Closed koala7659 closed 4 months ago
This issue or PR has been automatically marked as stale due to the lack of recent activity. Thank you for your contributions.
This bot triages issues and PRs according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, the issue is closed
You can:
/remove-lifecycle stale
/close
If you think that I work incorrectly, kindly raise an issue with the problem.
/lifecycle stale
There is still a dependency to istio-system namespace. We must address it to avoid pod crashing without the namespace.
This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.
This issue has been automatically closed due to the lack of recent activity. /lifecycle rotten
Description
As part of https://github.com/kyma-project/kyma/issues/15915 we have recently updated Compass Runtime Agent service in Kyma to store the secret configuration data inside kyma-system namespace and stop using the old compass-system namespace for it.
To not affect existing runtimes some specialised code has been written to copy the content of old secrets from compass-system namespace into new desired location in secrets in kyma-system namespace. This migrator code required additional RBAC rules to access data inside multiple namespaces and configuration variables in Compass Runtime Agent deployment.
Used ClusterRoleBindings:
After successful migration there is need to maintain old secret migrator code and keep too broad RBAC rules for Compass Runtime Agent service account.
Reason:
To secure Kyma Runtime we should limit the scope of privileges assigned to Kyma components. Removing secret migrator code and related RBAC objects will ensure Compass Runtime Agent cannot access secrets in different namespaces.
Expected code change:
Related PRs:
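One way to verify the outcome described under "Reason" is to check that no ClusterRoleBinding still gives the agent's service account access to secrets in every namespace. The script below is an added example, not code from this issue or from the Kyma project; the object names, the service account name compass-runtime-agent and its placement in kyma-system are assumptions made for the constructed sample.

```python
import json

# Constructed sample objects (names are hypothetical, not taken from the issue),
# shaped like `kubectl get clusterroles,clusterrolebindings -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "agent-secret-migrator"},
  "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "delete"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "agent-node-reader"},
  "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "agent-secret-migrator"},
  "roleRef": {"kind": "ClusterRole", "name": "agent-secret-migrator"},
  "subjects": [{"kind": "ServiceAccount", "name": "compass-runtime-agent", "namespace": "kyma-system"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "agent-node-reader"},
  "roleRef": {"kind": "ClusterRole", "name": "agent-node-reader"},
  "subjects": [{"kind": "ServiceAccount", "name": "compass-runtime-agent", "namespace": "kyma-system"}]}
]}
""")

def _grants_secrets(rule):
    """True if a PolicyRule covers core-group secrets, counting '*' wildcards."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    return ("" in groups or "*" in groups) and any(
        r in ("secrets", "*") for r in resources)

def cluster_wide_secret_access(objects, sa_name, sa_namespace):
    """Return {binding name: sorted verbs} for ClusterRoleBindings that give the
    service account access to secrets in every namespace."""
    roles = {o["metadata"]["name"]: o for o in objects["items"] if o["kind"] == "ClusterRole"}
    findings = {}
    for o in objects["items"]:
        if o["kind"] != "ClusterRoleBinding":
            continue
        bound = any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                    and s.get("namespace") == sa_namespace for s in o.get("subjects") or [])
        role = roles.get(o["roleRef"]["name"]) if o["roleRef"]["kind"] == "ClusterRole" else None
        if not bound or role is None:
            continue
        verbs = {v for r in role.get("rules") or [] if _grants_secrets(r) for v in r.get("verbs", [])}
        if verbs:
            findings[o["metadata"]["name"]] = sorted(verbs)
    return findings

if __name__ == "__main__":
    print(cluster_wide_secret_access(SAMPLE, "compass-runtime-agent", "kyma-system"))
```

The check covers direct ServiceAccount subjects only; access granted through Group subjects such as system:serviceaccounts or through aggregated ClusterRoles needs a separate pass.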