Open dbarreda opened 1 year ago
Updated the description adding additional context.
Would like to add that we need this functionality for users that run in production where we restrict any harmful queries being run against the cluster and only scoped to the particular SVM which the user/org maintain or own.
Describe the solution you'd like
limitAggregateUsage currently won't work if credentials do not have cluster admin permissions. It does make sense that it needs cluster permissions but cluster admin seems like a lot of permissions when the SVM is specifically done for this.
Maybe some cluster-viewer role?
Describe alternatives you've considered
None with our current practices. I guess assigning an aggregate to a certain SVM would limit impacting other aggregates, however it could still impact itself if it doesn't have capacity awareness.
Additional context
cluster-admin is required for using limitAggregateUsage.
If k8s cluster credentials get compromised, they could be used with malicious intent.
Would be desired to have a limited user (vsadmin) that can have access to read the aggregate limit to avoid aggregate overcommitting.
Priority: Cannot go production w/ Trident as I cannot use cluster-admin for it. This is a security risk.