michaeljmarshall commented on issue #19771: URL: https://github.com/apache/pulsar/issues/19771#issuecomment-1470435012
Great points about the integration. At this point, I think it makes sense to skip the integration with the TokenReview API. The design could be such that a future addition could add it if deemed necessary/valuable. > Also, one can control the token TTL in the function pod spec, so you can limit the exposure. Makes sense. Are you thinking we should let the function worker create the service accounts? I hadn't considered that option. In your opinion, how configurable should that be? Creating service accounts requires an increased permission on the function worker within the k8s cluster, which introduces a new risk because a function worker could then potentially be used to create service accounts with excessive permissions. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
