Closed ebensom closed 4 months ago
Hi @ebensom, the operator does need delete permission to perform rolling updates for some services; check https://github.com/VictoriaMetrics/operator/pull/907#discussion_r1535391190. And the roles in the examples should all be fixed in https://github.com/VictoriaMetrics/operator/pull/907.
It seems that the `rbac:groups="",resources=pods,verbs=*` permission is excessive and not being used by vm-operator. From a K8s security point of view, it is advised to remove this permission if not needed, because a compromised vm-operator pod's SA has permission to create pods and exec into pods in all namespaces.
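
One way to check a role for the over-broad grant discussed in this issue, as an added example (not code from the operator project or from either commenter): it expands wildcard verbs on core-group `pods` and reports the verbs granted beyond a needed set. The rule dictionaries are constructed samples, and the `NEEDED` set is an assumption; the thread itself only confirms that `delete` is required.

```python
# Added example: audit RBAC rules for excess verbs on core-group pods.
# Rules use the shape of a Role/ClusterRole "rules" list parsed from YAML.

# Standard API verbs that a "*" verb covers for pods.
ALL_VERBS = {"get", "list", "watch", "create", "update",
             "patch", "delete", "deletecollection"}

# Assumption for illustration: only "delete" is confirmed in the thread.
NEEDED = {"get", "list", "watch", "delete"}

# Constructed sample: the grant quoted in the issue.
BROAD_RULES = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}]

# Constructed sample: a narrowed grant plus an unrelated rule.
NARROW_RULES = [
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["get", "list", "watch", "delete"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
]


def _matches(values, wanted):
    """True if an RBAC list names the wanted item or uses the wildcard."""
    return "*" in values or wanted in values


def granted_pod_verbs(rules):
    """Union of verbs that the rules grant on pods in the core API group."""
    granted = set()
    for rule in rules:
        if not _matches(rule.get("apiGroups", []), ""):
            continue  # rule does not apply to the core ("") group
        if not _matches(rule.get("resources", []), "pods"):
            continue  # rule does not apply to pods
        verbs = set(rule.get("verbs", []))
        if "*" in verbs:
            granted |= ALL_VERBS
        granted |= verbs - {"*"}
    return granted


def excess_pod_verbs(rules, needed=NEEDED):
    """Sorted verbs granted on pods that are not in the needed set."""
    return sorted(granted_pod_verbs(rules) - set(needed))


if __name__ == "__main__":
    print("broad :", excess_pod_verbs(BROAD_RULES))
    print("narrow:", excess_pod_verbs(NARROW_RULES))
```
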