nathancoleman
commented
2 months ago Hi @bksteiny ! Thanks for bringing this to our attention.
Looking back through the commit history, it appears as though the additional permissions were added in expedience during the development process and weren't narrowed back down prior to merge. I've put up a PR that addresses this issue, linked above.
Unfortunately, version 1.2.x is no longer actively supported. Is it possible for you to consume version 1.3.x or later?
bksteiny
Question
Hi there, we are planning to upgrade to consul-k8s 1.2.x from 1.1.x and noticed the permissions on the connect-injector ClusterRole now includes the ability to
create,update, anddeletenamespacesandnodesresources (among others). This change was introduced in the 1.2.0-rc commit.The ability to
create,update, anddeletenamespacesandnodesis a problem for our cluster admins and security team, and they aren't very receptive to a workaround mentioned in an older ticket, so I'm wondering if you can provide any information as to why these permission are needed on the connect-injector ClusterRole?I went through the Control access into the service mesh with Consul API gateway tutorial from start to finish twice:
ClusterRole:I was able to successfully finish it both times and didn't see any errors in the connect-injector logs. I used Helm directly instead of the consul-k8s CLI, but I used the config values provided in the tutorial. I realize completing this tutorial most likely does not cover all use-cases, so that could be why it worked with reduced permissions.
Anyway, information on why this is needed is appreciated. Thanks