Please do not leave "+1" or other comments that do not add relevant new information or questions; they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
What is the outcome that you are trying to reach?
Adhering to the principle of least privilege is a best practice in Kubernetes RBAC. The Spark operator currently has a ClusterRole with overly broad permissions, which can lead to security risks (see spark-operator/charts/spark-operator-chart/templates/rbac.yaml, lines 66 to 84 at commit 6ded3ac).
Describe the solution you would like
Create a ClusterRole for the Spark operator in the release namespace, and create a Role in every namespace where Spark applications are deployed. The ClusterRole should grant permissions to cluster-scoped resources such as Node and Lease, while the Role should grant permissions for namespaced resources like SparkApplication, Pod, ConfigMap, and Event.
The RBAC resources for the Spark operator should be managed by Helm, not by Helm hooks.
Create a ServiceAccount, ClusterRole, and Role specifically for the Spark operator webhook. These should be created by Helm pre-install and pre-upgrade hooks, and should be deleted after the completion of these hooks.
MutatingWebhookConfiguration and ValidatingWebhookConfiguration should be managed by Helm hooks, not by the Spark operator.
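The ClusterRole/Role split proposed above, sketched as a Helm template (an added example, not code from the spark-operator chart). It assumes a hypothetical values key `sparkJobNamespaces` listing the namespaces where SparkApplications run and a ServiceAccount named `spark-operator` in the release namespace; verbs are a plausible minimum, not the chart's actual rules.

```yaml
# Added example: least-privilege split between a ClusterRole (cluster-scoped
# resources) and one Role per job namespace (namespaced resources).
# Assumptions (hypothetical, not taken from the chart): job namespaces are listed
# under .Values.sparkJobNamespaces; the service account is "spark-operator".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: spark-operator
rules:
  # Only the resources the issue places at cluster scope live here.
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create", "get", "update"]
{{- range .Values.sparkJobNamespaces }}
---
# One Role per namespace where SparkApplications are deployed; the RoleBinding
# below grants it to the operator's service account in the release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: spark-operator
  namespace: {{ . }}
rules:
  - apiGroups: ["sparkoperator.k8s.io"]
    resources: ["sparkapplications", "sparkapplications/status"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods", "configmaps"]
    verbs: ["create", "get", "list", "watch", "patch", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spark-operator
  namespace: {{ . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: spark-operator
subjects:
  - kind: ServiceAccount
    name: spark-operator
    namespace: {{ $.Release.Namespace }}
{{- end }}
```

The ClusterRoleBinding for the ClusterRole and the ServiceAccount itself are omitted here; no rule in the Role reaches outside its own namespace, so a compromised operator token in one job namespace cannot touch Pods or ConfigMaps in another.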
Describe alternatives you have considered
Additional context