surahman edited a comment on pull request #3710: URL: https://github.com/apache/incubator-heron/pull/3710#issuecomment-932636387
I am not sure if you tried this, but I think we need to set up a [`Service Account`](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) and assign it to the Heron API Server Pod. We then bind the Role to the `Service Account` [like so](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects).

From [Stack Overflow](https://stackoverflow.com/questions/52995962/kubernetes-namespace-default-service-account):

> 5. The default permissions for a service account don't allow it to list or modify any resources. The default service account isn't allowed to view cluster state let alone modify it in any way.

**_Edit:_** It appears as though the `ClusterRoles` and `ServiceAccount` are in the K8s configs for the [Heron API Server](https://raw.githubusercontent.com/apache/incubator-heron/master/deploy/kubernetes/minikube/apiserver.yaml). This makes life a lot easier, with only the following being additionally required:

<details>
<summary>Role</summary>

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: heron-apiserver-configmap-role
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - watch
  - list
```

</details>

<details>
<summary>RoleBinding</summary>

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: heron-apiserver-configmap-rolebinding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: heron-apiserver-configmap-role
subjects:
- kind: ServiceAccount
  name: heron-apiserver
  namespace: default
```

</details>

I think it would be safe to add these to the Heron API Server K8s configs because it is adequately restrictive. I am not sure if both a `ClusterRole` and `Role` can be assigned at the same time; if not, we would need to aggregate into the `ClusterRole`. The `ClusterRole` has a reference to the `cluster-admin` and I believe this is why it can submit topologies.
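As an added illustration (not code from the PR or from the Heron project), the following Python model shows how Kubernetes RBAC would resolve the Role and RoleBinding above for the `heron-apiserver` ServiceAccount: the role name, rules and subject mirror the YAML in the comment, while the `example-pod-reader` ClusterRole and its ClusterRoleBinding are constructed placeholders, since the comment does not show the Heron ClusterRole's rules. RBAC is purely additive, so a Role and a ClusterRole bound to the same ServiceAccount simply union their grants, and the model reproduces that together with the namespace scoping of a RoleBinding.

```python
# Added example (not from the PR or from Heron): a minimal model of how
# Kubernetes RBAC answers "can this ServiceAccount do <verb> on <resource>
# in <namespace>?" for the Role/RoleBinding proposed in the comment.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple

    def matches(self, group: str, resource: str, verb: str) -> bool:
        def hit(wanted, allowed):
            return "*" in allowed or wanted in allowed
        return (hit(group, self.api_groups) and hit(resource, self.resources)
                and hit(verb, self.verbs))


# Roles keyed by name: (namespace, rules); namespace None marks a ClusterRole.
ROLES = {
    # Mirrors the Role YAML in the comment: read-only on core-group configmaps.
    "heron-apiserver-configmap-role": ("default", [Rule(("",), ("configmaps",), ("get", "watch", "list"))]),
    # Constructed placeholder; the Heron ClusterRole's real rules are not shown in the comment.
    "example-pod-reader": (None, [Rule(("",), ("pods",), ("get", "list"))]),
}

# Subject name as RBAC sees the ServiceAccount from the RoleBinding YAML.
SA = "system:serviceaccount:default:heron-apiserver"
# Bindings: (role name, binding namespace or None for a ClusterRoleBinding, subjects).
BINDINGS = [
    ("heron-apiserver-configmap-role", "default", {SA}),  # the RoleBinding in the comment
    ("example-pod-reader", None, {SA}),                   # constructed ClusterRoleBinding
]


def can_i(subject: str, verb: str, resource: str, namespace: str, group: str = "") -> bool:
    """Deny by default and purely additive: one granting binding suffices,
    and no binding ever subtracts a permission granted by another."""
    for role_name, binding_ns, subjects in BINDINGS:
        if subject not in subjects:
            continue
        # A RoleBinding only grants inside its own namespace (even if it names a
        # ClusterRole); a ClusterRoleBinding grants in every namespace.
        if binding_ns is not None and binding_ns != namespace:
            continue
        if any(r.matches(group, resource, verb) for r in ROLES[role_name][1]):
            return True
    return False
```

The same questions can be asked of a live cluster with `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:default:heron-apiserver -n <namespace>`, which is the check to run after applying the manifests.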
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
