kubebb/core

limit manager's permission to align with the principle of least privilege

bjwswang opened this issue · 1 comments

Since we use the user's own identity to handle component installation, we should limit the manager's permission to align with the principle of least privilege.

The componentplan requires sufficient permissions to complete the deployment of components. We use Creator (filled by webhook) to make sure the controller uses the creator's permission to finish the deployment.

If we remove create/update/delete permissions of services, deployments, pods, secrets, etc. from the core operator, it won't work any more if the webhook is disabled.
Let's keep cluster admin for core until we find a better solution.