Please describe your use case / problem.
A review of the RBAC permissions given to the edge-stack pods seems overly permissive. Here are some examples:
https://github.com/emissary-ingress/emissary/blob/5e03b912c048c2db25763dbf77265792199ebbad/charts/emissary-ingress/templates/rbac.yaml#L87-L90
https://github.com/datawire/edge-stack/blob/main/charts/edge-stack/templates/rbac.yaml#L27-L29
Does this actually need to read every secret in every namespace?
Similarly, it's allowed to delete any CRD.
Describe the solution you'd like
At minimum, it would be nice to have an explanation of what's going on that seems to require these permissions. Better would be to be a bit more verbose about what secrets, CRDs, etc. that actually need to be managed.
Describe alternatives you've considered
Disabling unsavory permissions until I've had a chance to review the code and/or see errors in the logs.
Additional context
n/a
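One way to check a role for the two grants questioned above (read access to every secret, deletion of any CRD), as an added example that is not part of the original issue or of either chart. The sample role is constructed rather than copied from the linked rbac.yaml files, the function and constant names are hypothetical, and the check assumes the role is bound cluster-wide through a ClusterRoleBinding.

```python
import json

# Constructed sample ClusterRole (not copied from either chart): it carries the two
# grants the issue questions plus one narrowly scoped rule for contrast.
SAMPLE_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-ingress"},
  "rules": [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
     "verbs": ["get", "list", "watch", "delete"]},
    {"apiGroups": [""], "resources": ["secrets"], "resourceNames": ["tls-cert"],
     "verbs": ["get"]}
  ]
}
""")

# (apiGroup, resource, verbs worth flagging, label)
CHECKS = [
    ("", "secrets", {"get", "list", "watch"}, "cluster-wide secret read"),
    ("apiextensions.k8s.io", "customresourcedefinitions",
     {"delete", "deletecollection"}, "CRD deletion"),
]

def _matches(values, wanted):
    """RBAC treats '*' as matching every group, resource or verb."""
    return "*" in values or wanted in values

def audit_role(role):
    """Return (rule_index, label, verbs) for each rule granting a flagged permission."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        if rule.get("resourceNames"):
            continue  # limited to named objects, so not an "every secret" grant
        verbs = set(rule.get("verbs", []))
        for group, resource, risky, label in CHECKS:
            if not (_matches(rule.get("apiGroups", []), group)
                    and _matches(rule.get("resources", []), resource)):
                continue
            hit = risky if "*" in verbs else verbs & risky
            if hit:
                findings.append((i, label, sorted(hit)))
    return findings

if __name__ == "__main__":
    for idx, label, verbs in audit_role(SAMPLE_ROLE):
        print(f"rule {idx}: {label} via {verbs}")
```

The same function can be run over each item of `kubectl get clusterrole -o json` output to review what an installed chart actually grants.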