

Rio can be configured and used in a multi-tenant environment while following security best practices.

This section requires basic knowledge of Kubernetes RBAC. To learn more about RBAC, go here.

By default, Rio creates four roles: rio-admin, rio-privileged, rio-readonly, and rio-standard. Detailed permissions can be found here.

To create a binding from one of the roles to your user and group in the default namespace:

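# This role binding allows "jane" to have rio admin access in the "default" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rio-admin
  namespace: default
subjects:
- kind: User
  name: jane # Name is case sensitive
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: rio-admin
  apiGroup: rbac.authorization.k8s.io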

Note: Pre-defined roles are experimental and subject to change.

Container security

Rio by default restricts users without admin permissions from deploying containers with insecure parameters. This is done by implementing a validatingMutationWebhook.

The following fields are protected by default:

  • Enable and disable sidecar injection
  • Privileged containers
  • Hostpath
  • Hostport
  • HostNetworking

To enable a user to have these permissions, the following verbs must be granted on a role that is bound to the user:

  • rio-servicemesh
  • rio-privileged
  • rio-hostpath
  • rio-hostport
  • rio-hostnetwork

For example, to create a role with permission to launch privileged containers:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: run-privileged
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["create", "update", "delete", "rio-privileged"]

Then follow the previous example to bind the user to this role, setting roleRef to kind: Role and name: run-privileged.
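
An added example, not part of Rio or its documentation: it audits a set of roles and bindings and reports which subjects hold the custom verbs listed above, counting a "*" verb as granting all five. The helper names, the sample objects and the input shape (the items of a kubectl JSON listing of roles and bindings) are assumptions; apiGroups, resourceNames and aggregated ClusterRoles are not evaluated.

```python
# Added example, not Rio code. The five custom verbs listed on this page:
RIO_VERBS = {"rio-servicemesh", "rio-privileged", "rio-hostpath",
             "rio-hostport", "rio-hostnetwork"}

def escalation_verbs(role):
    """Rio escalation verbs a Role/ClusterRole grants on services."""
    granted = set()
    for rule in role.get("rules") or []:
        verbs = set(rule.get("verbs") or [])
        if {"services", "*"} & set(rule.get("resources") or []):
            # A "*" verb matches every verb, including the custom Rio ones.
            granted |= RIO_VERBS if "*" in verbs else verbs & RIO_VERBS
    return granted

def audit(items):
    """Map (subject kind, subject name, namespace or "*") -> escalation verbs."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]):
             escalation_verbs(o) for o in items if o["kind"] in ("Role", "ClusterRole")}
    findings = {}
    for o in (i for i in items if i["kind"] in ("RoleBinding", "ClusterRoleBinding")):
        ns, ref = o["metadata"].get("namespace"), o["roleRef"]
        # A Role is resolved in the binding's namespace; a ClusterRole has none.
        verbs = roles.get((ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"]))
        for s in (o.get("subjects") or []) if verbs else []:
            findings.setdefault((s["kind"], s["name"], ns or "*"), set()).update(verbs)
    return findings

def role(kind, name, ns, resources, verbs):  # builds a constructed Role/ClusterRole
    return {"kind": kind, "metadata": {"name": name, "namespace": ns},
            "rules": [{"apiGroups": [""], "resources": resources, "verbs": verbs}]}

def binding(name, ns, ref_kind, ref_name, subj_kind, subj_name):  # constructed RoleBinding
    return {"kind": "RoleBinding", "metadata": {"name": name, "namespace": ns},
            "roleRef": {"kind": ref_kind, "name": ref_name},
            "subjects": [{"kind": subj_kind, "name": subj_name}]}

# Constructed sample shaped like the items of `kubectl get ... -o json`.
SAMPLE = [
    role("Role", "run-privileged", "default", ["services"],
         ["create", "update", "delete", "rio-privileged"]),
    binding("jane-privileged", "default", "Role", "run-privileged", "User", "jane"),
    role("ClusterRole", "ops-all", None, ["*"], ["*"]),
    binding("ops", "team-a", "ClusterRole", "ops-all", "Group", "ops"),
    role("Role", "deployer", "default", ["services"], ["create", "update"]),
    binding("bob-deploy", "default", "Role", "deployer", "User", "bob"),
]

for subject, verbs in sorted(audit(SAMPLE).items()):
    print(subject, sorted(verbs))
```

The wildcard ClusterRole is the case to watch: the "ops" group never names a rio-* verb, yet holds all five in team-a.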