Closed roehrich-hpe closed 1 year ago
Brian Behlendorf 22 hours ago Have you guys considered creating a default ServiceAccount for the WLM to use? It seems like this would fit in nicely.
Dean Roehrich 1 hour ago Brian, help me orient myself on this. Today, Flux is using the fully-privileged kubeconfig, is that right? And you'd like to have Flux use something with finer-grained privs?
Brian Behlendorf 4 minutes ago Exactly. Today Flux is using the admin kubeconfig; something which is restricted to only the needed permissions seems prudent. Along the same lines as what was done for the dws-operator-controller-manager, nnf-dm-controller-manager, and nnf-fencing-agent ServiceAccounts.
The WLM role is now merged into the DWS master branch here: https://github.com/HewlettPackard/dws/blob/master/config/rbac/workload_manager_role.yaml
The documentation for creating a "flux" user and binding it to that role is in the docs main branch here: https://nearnodeflash.github.io/dev/guides/rbac-for-users/readme/
Give the WLM the privileges it needs to manipulate and run workflows and the related k8s resources.
Today, Flux is using the fully-privileged kubeconfig. It doesn't need all of that privilege.