Unused ClusterRole knative-serving-istio #995

Open
@a7i

ClusterRole knative-serving-istio seems to not be binding to any RoleBinding/ClusterRoleBindings.
https://github.com/knative-sandbox/net-istio/blob/main/config/200-clusterrole.yaml

net-istio-controller Deployment is using the ServiceAccount controller which is used by the knative-serving Controller. This ServiceAccount already has the following permissions from ClusterRole knative-serving-admin:

```yaml
- apiGroups:
  - networking.istio.io
  resources:
  - virtualservices
  - gateways
  - destinationrules
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
```

It would be ideal for net-istio-controller to use its own ServiceAccount with its own permissions and follow the principle of least privilege.

Labels:

- kind/enhancement
- lifecycle/frozen: Indicates that an issue or PR should not be auto-closed due to staleness.
- triage/accepted: Issues which should be fixed (post-triage)
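An added example, not part of the original issue or the project's code: one way to audit for ClusterRoles that no RoleBinding or ClusterRoleBinding references, while separating out roles that still take effect because a bound ClusterRole's `aggregationRule` selects them by label. The role and ServiceAccount names come from the issue; the `example.test/aggregate` label, the aggregation rule, `orphan-example` and the binding name are constructed for the sample and say nothing about the real manifests.

```python
"""Classify ClusterRoles as bound, aggregated, or unbound from kubectl JSON items."""

def selector_matches(selector, labels):
    # Only matchLabels is evaluated; a selector without matchLabels matches all,
    # so roles selected via matchExpressions are never reported as unbound.
    want = selector.get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in want.items())

def classify_clusterroles(items):
    roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    bound = {i["roleRef"]["name"] for i in items
             if i["kind"] in ("RoleBinding", "ClusterRoleBinding")
             and i["roleRef"]["kind"] == "ClusterRole"}
    parents = {}  # child ClusterRole -> ClusterRoles whose aggregationRule selects it
    for pname, parent in roles.items():
        sels = (parent.get("aggregationRule") or {}).get("clusterRoleSelectors") or []
        for cname, child in roles.items():
            labels = child["metadata"].get("labels") or {}
            if cname != pname and any(selector_matches(s, labels) for s in sels):
                parents.setdefault(cname, set()).add(pname)
    live = set(bound) & set(roles)  # roles whose rules reach some subject
    while True:  # follow aggregation chains until nothing new becomes live
        new = {c for c, ps in parents.items() if c not in live and ps & live}
        if not new:
            break
        live |= new
    return {n: "bound" if n in bound else "aggregated" if n in live else "unbound"
            for n in roles}

# Constructed sample: labels, aggregation rule, orphan-example and the binding
# name are assumptions for illustration, not taken from the real manifests.
SAMPLE = [
    {"kind": "ClusterRole", "metadata": {"name": "knative-serving-admin"},
     "aggregationRule": {"clusterRoleSelectors": [
         {"matchLabels": {"example.test/aggregate": "true"}}]}},
    {"kind": "ClusterRole", "metadata": {"name": "knative-serving-istio",
                                         "labels": {"example.test/aggregate": "true"}}},
    {"kind": "ClusterRole", "metadata": {"name": "orphan-example"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "controller-admin-example"},
     "roleRef": {"kind": "ClusterRole", "name": "knative-serving-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "controller"}]},
]

if __name__ == "__main__":
    for name, status in classify_clusterroles(SAMPLE).items():
        print(f"{status:10} {name}")
```

On a live cluster, the `items` array from `kubectl get clusterroles,clusterrolebindings,rolebindings -A -o json` can be passed to `classify_clusterroles` directly.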