default rbac for oap #111
Conversation
I don't know if there are other oap capabilities that require such permissions. Can you give me some hints, and I can add some documents. @wu-sheng @kezhenxu94
@wankai123 I think we need some.
The permissions are authorized here, only when the user needs to monitor k8s: Should we add these permissions here by default?
@kezhenxu94 WDYT?
From the configuration perspective, I think it's not that good to let users configure part of the RBAC, which are Role and ClusterRole in this PR.
IMO we'd let users create the Role, ClusterRole, and ServiceAccount themselves as a whole, or we create those for them. And let users only specify ServiceAccount in values.yaml
if they choose to create those themselves. If ServiceAccount is set, we don't create those roles and cluster roles, simply use the service account, otherwise create the needed roles and serviceaccount.
The reason behind 👆 is that a ServiceAccount (SA) usually represents all needed RBAC permissions for a deployment/service, users should group the permissions into the SA and designate the SA to our deployment, or allow us to create all needed permissions by ourselves. Letting users configure one part and us configure the other part looks unreasonable and hard to maintain.
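The "either the user supplies a ServiceAccount, or the chart creates the whole RBAC set" rule described in the comment above, as an added Helm template illustration (not the chart's actual templates): the values key `serviceAccount.name` and the helper `oap.fullname` are assumed, and the RBAC rules are a labelled placeholder because this page does not list the permissions the k8s monitoring needs.

```yaml
# templates/rbac.yaml -- added illustration, not the project's own template.
# Assumed values.yaml key:
#   serviceAccount:
#     name: ""   # set to an existing SA and the chart creates no RBAC objects
#
# One helper resolves the SA name for both this file and the Deployment's
# pod spec (serviceAccountName: {{ include "oap.serviceAccountName" . }}).
{{- define "oap.serviceAccountName" -}}
{{- default (include "oap.fullname" .) .Values.serviceAccount.name -}}
{{- end -}}

{{- if not .Values.serviceAccount.name }}
# No SA supplied: create ServiceAccount, ClusterRole and binding as one unit,
# so the SA always carries every permission the deployment needs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "oap.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "oap.fullname" . }}
rules:
  # PLACEHOLDER rules: the real list is whatever the k8s monitoring feature
  # needs; keep it read-only and as narrow as that feature allows.
  - apiGroups: [""]
    resources: ["pods", "nodes", "services"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "oap.fullname" . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "oap.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "oap.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
{{- end }}
```

When `serviceAccount.name` is set, the file renders to nothing but the helper definition, so the user-managed SA is used unchanged and no partial Role/ClusterRole is created alongside it.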
I'm trying to understand your mind, and I'll make some changes later. @kezhenxu94
When I used the otel protocol to collect some metrics of k8s, I found that the clusterrole permission is also required, so I optimized the configuration of rbac, and it is no longer used exclusively for envoy als.