ClusterRole rules are too permissive #75
Comments
Under the hood, the exporter is using "EnhancedEvent". Meaning it is reading and attaching the whole
Would it be possible to toggle this functionality to allow the exporter to work in more restrictive environments?
Hey @jpuskar, simply disabling that in the cluster role will break the exporter once an event is created with a custom resource as the object ref. You can try to drop the permissions and see if it is broken in your particular cluster. Actual code feature-toggle technically can be added.
role.yaml
ClusterRole rules are too permissive! The service account does not need to be able to get, watch, list everything (e.g., secrets). The default should include only what is necessary for the software to function (i.e., events).
If we could configure the rules from the values.yaml that would be awesome.
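A check for the concern raised in this issue, added here as an example (not code from the project or from anyone in the thread): it reports which rules of a ClusterRole grant read verbs on a given resource, such as secrets. The sample role is constructed from the issue's description, and the function and variable names are assumptions.

```python
import json

READ_VERBS = {"get", "list", "watch"}

# Constructed sample in the shape of `kubectl get clusterrole NAME -o json`.
# Rule 0 follows the issue's description (read everything); rule 1 is the
# events-only rule the reporter asks for. Not the project's actual role.yaml.
SAMPLE_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-event-exporter"},
  "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["get", "watch", "list"]}
  ]
}
""")


def _matches(allowed, wanted):
    """RBAC list match: a '*' entry in the rule matches any value."""
    return "*" in allowed or wanted in allowed


def rules_granting_read(role, api_group, resource):
    """Return [(rule_index, sorted_read_verbs)] for rules that let the role's
    subjects read `resource` in `api_group` ("" is the core group).
    Subresource patterns such as "pods/log" are not expanded here."""
    hits = []
    for index, rule in enumerate(role.get("rules") or []):
        if "resources" not in rule:  # nonResourceURLs rule
            continue
        if not _matches(rule.get("apiGroups", []), api_group):
            continue
        if not _matches(rule["resources"], resource):
            continue
        verbs = set(rule.get("verbs", []))
        granted = READ_VERBS if "*" in verbs else READ_VERBS & verbs
        if granted:
            hits.append((index, sorted(granted)))
    return hits


if __name__ == "__main__":
    for idx, verbs in rules_granting_read(SAMPLE_ROLE, "", "secrets"):
        print(f"rule {idx} grants {verbs} on secrets")
```

As the maintainer notes in the thread, a role narrowed to events alone can break the exporter when an event references a custom resource, so test a narrowed role in your own cluster.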