flomesh-io / fsm

Lightweight service mesh for Kubernetes East-West and North-South traffic management; uses eBPF for layer-4 and the Pipy proxy for layer-7 traffic management, and supports multi-cluster networking.
https://flomesh.io
Apache License 2.0
49 stars, 7 forks

[charts] RBAC improvement #213

Open nixff opened 3 months ago

nixff commented 3 months ago

Now in the charts, we enable some permissions at cluster level, like rbac.authorization.k8s.io, which is unnecessary when the namespacedIngress or Gateway feature is disabled.

```yaml
  - apiGroups: [ "rbac.authorization.k8s.io" ]
    resources: [ "roles", "rolebindings", "clusterroles", "clusterrolebindings" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
```

We should aim to minimize the permissions and modularize them: only set the necessary permissions based on the features enabled.

Moreover, clarifying the permission usage in the chart comments in detail would be better, e.g. for some permissions on built-in resources:

```yaml
  - apiGroups: ["apps"]
    resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

If we only enable flb, it seems that fsm doesn't need privileges for ds or sts?


nixff commented 3 months ago

```yaml
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

Is the delete verb needed for the fsm role? Or is it only needed in the cleanup hook, for an independent cleanup role?
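One way to express both suggestions from the two comments above in chart templates: gate the rbac.authorization.k8s.io rule on the features that need it, and move the delete verb for webhook configurations into a separate role that only the uninstall cleanup hook uses. This is an added illustration, not a template from the fsm chart; the value paths .Values.fsm.namespacedIngress.enabled and .Values.fsm.gatewayAPI.enabled and the role names are assumed for the example.

```yaml
{{/* Added example, not the fsm chart's own template. The value paths used
     in the conditions below are assumed names for the two feature flags. */}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Release.Name }}-controller
rules:
  # Webhook configurations are created and kept up to date by the running
  # controller, so the long-lived role gets no "delete" on them.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
{{- if or .Values.fsm.namespacedIngress.enabled .Values.fsm.gatewayAPI.enabled }}
  # Only the features that create per-namespace RBAC objects need this rule;
  # with both flags off the rule is not rendered at all. Note that creating
  # Roles/RoleBindings that grant more than the caller holds additionally
  # requires the "escalate"/"bind" verbs, so keep this list to what the
  # controller really provisions.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
{{- end }}
---
{{/* Narrow role that exists only for the pre-delete hook Job; it is created
     when `helm uninstall` runs the hook and removed once the hook succeeds,
     so "delete" on webhook configurations is never held by the controller. */}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Release.Name }}-cleanup
  annotations:
    "helm.sh/hook": pre-delete
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": hook-succeeded
rules:
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["get", "list", "delete"]
```

To check the gating, render the chart with `helm template` with both flags set to false and confirm that no rule for apiGroup rbac.authorization.k8s.io appears in the controller ClusterRole.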

github-actions[bot] commented 1 month ago

This issue will be closed due to a long period of inactivity. If you would like this issue to remain open then please comment or update.