceNames:
  - {{.Release.Namespace}}-dapr-sidecar-injector
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - patch
```
  2. ClusterRole: {{.Release.Namespace}}-dapr-sentry-token-reviewer
  • Grants permission to authenticate Kubernetes service account tokens via the TokenReview API.
  • Enabled when .Values.global.rbac.createTokenReviewerRole is set to true. Otherwise, the standard system Kubernetes ClusterRole system:auth-delegator is used with its associated ClusterRoleBinding.
  • Requires a dedicated ClusterRoleBinding to bind this role to the Dapr Sentry service account.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    meta.helm.sh/release-name: dapr
    meta.helm.sh/release-namespace: dapr-system
  creationTimestamp: "2025-06-26T18:14:22Z"
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: dapr
    app.kubernetes.io/part-of: dapr
    app.kubernetes.io/version: 1.15.5
  name: dapr-sentry-token-reviewer
  resourceVersion: "8728304"
  uid: 59fce98e-339a-48f4-b429-677dad4bc8f6
rules:
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
```
  3. ClusterRole [Dapr 1.15+]: {{.Release.Namespace}}-dapr-scheduler
  • Used by a cleanup job that watches the Dapr application namespaces so that, if and when one is deleted, the Scheduler service's data for that namespace is cleaned up accordingly.
  • When the control plane Scheduler service isn't deployed (.global.scheduler.enabled is set to false), the ClusterRole is not created.

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dapr-scheduler
  labels:
    app.kubernetes.io/component: rbac
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: dapr
    app.kubernetes.io/part-of: dapr
    app.kubernetes.io/version: v1.15.5
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
```