Minimal Permissions for Azure/GCP/OpenStack Shoot Clusters #133
Comments
Is there anything else to be done @dkistner, @DockToFuture, @rfranzke, @afritzler or can we close this one? E.g. Azure seems to have a pretty coarse-grained permission model. Not sure whether we can do much for GCP and OpenStack either. AWS offered a lot, but we explored/exploited that in detail already.
For Azure there are some efforts to run the kubelet without any platform access, see here: kubernetes/kubernetes#77309 If this works, then we should stay with the
For interested users we could provide a guide describing the minimal permissions which Gardener requires. The user has to create a role and assign it to the service principal which is passed to Gardener.
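As an added example (my code, not Gardener's), here is a small check in the spirit of the "minimal permissions" guide discussed in the comment above: it lints an Azure custom role definition JSON, the shape `az role definition create --role-definition <file>` accepts, for provider-wide wildcard actions, actions that let the service principal widen its own rights, and assignable scopes broader than a single subscription. The role names, action lists and subscription/management-group ids below are constructed placeholders; the thread does not state the actual minimal permission set Gardener needs on Azure.

```python
"""Lint an Azure custom role definition for least-privilege problems.

Added example, not Gardener project code. Both role definitions below are
constructed samples; their actions are placeholders and NOT the minimal
permission set Gardener requires on Azure.
"""
import json

# Constructed sample: a role that would be handed to the Gardener service
# principal but is broader than it needs to be.
BROAD_ROLE_JSON = json.dumps({
    "Name": "gardener-shoot-operator-broad (placeholder)",
    "IsCustom": True,
    "Description": "Placeholder role; deliberately too broad.",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Network/*",                             # provider-wide wildcard
        "Microsoft.Authorization/roleAssignments/write",   # can grant itself more rights
    ],
    "NotActions": [],
    # Management-group scope: assignable across many subscriptions.
    "AssignableScopes": ["/providers/Microsoft.Management/managementGroups/mg-placeholder"],
})

# Constructed sample: same role trimmed to explicit actions and one subscription.
NARROW_ROLE_JSON = json.dumps({
    "Name": "gardener-shoot-operator-narrow (placeholder)",
    "IsCustom": True,
    "Description": "Placeholder role; explicit actions, single subscription.",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Network/virtualNetworks/read",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],  # placeholder id
})

# Real Azure RBAC actions that allow a principal to expand its own privileges.
PRIVILEGE_ESCALATION_ACTIONS = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
}


def lint_role_definition(role_json: str) -> list:
    """Return a list of human-readable findings; empty means no problem found."""
    role = json.loads(role_json)
    findings = []
    for action in role.get("Actions", []):
        if "*" in action:
            findings.append(f"wildcard action: {action}")
        if action in PRIVILEGE_ESCALATION_ACTIONS:
            findings.append(f"privilege-escalation action: {action}")
    for scope in role.get("AssignableScopes", []):
        # Anything that is not a subscription (or resource group inside one)
        # is wider than a single shoot account should need.
        if not scope.startswith("/subscriptions/"):
            findings.append(f"assignable scope wider than one subscription: {scope}")
    return findings


def is_minimal(role_json: str) -> bool:
    """True when the definition has no wildcard, escalation or broad-scope findings."""
    return not lint_role_definition(role_json)


if __name__ == "__main__":
    for finding in lint_role_definition(BROAD_ROLE_JSON):
        print("FINDING:", finding)
    print("narrow role minimal:", is_minimal(NARROW_ROLE_JSON))
```

Run it against the JSON file you intend to pass to `az role definition create` before assigning the role to the service principal; a non-empty findings list means the role is wider than the "minimal permissions" idea in the comment above.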
Good news, good news indeed!
Replaced with individual issues in dedicated provider repositories.
We have narrowed down the access permissions for AWS shoot clusters (potential remainder tracked in #178), but not yet for Azure, GCP and OpenStack, which this ticket is now about. We expect less success on these infrastructures as AWS's permission/policy options are very detailed. This may break the "shared account" idea on these infrastructures (Azure and GCP - OpenStack can be mitigated by programmatically creating tenants on the fly).