fix: Remove cluster admin ClusterRoleBinding and ServiceAccount #24
Conversation
didiladi
requested review from
adriangonciarz,
christian-kreuzberger-dtx and
jetzlstorfer
as code owners
This commit removes the `ClusterRoleBinding` and `ServiceAccount` from the helm chart. The cluster admin access is not needed by the locust service, since it just executes locust without any need to access any resources within the kubernetes cluster. fixes keptn-sandbox#23 Signed-off-by: Dieter Ladenhauf <dieter.ladenhauf@dynatrace.com>
didiladi
force-pushed
the
bugfix/23/remove-cluster-admin
branch
from
b841482
to
36b74df
Compare
|
I think the intention here was to have a helm-chart with values file etc... that looks the same across all services, such that when you install it you can re-use values.yaml files. I agree that we don't need the service account, but I would like to loop in @agrimmer regarding this change. |
|
I like the approach of having a dedicated Service Account for each service. |
|
@agrimmer ok, I see your point. I'm not really concerned about the service account, but that it grants cluster admin access although it actually needs limited access to the kube-api. In my opinion keptn services should follow the principle of least privilege. How about the following solution: Let's introduce a service account tailored to the specific needs of the locust service. By now, it only needs to read secrets from the kube-api-server, so the service account should only allow that. Sounds good? |
This commit removes the
ClusterRoleBindingandServiceAccountfromthe helm chart. The cluster admin access is not needed by the locust
service, since it just executes locust without any need to access any
resources within the kubernetes cluster.
fixes #23