Comments (3)
Being explicit also allows different use-cases.
Let's say I have a multi-tenant cluster and I have components in namespaces of tenant x that need to access namespaces of tenant y.
If I don't have a separate labelSelector for SA and RoleBinding creation, I run into the issue that I have overly broad RBAC.
from rbac-manager.
First glance, I think this is really similar (or the same) as #137.
The potential implementation seems different though. In the other issue, I think the desired outcome is that a serviceAccount that has a rolebinding with a label selector automatically triggers creation of the serviceaccount in all the namespaces matched.
This one seems to suggest sort of the opposite? I think we should decide on which is the desired implementation. Personally I lean towards the idea of "if there are multiple namespaces with rolebindings, we create the serviceaccount in each namespace."
What do you think?
from rbac-manager.
Yes, the implementation is different. I strongly prefer only creating SAs where explicitly wanted, as granular as possible.
Having SAs automatically created in all namespaces matching that binding might be a security issue in some deployments.
from rbac-manager.