Open zhlsunshine opened 1 month ago
@yongfengdu would you kindly provide your opinion on this issue, or perhaps an alternate suggestion? Does it make sense to have a single service account for GMC?
I'm not an expert on security, so I think the best way is to leave the decision to the k8s cluster admin (to modify the default policy or create a new one) or the workload deployer. Implementing RBAC for ChatQnA might improve the security a little by default, but without a thorough security review, it's hard to say how "secure" our deployment is, and it should not be trusted by the deployer. To summarize, I think implementing RBAC in the current phase would introduce additional complexity and maintenance effort with little benefit.
@yongfengdu I guess the use of RBAC here is for GMC to access the k8s API objects. I think we have 2 options here:
Hi Team,
There should be a ServiceAccount RBAC setting for all ChatQnA microservices under a namespace, e.g. the GMC RBAC. However, I cannot find such configuration settings in ChatQnA. There are 2 suggestions for this: