surahman edited a comment on pull request #3710:
URL: https://github.com/apache/incubator-heron/pull/3710#issuecomment-930428115


A very quick attempt at setting up `RBAC` for K8s. We need to get the K8s API key and I am unsure if this is already in the `configuration` object. There is a `setSecretKeyRefs`, but this is setting up environment variables for the containers.

I have not wired the `configureRBAC` into the `V1Controller` constructor yet, pending getting the K8s API key set up in the routine.

**_Edit:_**
It appears as though the `ClusterRoles` and `ServiceAccount` are in the K8s configs for the [Heron API Server](https://raw.githubusercontent.com/apache/incubator-heron/master/deploy/kubernetes/minikube/apiserver.yaml). This makes life a lot easier, with only the following being additionally required:

<details>
  <summary>Role</summary>

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: heron-apiserver-configmap-role
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - watch
  - list
```
</details>

<details>
  <summary>RoleBinding</summary>

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: heron-apiserver-configmap-rolebinding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: heron-apiserver-configmap-role
subjects:
- kind: ServiceAccount
  name: heron-apiserver
  namespace: default
```
</details>

I think it would be safe to add these to the Heron API Server K8s configs because they are adequately restrictive. I am not sure if both a `ClusterRole` and a `Role` can be assigned at the same time; if not, we would need to aggregate into the `ClusterRole`. The `ClusterRole` has a reference to `cluster-admin`, and I believe this is why it can submit topologies.
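The comment above asks whether a `Role` and a `ClusterRole` can be bound to the same `ServiceAccount` at once. Kubernetes RBAC is purely additive (there are no deny rules), so the effective permissions are the union of everything granted through every `RoleBinding` and `ClusterRoleBinding` that names the subject. The following is an added example, not code from the Heron project or this pull request: a small offline model of that evaluation. The `Role` and `RoleBinding` dicts mirror the manifests in the comment; the `ClusterRole` and `ClusterRoleBinding` (`example-pod-reader`) are constructed stand-ins for whatever `apiserver.yaml` actually defines, chosen to be narrow so the additive behaviour is visible.

```python
"""Offline model of Kubernetes RBAC evaluation (added example, not Heron code).

The Role/RoleBinding below mirror the manifests proposed in the PR comment.
The ClusterRole/ClusterRoleBinding are constructed placeholders standing in
for the cluster-scoped grants assumed to live in the Heron apiserver.yaml.
"""
from typing import Any, Dict, List, Optional, Tuple

# --- constructed manifests, as Python dicts rather than YAML ---------------
ROLE: Dict[str, Any] = {
    "kind": "Role",
    "metadata": {"name": "heron-apiserver-configmap-role", "namespace": "default"},
    "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "watch", "list"]}],
}
ROLE_BINDING: Dict[str, Any] = {
    "kind": "RoleBinding",
    "metadata": {"name": "heron-apiserver-configmap-rolebinding", "namespace": "default"},
    "roleRef": {"kind": "Role", "name": "heron-apiserver-configmap-role"},
    "subjects": [{"kind": "ServiceAccount", "name": "heron-apiserver", "namespace": "default"}],
}
# Hypothetical cluster-scoped grant (NOT the real Heron ClusterRole): read-only on pods.
CLUSTER_ROLE: Dict[str, Any] = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-pod-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}
CLUSTER_ROLE_BINDING: Dict[str, Any] = {
    "kind": "ClusterRoleBinding",
    "roleRef": {"kind": "ClusterRole", "name": "example-pod-reader"},
    "subjects": [{"kind": "ServiceAccount", "name": "heron-apiserver", "namespace": "default"}],
}

# Lookup table keyed by (kind, namespace-or-None, name); ClusterRoles have no namespace.
ROLES: Dict[Tuple[str, Optional[str], str], Dict[str, Any]] = {
    ("Role", "default", "heron-apiserver-configmap-role"): ROLE,
    ("ClusterRole", None, "example-pod-reader"): CLUSTER_ROLE,
}
BINDINGS: List[Dict[str, Any]] = [ROLE_BINDING, CLUSTER_ROLE_BINDING]


def _rule_matches(rule: Dict[str, Any], api_group: str, resource: str, verb: str) -> bool:
    """A rule matches when each of group, resource and verb is listed or wildcarded."""
    def listed(values: List[str], wanted: str) -> bool:
        return "*" in values or wanted in values
    return (listed(rule["apiGroups"], api_group)
            and listed(rule["resources"], resource)
            and listed(rule["verbs"], verb))


def _subject_matches(subject: Dict[str, Any], sa_name: str, sa_namespace: str) -> bool:
    return (subject["kind"] == "ServiceAccount"
            and subject["name"] == sa_name
            and subject["namespace"] == sa_namespace)


def can_i(sa_namespace: str, sa_name: str, verb: str, resource: str,
          namespace: str, api_group: str = "") -> bool:
    """True if ANY binding grants `verb` on `resource` in `namespace`.

    Bindings are checked independently and their grants are unioned, which is
    why a Role and a ClusterRole bound to the same ServiceAccount coexist.
    """
    for binding in BINDINGS:
        if not any(_subject_matches(s, sa_name, sa_namespace) for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        if binding["kind"] == "RoleBinding":
            # A RoleBinding only ever grants inside its own namespace, even when
            # it references a ClusterRole.
            if namespace != binding["metadata"]["namespace"]:
                continue
            role_ns = binding["metadata"]["namespace"] if ref["kind"] == "Role" else None
        else:
            role_ns = None  # ClusterRoleBinding: applies in every namespace
        role = ROLES.get((ref["kind"], role_ns, ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        if any(_rule_matches(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    for verb, res, ns in [("get", "configmaps", "default"),
                          ("delete", "configmaps", "default"),
                          ("get", "configmaps", "kube-system"),
                          ("get", "pods", "kube-system")]:
        print(f"heron-apiserver {verb} {res} in {ns}: "
              f"{can_i('default', 'heron-apiserver', verb, res, ns)}")
```

Against a live cluster the same questions are answered by `kubectl auth can-i get configmaps -n default --as=system:serviceaccount:default:heron-apiserver`, which is the check worth running after the manifests are applied. One caveat the model makes obvious: if the existing `ClusterRole` really does carry `cluster-admin` permissions, the narrow `Role` above is additive but redundant, because the union already includes everything; the `Role` only becomes a meaningful restriction once the cluster-scoped grant is narrowed.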
