From 91a728334389e9e09cc9d59c21921c3fa88b18dc Mon Sep 17 00:00:00 2001
From: Victor Skvortsov <vds003@gmail.com>
Date: Fri, 17 Oct 2025 12:10:41 +0500
Subject: [PATCH 1/2] Document Kubernetes required permissions

---
 docs/docs/concepts/backends.md | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/docs/docs/concepts/backends.md b/docs/docs/concepts/backends.md
index 6fe5fd9d7e..1fc0a0cf72 100644
--- a/docs/docs/concepts/backends.md
+++ b/docs/docs/concepts/backends.md
@@ -1047,6 +1047,32 @@ projects:
     
     If on-demand provisioning is important, we recommend using [VM-based](#vm-based) backends as they already support auto-scaling. -->
 
+??? info "Required permissions"
+    The following Kubernetes permissions are sufficient for `dstack` to work:
+
+    ```yaml
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole # or Role
+    metadata:
+      name: dstack-backend
+    rules:
+    - apiGroups: [""]
+      resources: ["namespaces"]
+      verbs: ["get", "create"]
+    - apiGroups: [""]
+      resources: ["pods"]
+      verbs: ["get", "create", "delete"]
+    - apiGroups: [""]
+      resources: ["services"]
+      verbs: ["get", "create", "delete"]
+    - apiGroups: [""]
+      resources: ["nodes"]
+      verbs: ["list"]
+    ```
+    
+    Ensure you've created a ClusterRoleBinding (or RoleBinding) to grant the role
+    to the user or the service account you're using.
+
 > To learn more, see the [Kubernetes](../guides/kubernetes.md) guide.
 
 ### RunPod

From 87b31de85569a1175213c80833a91204ac21284a Mon Sep 17 00:00:00 2001
From: Victor Skvortsov <vds003@gmail.com>
Date: Fri, 17 Oct 2025 12:22:16 +0500
Subject: [PATCH 2/2] Clarify that ClusterRole is required

---
 docs/docs/concepts/backends.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/docs/docs/concepts/backends.md b/docs/docs/concepts/backends.md
index 1fc0a0cf72..fdbd1d5181 100644
--- a/docs/docs/concepts/backends.md
+++ b/docs/docs/concepts/backends.md
@@ -1052,7 +1052,7 @@ projects:
 
     ```yaml
     apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRole # or Role
+    kind: ClusterRole
     metadata:
       name: dstack-backend
     rules:
@@ -1070,8 +1070,7 @@ projects:
       verbs: ["list"]
     ```
     
-    Ensure you've created a ClusterRoleBinding (or RoleBinding) to grant the role
-    to the user or the service account you're using.
+    Ensure you've created a ClusterRoleBinding to grant the role to the user or the service account you're using.
 
 > To learn more, see the [Kubernetes](../guides/kubernetes.md) guide.