surahman edited a comment on pull request #3710:
URL: https://github.com/apache/incubator-heron/pull/3710#issuecomment-932636387


   I am not sure if you tried this, but I think we need to set up a [`Service Account`](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) and assign it to the Heron API Server Pod. We then bind the Role to the `Service Account` [like so](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects).
   
   From [Stack Overflow](https://stackoverflow.com/questions/52995962/kubernetes-namespace-default-service-account):
   
   > 5. The default permissions for a service account don't allow it to list or modify any resources. The default service account isn't allowed to view cluster state, let alone modify it in any way.
   
   **_Edit:_**
   It appears as though the `ClusterRoles` and `ServiceAccount` are in the K8s configs for the Heron API Server:
   
   * [General](https://github.com/apache/incubator-heron/blob/master/deploy/kubernetes/general/apiserver.yaml)
   * [Minikube](https://github.com/apache/incubator-heron/blob/master/deploy/kubernetes/minikube/apiserver.yaml)
   
   This makes life a lot easier, with only the following being additionally required:
   
   <details>
     <summary>Role</summary>
   
   ```yaml
   apiVersion: rbac.authorization.k8s.io/v1
   kind: Role
   metadata:
     name: heron-apiserver-configmap-role
     namespace: default
   rules:
   - apiGroups:
     - ""
     resources:
     - configmaps
     verbs:
     - get
     - watch
     - list
   ```
   </details>
   
   <details>
     <summary>RoleBinding</summary>
   
   ```yaml
   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     name: heron-apiserver-configmap-rolebinding
     namespace: default
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: Role
     name: heron-apiserver-configmap-role
   subjects:
   - kind: ServiceAccount
     name: heron-apiserver
     namespace: default
   ```
   </details>
   
   I think it would be safe to add these to the Heron API Server K8s configs because it is adequately restrictive. It would be very unwise of anyone to place sensitive information in a general resource in any namespace; they should be using a `Secret`, and I believe we should not be opening a security loophole here.
   
   I also believe it is possible to assign multiple `Role`s and `ClusterRole`s to the same `ServiceAccount`. RBAC is additive and only whitelists permissions. @nicknezis, when you have some time, could you please give the `Role`s a once-over and test? If all is well, I can update the K8s deployment scripts.
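The additive, allow-only semantics described in the comment above, as an added example that is not part of the PR or the Heron project: a minimal model of how Kubernetes evaluates a namespaced `Role` plus `RoleBinding`, replaying the two manifests from the comment (transcribed as Python dicts) against a few requests. It assumes only namespaced Roles and RoleBindings (no ClusterRoles, aggregation or deny rules, which real clusters handle beyond this model).

```python
"""Minimal model of Kubernetes RBAC evaluation (additive, allow-only).

Added example, not from the Heron PR. Models namespaced Roles and
RoleBindings only; ClusterRoles and aggregation are out of scope.
"""

# The Role and RoleBinding from the comment, transcribed as Python dicts.
ROLE = {
    "kind": "Role",
    "metadata": {"name": "heron-apiserver-configmap-role", "namespace": "default"},
    "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "watch", "list"]}],
}
ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "heron-apiserver-configmap-rolebinding", "namespace": "default"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "heron-apiserver-configmap-role"},
    "subjects": [{"kind": "ServiceAccount", "name": "heron-apiserver", "namespace": "default"}],
}


def _matches(values, wanted):
    """A rule field matches when it lists the exact value or the wildcard '*'."""
    return "*" in values or wanted in values


def rule_allows(rule, verb, resource, api_group):
    """A single rule allows a request only if apiGroup, resource and verb all match."""
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def can_i(roles, bindings, sa_name, sa_namespace, verb, resource, namespace, api_group=""):
    """True if some RoleBinding in `namespace` names the service account and references
    a Role whose rules allow the request. There is no deny rule: grants from several
    bindings are unioned, so adding a binding can only widen what is allowed."""
    roles_by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        subject_hit = any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                          and s.get("namespace", namespace) == sa_namespace
                          for s in binding["subjects"])
        if not subject_hit or binding["roleRef"]["kind"] != "Role":
            continue
        role = roles_by_key.get((namespace, binding["roleRef"]["name"]))
        if role and any(rule_allows(rule, verb, resource, api_group) for rule in role["rules"]):
            return True
    return False  # nothing granted it: the default for every subject, including the default SA
```

Running `can_i` for `get configmaps` returns True while `delete configmaps`, `get secrets` and any request from the `default` service account return False, which is the "adequately restrictive" property the comment relies on.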


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
