Use migration-controller SA instead of mig SA for remote connection
Closed this issue · 2 comments
We just ran into a confusing issue where GVR was working when the controller was running on the destination 4 cluster but not on the source 3 cluster.
The reason is that when the controller is running on the destination and making calls against the source, it is using the mig SA token, which is more privileged (basically full cluster-admin).
When the controller is running on the source cluster making queries against the source, it's using the migration-controller SA.
The proposal is, when time permits, to make an update that creates the migration-controller SA regardless of whether the migration-controller is installed, drop the mig SA, and instruct users to use this SA token for the controller remote connection so the permissions are identical on both sides.
This aligns with the non-admin work to scope down the mig SA to a reasonable clusterrole rather than cluster-admin. Using the mig-controller SA makes a lot of sense to accomplish this. Will take this on this sprint.
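The permission mismatch discussed in this issue, as an added example that is not part of the original thread or the project's code: it evaluates the same requests against two RBAC rule sets and reports where the outcomes differ. The scoped rules for `migration-controller` and the request list are constructed for illustration and are not the project's real ClusterRole.

```python
# Added example: find requests that one service account's RBAC rules allow
# and another's deny. All rule sets and requests below are constructed.

def rule_allows(rule, group, resource, verb):
    """Kubernetes PolicyRule match for resource requests ('*' is a wildcard)."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))

def allowed(rules, request):
    # RBAC is additive: a request is allowed if any single rule matches it.
    return any(rule_allows(r, *request) for r in rules)

def permission_drift(rules_a, rules_b, requests):
    """Return (request, allowed_a, allowed_b) for requests whose outcome differs."""
    drift = []
    for req in requests:
        a, b = allowed(rules_a, req), allowed(rules_b, req)
        if a != b:
            drift.append((req, a, b))
    return drift

# Constructed: "mig" SA bound to cluster-admin, as the issue describes.
MIG_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

# Constructed, hypothetical scoped role for the "migration-controller" SA.
MIGRATION_CONTROLLER_RULES = [
    {"apiGroups": [""], "resources": ["namespaces", "pods"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
]

# Constructed requests a controller might issue: (apiGroup, resource, verb).
REQUESTS = [
    ("", "pods", "list"),
    ("apps", "deployments", "list"),
    ("apiextensions.k8s.io", "customresourcedefinitions", "list"),
    ("", "secrets", "get"),
]

if __name__ == "__main__":
    for (group, resource, verb), mig_ok, mc_ok in permission_drift(
            MIG_RULES, MIGRATION_CONTROLLER_RULES, REQUESTS):
        print(f"{verb} {group or 'core'}/{resource}: "
              f"mig={mig_ok} migration-controller={mc_ok}")
```

An empty result from `permission_drift` for the controller's full request set is the condition the proposal aims for: the same token scope on both sides of the remote connection.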