rickchengx commented on pull request #4174: URL: https://github.com/apache/zeppelin/pull/4174#issuecomment-901839227
> In my opinion an additional step should be needed to give the Zeppelin server more rights on a namespace via a RoleBinding. Creating a ClusterRoleBinding gives too many rights to the zeppelin-server. With a ClusterRoleBinding the Zeppelin server has rights in namespaces that are not used by the Zeppelin server at all. Sorry for the late response. I agree that `clusterrole` may gives too many rights to the zeppelin server. But the zeppelin server pod uses the service account created in <https://github.com/apache/zeppelin/blob/master/k8s/zeppelin-server.yaml#L199>, which is a namespaced resource. Assuming that the zeppelin server and its service account are created in `default` namespace. And if the `zeppelin-server.yaml` uses the `rolebinding` to obtain the permissions in another namespace (such as `spark`), it cannot find the created service account in `default` namespace. Or is there other ways to set the separate namespace with `role` and `rolebinding`? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@zeppelin.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
