Describe the solution you'd like
limitAggregateUsage currently won't work if credentials do not have cluster admin permissions. It does make sense that it needs cluster permissions, but cluster admin seems like a lot of permissions when the SVM is specifically done for this.
Maybe some cluster-viewer role?
Describe alternatives you've considered
None with out current practices.
I guess assigning an aggregate to a certain SVM would limit impacting other aggregates, however it could still impact itself if it doesn't have capacity awareness.
Additional context
- cluster-admin is required for using the limitAggregateUsage
- if k8s cluster credentials get compromised it could be used with malicious intent
- Would be desired to have a limited user (vsadmin) that can have access to read the aggregate limit to avoid aggregate overcommitting.
- Priority: Cannot go production w/ Trident as I cannot use cluster-admin for it. This is a security risk.