Drop cluster-admin for eventing controller #207

Closed
mattmoor opened this issue Jul 17, 2018 · 4 comments

@mattmoor
Member

This is configured here.

In Serving we create a custom role here.

cc @vaikas-google

@evankanderson
Member

From #113:

Don't give cluster-admin to the binder service account. The README mentions that you shouldn't run in prod, but as pointed out by @scothis, there are people who will not read that :) So, as a follow-on PR, we should tighten up the permissions that we use in our examples to be the bare minimum.

scothis added a commit to scothis/eventing that referenced this issue Aug 15, 2018
Buses can create dispatcher and provision deployments. Previously, these
deployments were created in the same namespace as the Bus resource,
which required RBAC rules to be configured to enable the deployments to
read and update Bus, Channel and Subscription resources.

By moving these deployments into the knative-eventing system namespace,
we can use a pre-determined service account and RBAC configuration.
Since the bus-controller no longer needs to create service accounts and
role bindings, the controller can run with reduced privilege (follow
 knative#207 for that change).

Fixes knative#349
knative-prow-robot pushed a commit that referenced this issue Aug 15, 2018
* Move bus deployments to knative-eventing

Buses can create dispatcher and provision deployments. Previously, these
deployments were created in the same namespace as the Bus resource,
which required RBAC rules to be configured to enable the deployments to
read and update Bus, Channel and Subscription resources.

By moving these deployments into the knative-eventing system namespace,
we can use a pre-determined service account and RBAC configuration.
Since the bus-controller no longer needs to create service accounts and
role bindings, the controller can run with reduced privilege (follow
 #207 for that change).

Fixes #349

* Update logging instructions
@vaikas vaikas added this to the v0.4.0 milestone Jan 4, 2019
@vaikas vaikas modified the milestones: v0.4.0, v0.5.0 Mar 6, 2019
@evankanderson
Member

This is a dup of #749

@evankanderson
Member

/close

@knative-prow-robot
Contributor

@evankanderson: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
