All components use the default service account right now, which is problematic from a security standpoint, as in GCP, for example, through Workload Identity the object storage bucket permissions are given through the service account, so even components that don't need object storage access currently get it.
I'll prepare a PR to create a ServiceAccount per component.
@kakkoyun @metalmatze
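
The per-component layout proposed in the issue above, sketched as an added example (not the project's manifests or the eventual PR). Component names, the namespace, the image and the GCP service account e-mail are placeholders; `iam.gke.io/gcp-service-account` is the GKE Workload Identity annotation.

```yaml
# Component that needs object storage: its own ServiceAccount, mapped to a
# GCP service account that holds the bucket permissions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: needs-bucket              # hypothetical component name
  namespace: example              # hypothetical namespace
  annotations:
    # placeholder GCP service account; only this KSA is bound to it
    iam.gke.io/gcp-service-account: needs-bucket@PROJECT_ID.iam.gserviceaccount.com
---
# Component without object storage needs: its own ServiceAccount with no
# Workload Identity annotation, so it has no GCP service account to impersonate.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: no-bucket                 # hypothetical component name
  namespace: example
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: no-bucket
  namespace: example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: no-bucket
  template:
    metadata:
      labels:
        app: no-bucket
    spec:
      # Explicit per-component account instead of the namespace "default" one.
      serviceAccountName: no-bucket
      containers:
        - name: no-bucket
          image: registry.example/no-bucket:TAG   # placeholder image
```

On the GCP side, the `roles/iam.workloadIdentityUser` binding is then granted only to the `example/needs-bucket` Kubernetes service account, not to `example/default`.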