Split kuryr-controller and kuryr-cni ServiceAccounts
Bug #1764783 reported by Michal Dulko
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kuryr-kubernetes | Fix Released | Low | Tabitha Fasoyin |
Bug Description
When introducing the containerized Kuryr deployment we only needed a ServiceAccount for the kuryr-controller Pod, as only it was connecting to the K8s API. Now, with kuryr-daemon being the default, the kuryr-cni Pod needs a ServiceAccount as well. We've used the existing kuryr-controller SA, but those two should be split into two SAs restricted only to the paths that each of the containers needs (e.g. kuryr-cni doesn't need access to the Service resource).
Besides that, in the case of OpenShift only the kuryr-cni SA should require access to root privileges.
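The split the report asks for, sketched as Kubernetes RBAC manifests. This is an added example, not the project's own manifests: the `kube-system` namespace and the resource and verb lists are assumptions, chosen only to show kuryr-cni bound to a role without access to Services.

```yaml
# Added illustration. SA names come from the report; namespace and rule lists are assumed.
apiVersion: v1
kind: ServiceAccount
metadata: {name: kuryr-controller, namespace: kube-system}
---
apiVersion: v1
kind: ServiceAccount
metadata: {name: kuryr-cni, namespace: kube-system}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: kuryr-controller}
rules:
# Assumed list: only the controller role carries "services".
- apiGroups: [""]
  resources: ["pods", "services", "endpoints", "namespaces"]
  verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: kuryr-cni}
rules:
# Assumed list: no "services" entry, per the bug description.
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: kuryr-controller}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: kuryr-controller}
subjects:
- {kind: ServiceAccount, name: kuryr-controller, namespace: kube-system}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: kuryr-cni}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: kuryr-cni}
subjects:
- {kind: ServiceAccount, name: kuryr-cni, namespace: kube-system}
```

With these applied, `kubectl auth can-i list services --as=system:serviceaccount:kube-system:kuryr-cni` should answer `no`, while the same query for `kuryr-controller` answers `yes`.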
tags: added: low-hanging-fruit
Changed in kuryr-kubernetes:
status: New → Confirmed
assignee: nobody → Tabitha Fasoyin (tabbie-fash)
Fix proposed to branch: master
Review: https://review.opendev.org/759600