Is your feature request related to a problem? Please describe.
Currently the demo scripts skip the creation of a namespace-scoped RoleBinding whenever
the scripts are being run using a Conjur OSS deployed via Helm chart (i.e. when the CONJUR_OSS_HELM_DEPLOYED
environment variable is set to true). The reason that the creation of the RoleBinding can be skipped is that
the Conjur OSS Helm charts currently include the creation of a ClusterRoleBinding that is equivalent in
every way except that the ClusterRoleBinding has cluster-wide scope (can be used in all namespaces).
A better approach would be to use only namespace-scoped RoleBindings (rather than ClusterRoleBindings)
for these scripts because that would be exercising the principle of least privilege (permissions only apply to
namespaces that explicitly include a RoleBinding).
To do this, it would involve:
Modifying these demo scripts to create a RoleBinding for the case of Conjur OSS that is deployed via Helm chart.
After that, modify the Conjur OSS Helm chart to eliminate the creation of a ClusterRoleBinding.
Describe the solution you would like
For this repo, modify the demo scripts to create a RoleBinding for the case of Conjur OSS that is deployed via Helm chart.
After that, modify the Conjur OSS Helm chart repo to eliminate the creation of a ClusterRoleBinding.
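
The namespace-scoped binding this request describes, sketched as an added example (not code from this repo's demo scripts or from the Helm chart). The function name, the binding name, and every namespace, ServiceAccount and ClusterRole name passed in are hypothetical placeholders. It relies on the fact that a RoleBinding may reference a ClusterRole, in which case the permissions apply only in the RoleBinding's own namespace.

```shell
#!/usr/bin/env bash
# Added example: render a namespace-scoped RoleBinding in place of a
# cluster-wide ClusterRoleBinding. All names are hypothetical placeholders.

# Usage: render_rolebinding <app-namespace> <cluster-role> <conjur-sa> <conjur-namespace>
# Prints a RoleBinding manifest on stdout; returns 1 on an invalid name.
render_rolebinding() {
  local app_ns="$1" cluster_role="$2" conjur_sa="$3" conjur_ns="$4"
  local name

  # Namespace and ServiceAccount names must be DNS-1123 labels; rejecting
  # anything else keeps unexpected text out of the generated YAML.
  for name in "$app_ns" "$conjur_sa" "$conjur_ns"; do
    if ! printf '%s' "$name" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'; then
      echo "invalid name: $name" >&2
      return 1
    fi
  done
  # ClusterRole names may also contain '.' and ':'.
  if ! printf '%s' "$cluster_role" | grep -Eq '^[a-z0-9]([-a-z0-9.:]*[a-z0-9])?$'; then
    echo "invalid ClusterRole name: $cluster_role" >&2
    return 1
  fi

  # kind is RoleBinding, so the ClusterRole's rules are granted only inside
  # metadata.namespace, even though roleRef points at a cluster-scoped role.
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: conjur-authenticator-binding
  namespace: ${app_ns}
subjects:
- kind: ServiceAccount
  name: ${conjur_sa}
  namespace: ${conjur_ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${cluster_role}
EOF
}
```

The output can be piped to `kubectl apply -f -` for each application namespace that should be covered. After the chart's ClusterRoleBinding is removed, `kubectl auth can-i --list --as=system:serviceaccount:<conjur-namespace>:<conjur-sa> -n <other-namespace>` shows whether the ServiceAccount still holds permissions in a namespace without a binding.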