# Required access to write destination data to a container repository

To enable Tonic Structural to write destination data to a container repository, the Structural service account requires specific levels of access to Kubernetes.

The required access applies both on a Kubernetes cluster where Structural is deployed and, for Docker instances, on the [separate Kubernetes cluster that you install](/app/admin/on-premise-deployment/enable-output-to-container-artifacts/container-output-separate-kubernetes-cluster.md).

## Rolebinding with required access <a href="#container-access-rolebinding" id="container-access-rolebinding"></a>

On the Kubernetes cluster, the Structural service account must be bound to a role that grants the following access. Scope the role to the namespace in which Structural creates its containerization pods and secrets: `list` on secrets returns the secrets' contents, so this grant is effectively read access to every secret in whatever scope you bind it to.

```
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "delete", "create", "watch", "deletecollection"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "delete", "create", "deletecollection"]
```

On a Kubernetes instance of Structural, you can allow Structural to create the rolebinding automatically. The following setting in the Structural Helm chart controls this. By default, the setting is `true`.

```
rbac:
  create: true
```

If your access management process does not allow you to use this default configuration, then:

1. Change the setting to `false`.
2. Create a role with the rules above and a rolebinding that binds it to the Structural service account.
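The following script is an added example, not Tonic's own code or part of the Helm chart. It generates the namespaced Role and RoleBinding for step 2 from the rules above, and it also audits an existing Role against those rules, reporting both missing verbs (Structural would fail) and excess verbs or wildcards (more privilege than the page requires). The namespace `tonic` and the service account name `tonic-structural` are placeholders; substitute the values from your deployment.

```python
"""Generate and audit the namespaced Role/RoleBinding that Structural needs
when rbac.create is false.  Added example, not Tonic's own code; the
namespace and service account names below are placeholders."""
import json
import sys

# Rules copied from the page.  The empty apiGroup is the core API group.
REQUIRED_RULES = [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["get", "list", "delete", "create", "watch", "deletecollection"]},
    {"apiGroups": [""], "resources": ["secrets"],
     "verbs": ["list", "delete", "create", "deletecollection"]},
]


def rule_triples(rules):
    """Flatten a list of PolicyRules to a set of (apiGroup, resource, verb)."""
    triples = set()
    for rule in rules:
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    triples.add((group, resource, verb))
    return triples


def _covers(granted, group, resource, verb):
    """True if a granted triple, including '*' wildcards, allows this triple."""
    return any(
        g in (group, "*") and r in (resource, "*") and v in (verb, "*")
        for g, r, v in granted
    )


def rbac_diff(granted_rules, required_rules=REQUIRED_RULES):
    """Return (missing, excess).

    missing: required triples the granted rules do not allow.
    excess:  granted triples that are not exactly required; a wildcard is
             always excess because it allows more than the requirement.
    """
    granted = rule_triples(granted_rules)
    required = rule_triples(required_rules)
    missing = sorted(t for t in required if not _covers(granted, *t))
    excess = sorted(t for t in granted if t not in required)
    return missing, excess


def build_role(namespace, name="tonic-containerization"):
    # A namespaced Role, not a ClusterRole: the secret access stays inside
    # the namespace where Structural runs its containerization pods.
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": namespace},
        "rules": REQUIRED_RULES,
    }


def build_rolebinding(namespace, service_account, name="tonic-containerization"):
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "Role", "name": name},
        "subjects": [{"kind": "ServiceAccount", "name": service_account,
                      "namespace": namespace}],
    }


def build_manifest(namespace, service_account):
    """A v1 List that `kubectl apply -f` accepts (kubectl reads JSON as well as YAML)."""
    return {"apiVersion": "v1", "kind": "List",
            "items": [build_role(namespace),
                      build_rolebinding(namespace, service_account)]}


if __name__ == "__main__":
    ns = sys.argv[1] if len(sys.argv) > 1 else "tonic"              # placeholder
    sa = sys.argv[2] if len(sys.argv) > 2 else "tonic-structural"   # placeholder
    manifest = build_manifest(ns, sa)
    # Self-check: the generated Role grants exactly the required access.
    assert rbac_diff(manifest["items"][0]["rules"]) == ([], [])
    json.dump(manifest, sys.stdout, indent=2)
```

Run it as `python3 structural_rbac.py <namespace> <service-account> > structural-rbac.json`, apply with `kubectl apply -f structural-rbac.json`, and confirm the binding took effect with `kubectl auth can-i list secrets --as=system:serviceaccount:<namespace>:<service-account> -n <namespace>`. To audit a role your platform team created instead, load its `rules` list and pass it to `rbac_diff`; a non-empty `excess` (for example `verbs: ["*"]`) means the role grants more than this page requires.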

## Additional RBAC grant for a separate Kubernetes cluster <a href="#container-access-rbac-for-remote-cluster" id="container-access-rbac-for-remote-cluster"></a>

For a separate Kubernetes cluster, the [environment setting](/app/admin/environment-variables-setting.md) `CONTAINERIZATION_MANAGE_NAMESPACE` indicates whether to allow Structural to manage the remote namespace.

If the setting is `true`, then you must add the following RBAC grant so that the Structural service account can manage namespaces. Because namespaces are cluster-scoped, this grant is a ClusterRole bound with a ClusterRoleBinding rather than a namespaced role.

```
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tonic-containerization
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "create", "delete", "patch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "delete", "create", "watch", "deletecollection"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "delete", "create", "deletecollection"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tonic-containerization
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tonic-containerization
subjects:
  # depends on how authentication to the cluster is established
  - kind: User
    name: # containerization user name
    apiGroup: rbac.authorization.k8s.io
  - kind: Group
    name: # containerization group name
    apiGroup: rbac.authorization.k8s.io
  - kind: ServiceAccount
    name: # containerization service account name
    namespace: # namespace for service account in remote cluster
```
