Open synthe102 opened 1 year ago
As already mentioned on slack, we'd prefer not to go this route as:
> having access to the DataPlane resource is closer to a cluster-admin privilege which has both security implications as well as general implications for cluster administrators trying to manage security of the cluster
https://github.com/Kong/gateway-operator/pull/747#pullrequestreview-1407551727
Also touching on our discussion last week or so on slack: @synthe102 if you don't mind, please prepare a list of known, required policy rules that we can assemble and conditionally attach to a managed ClusterRole (similarly to what Kong/gateway-operator-archive#747 is doing, but without the possibility to add arbitrary permissions).
This issue isn't a priority anymore for logging, so it's out of scope for phase 0. It will eventually be useful when the question of custom sidecars is added to the CGW project.
Problem Statement
When using a sidecar container that needs to perform actions against the k8s API, the sidecar is limited by the DataPlane service account's permissions. Example: when using a sidecar for log collection (like Vector), the sidecar expects to be able to list a handful of k8s resources.
Acceptance Criteria
rules
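The following manifest is an added illustration of the approach discussed in this thread (a managed ClusterRole carrying only a known, enumerated set of rules, bound to the DataPlane's service account) rather than handing the sidecar anything resembling cluster-admin. It is not code from the gateway-operator project. The service account name, namespace, and ClusterRole name are placeholders, and the rule set assumes a Vector-style log collector that needs read-only access to pods, namespaces and nodes; the exact rules for a given sidecar would come from the list the thread asks for.

```yaml
# Added example, not from the gateway-operator repository.
# Read-only, enumerated permissions for a log-collecting sidecar.
# Resource/verb list is an assumption for a Vector-style collector;
# replace with the agreed list of required rules for the sidecar in use.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dataplane-sidecar-log-reader   # placeholder name
rules:
  - apiGroups: [""]
    resources: ["pods", "namespaces", "nodes"]
    verbs: ["get", "list", "watch"]   # no create/update/delete, no secrets
---
# Bind the scoped role to the DataPlane's service account only.
# Namespace and service account name are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dataplane-sidecar-log-reader   # placeholder name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dataplane-sidecar-log-reader
subjects:
  - kind: ServiceAccount
    name: dataplane-example            # placeholder: the DataPlane's SA
    namespace: kong                    # placeholder namespace
```

The key contrast with an arbitrary-permissions design is that the rule list is fixed by the operator, so a user enabling the sidecar can opt into this known set but cannot extend it to, for example, secrets or write verbs. The grant can be checked from a cluster with `kubectl auth can-i list pods --as=system:serviceaccount:kong:dataplane-example` (expected: yes) against `kubectl auth can-i get secrets --as=system:serviceaccount:kong:dataplane-example` (expected: no), substituting the real namespace and service account.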