Unused ClusterRole knative-serving-istio #995

Open
a7i opened this issue Oct 7, 2022 · 2 comments
Labels
kind/enhancement lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. triage/accepted Issues which should be fixed (post-triage)

Comments


a7i commented Oct 7, 2022

ClusterRole knative-serving-istio does not seem to be bound by any RoleBinding/ClusterRoleBinding.
https://github.com/knative-sandbox/net-istio/blob/main/config/200-clusterrole.yaml

The net-istio-controller Deployment is using the ServiceAccount controller, which is used by the knative-serving Controller. This ServiceAccount already has the following permissions from ClusterRole knative-serving-admin:

```yaml
- apiGroups:
  - networking.istio.io
  resources:
  - virtualservices
  - gateways
  - destinationrules
  verbs:
  - get
  - list
  - create
  - update
  - delete
  - patch
  - watch
```

It would be ideal for net-istio-controller to use its own ServiceAccount with its own permissions and follow the principle of least privilege.
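An added example, not part of the original issue or the project's code: one way to audit which ClusterRoles are actually in effect. It goes beyond the binding check described above by also following `aggregationRule` selectors, since a ClusterRole with no binding of its own can still contribute rules to a bound role. The sample objects and the label key are constructed for illustration.

```python
import json

# Constructed sample objects (not taken from a real cluster or from the repo);
# the label key example.dev/aggregate-to-admin is hypothetical.
SAMPLE = json.loads("""[
 {"kind": "ClusterRole", "metadata": {"name": "knative-serving-admin"},
  "aggregationRule": {"clusterRoleSelectors": [
    {"matchLabels": {"example.dev/aggregate-to-admin": "true"}}]}},
 {"kind": "ClusterRole", "metadata": {"name": "knative-serving-istio",
  "labels": {"example.dev/aggregate-to-admin": "true"}}},
 {"kind": "ClusterRole", "metadata": {"name": "orphan-role"}},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "controller-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "knative-serving-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "controller",
                "namespace": "knative-serving"}]}
]""")

def selector_matches(selector, labels):
    """matchLabels only; matchExpressions are ignored, which errs on the
    side of reporting a role as aggregated rather than unused."""
    wanted = selector.get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())

def classify_cluster_roles(items):
    """Map each ClusterRole name to 'bound', 'aggregated into <role>' or 'unused'."""
    roles = {o["metadata"]["name"]: o for o in items if o["kind"] == "ClusterRole"}
    bound = {o["roleRef"]["name"] for o in items
             if o["kind"] in ("ClusterRoleBinding", "RoleBinding")
             and o["roleRef"]["kind"] == "ClusterRole"}
    status = {name: "bound" for name in roles if name in bound}
    changed = True
    while changed:  # follow aggregation transitively from roles already in effect
        changed = False
        for parent in list(status):
            rule = roles[parent].get("aggregationRule") or {}
            for sel in rule.get("clusterRoleSelectors") or []:
                for name, role in roles.items():
                    labels = role["metadata"].get("labels") or {}
                    if name not in status and selector_matches(sel, labels):
                        status[name] = "aggregated into " + parent
                        changed = True
    for name in roles:
        status.setdefault(name, "unused")
    return status

if __name__ == "__main__":
    for name, state in sorted(classify_cluster_roles(SAMPLE).items()):
        print(f"{name}: {state}")
```

To audit a live cluster, pass the `items` array from `kubectl get clusterroles,clusterrolebindings,rolebindings -A -o json` instead of `SAMPLE`.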

@a7i a7i changed the title ClusterRle knative-serving-istio ClusterRole knative-serving-istio Oct 7, 2022
@a7i a7i changed the title ClusterRole knative-serving-istio Unused ClusterRole knative-serving-istio Oct 7, 2022

github-actions bot commented Jan 6, 2023

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 6, 2023
Contributor

dprotaso commented Feb 2, 2023

/lifecycle frozen

@knative-prow knative-prow bot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 2, 2023
@ReToCode ReToCode added kind/enhancement triage/accepted Issues which should be fixed (post-triage) labels Feb 15, 2023