# Kubernetes Permissions

The Pipekit Helm Chart will create two ServiceAccounts in the namespace you install Pipekit into. These ServiceAccounts are used to control the permissions of the various components of Pipekit.

## pipekit

The primary ServiceAccount is called `pipekit` by default. This can be changed by setting `global.serviceAccount.name` in the Helm Chart values. This ServiceAccount is used by the Pipekit services to interact with the Kubernetes API. This ServiceAccount is given no extra permissions by default because it does not require them.

## pipekit-job

A secondary ServiceAccount is created, called `pipekit-job` by default. The `pipekit` element of the name can be changed by setting `global.serviceAccount.name` in the Helm Chart values. This ServiceAccount is used by the pipekit-init Kubernetes Job, which sets up and rotates various passwords used by the Pipekit services. This ServiceAccount is given the following permissions:

```yaml
# Manage the creation of Kubernetes Secrets to store the various passwords created by the pipekit-init Kubernetes Job.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - patch
      - create

# When the pipekit-init job is run, it will create a new secret to store the
# various passwords. This secret is then mounted into the various Pipekit
# services as a volume. This permission is required to allow the pipekit-init
# job to restart the `id` and `users` services after the secret has been
# created or changed so that we can ensure the new passwords are used by
# those services.
  - apiGroups:
      - "apps"
    resources:
      - deployments
    verbs:
      - get
      - patch
```
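To confirm that an installed cluster grants `pipekit-job` nothing beyond the rules above, the following added example (not part of the Pipekit chart or documentation) compares a Role or ClusterRole object, in the JSON form that `kubectl get role <role-name> -n <namespace> -o json` prints, against the documented allow-list. The function name, the sample object and its `example-job-role` name are assumptions made for illustration; the page does not state the name of the Role the chart creates.

```python
import json

# Permissions this page documents for the pipekit-job ServiceAccount.
DOCUMENTED = {
    ("", "secrets"): {"get", "patch", "create"},
    ("apps", "deployments"): {"get", "patch"},
}

def excess_permissions(role):
    """Return sorted (apiGroup, resource, verb) grants not documented above.

    Wildcards ("*") never match a documented entry, so they are always reported.
    """
    excess = set()
    for rule in role.get("rules") or []:
        for group in rule.get("apiGroups") or []:
            for resource in rule.get("resources") or []:
                allowed = DOCUMENTED.get((group, resource), set())
                for verb in rule.get("verbs") or []:
                    if verb not in allowed:
                        excess.add((group, resource, verb))
    return sorted(excess)

# Constructed sample: the two documented rules plus two extra grants.
# The object name is a placeholder; the page does not state the Role's name.
SAMPLE_ROLE = json.loads("""
{
  "kind": "Role",
  "metadata": {"name": "example-job-role"},
  "rules": [
    {"apiGroups": [""], "resources": ["secrets"],
     "verbs": ["get", "patch", "create", "list"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "patch"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}
  ]
}
""")

if __name__ == "__main__":
    for group, resource, verb in excess_permissions(SAMPLE_ROLE):
        print(f"undocumented grant: group={group!r} resource={resource} verb={verb}")
```

The documented rules carry no `resourceNames`, so the `get` and `patch` verbs apply to every Secret and Deployment in scope of the binding; the check above only reports grants that go further than that.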

## Pipekit-Agent

The Pipekit-Agent is a separate component that is used to interact with your Argo installations. The permissions for this component are documented in the [Pipekit-Agent documentation](/pipekit-agent/helm-chart.md#pipekit-agent-cluster-permissions).

