default service account has too many privileges

PaddleFlow / paddle-operator

Elastic Deep Learning Training based on Kubernetes by Leveraging EDL and Volcano

Apache License 2.0

31 stars 15 forks source link

default service account has too many privileges #71

Closed Bobgy closed 3 years ago

Bobgy commented 3 years ago

https://github.com/PaddleFlow/paddle-operator/blob/ec66c6a90762b56b827ec940b882fd9b006948d2/charts/paddle-operator/templates/controller.yaml#L123-L149

I'm doing a quick code review, it seems that all the roles are bounded to the default service account. I believe it's usually better practice to clearly separate different roles in the system and make each service account only have the minimal privilege.

This is a non blocking comment.

Bobgy commented 3 years ago

/cc @tizhou86

Bobgy commented 3 years ago

Fixed by #72