# general
o
semi-off-topic but for those of you doing Pulumi/K8s - what's a good baseline for creating/understanding the RBAC role an application should have in its namespace?
c
What kind of guidelines are you looking for?
Generally you want roles to be as restrictive as possible
o
guess it really depends on the application. I'll review all the possible apiGroups and resources and track down some examples
c
typically you separate infrastructure and apps, and really lock down infrastructure.
o
what are the implications of that... it blurs when a lot of these sample/canonical Helm charts set up the service accounts and RBAC it appears
c
Usually they expose options to plug into existing infrastructure.
I’m not sure how to answer the question though.
o
is that where the create: true/false comes in?
    serviceAccounts:
      alertmanager:
        create: true
        name:
      kubeStateMetrics:
        create: true
        name:
      nodeExporter:
        create: true
        name:
      pushgateway:
        create: true
        name:
      server:
        create: true
        name:
c
yeah, usually there is a flag like that.
o
ok - so for example, the prometheus core server:
creation of the clusterrole
c
yeah, I suppose
anyway, the main thing is that this makes some things harder to do.