default rbac for oap #111
default rbac for oap #111
Conversation
|
I don't know if there are other oap capabilities that require such permissions. Can you give me some hints, and I can add some documents. @wu-sheng @kezhenxu94 |
|
@wankai123 I think we need some. |
|
The permissions are authorized here, only when user needs to monitoring k8s: Should we add these permissions here by default? |
|
|
|
@kezhenxu94 WDYT? |
There was a problem hiding this comment.
From the configuration perspective, I think it's not that good to let users configure part of the RBAC, which are Role and ClusterRole in this PR.
IMO we'd let users create themselves the Role, ClusterRole, and ServiceAccount as a whole, or we created those for them. And let users only specify ServiceAccount in values.yaml if they choose create those themselves. If ServiceAccount is set, we don't create those roles and cluster roles, simply use the service account, otherwise create the needed roles and serviceaccount.
|
The reason behind 👆 is that, ServiceAccount(SA) usually represents all needed RBAC permissions for a deployment/service, users should group the permissions into the SA and designate the SA to our deployment, or allow us to create all needed permissions by ourselves. Letting users configure one part and us configure the other part looks unreasonable and hard to maintain. |
|
I'm trying to understand your mind, and I'll make some changes later. @kezhenxu94 |
When I used the otel protocol to collect some metrics of k8s, I found that the clusterrole permission is also required, so I optimized the configuration of rbac, and it is no longer used exclusively for envoy als.