Kong / gateway-operator

Kubernetes Operator for Kong Gateways
Apache License 2.0

Allow customisation of the permissions linked to the `DataPlane` service account #181

Open synthe102 opened 1 year ago

synthe102 commented 1 year ago

Problem Statement

When using a sidecar container that needs to perform actions against the k8s API, the sidecar is limited by the DataPlane service account's permissions. Example: when using a sidecar for log collection (like Vector), the sidecar expects to be able to list a handful of k8s resources.

Acceptance Criteria

pmalek commented 1 year ago

As already mentioned on slack, we'd prefer not to go this route as:

having access to the DataPlane resource is closer to a cluster-admin privilege which has both security implications as well as general implications for cluster administrators trying to manage security of the cluster

https://github.com/Kong/gateway-operator/pull/747#pullrequestreview-1407551727

Also touching on our discussion last week or so on slack: @synthe102 if you don't mind please prepare a list of known, required policy rules that we can assemble and conditionally attach to a managed ClusterRole (similarly as Kong/gateway-operator-archive#747 is doing but without the possibility to add arbitrary permissions).
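One way to express the kind of narrowly scoped rules pmalek asks for, as an added example that is not part of this thread or of the gateway-operator code: a ClusterRole that grants only read verbs on the resources a log-collection sidecar typically reads, bound to the DataPlane service account. The service account name (`dataplane-sa`), its namespace (`kong`) and the exact resource list are assumptions, since the thread does not state them; the point is that the role carries no write verbs and no access to secrets, so attaching it does not approach the cluster-admin-like reach the review comment warns about.

```yaml
# Added example, not from the gateway-operator project.
# Assumed names: service account "dataplane-sa" in namespace "kong".
# The resource list is what a typical log-collection sidecar reads (assumed;
# adjust to the sidecar's documentation). Verbs are read-only on purpose.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dataplane-log-collector
rules:
  # Read-only access only: no create/update/patch/delete, and no "secrets".
  - apiGroups: [""]
    resources: ["pods", "namespaces", "nodes"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dataplane-log-collector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dataplane-log-collector
subjects:
  - kind: ServiceAccount
    name: dataplane-sa   # assumed name of the DataPlane service account
    namespace: kong      # assumed namespace
```

After applying the manifest, the effective permissions can be checked from the service account's point of view with `kubectl auth can-i list pods --as=system:serviceaccount:kong:dataplane-sa` (expected `yes`) and `kubectl auth can-i get secrets --as=system:serviceaccount:kong:dataplane-sa` (expected `no`); the second check is the one worth keeping in a CI gate, because it catches a rule that has quietly grown beyond read-only log collection.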

synthe102 commented 1 year ago

This issue isn't a priority anymore for logging, so it's out of scope for phase 0. It will eventually be useful when the question of custom sidecars is added to the CGW project.