#general

orange-tailor-85423

11/20/2018, 10:59 PM
semi-off-topic but for those of you doing Pulumi/K8s - what's a good baseline for creating/understanding the RBAC role an application should have in its namespace?

creamy-potato-29402

11/20/2018, 11:00 PM
What kind of guidelines are you looking for?
Generally you want roles to be as restrictive as possible

orange-tailor-85423

11/20/2018, 11:12 PM
guess it really depends on the application. I'll review all the possible apiGroups and resources and track down some examples

creamy-potato-29402

11/20/2018, 11:18 PM
typically you separate infrastructure and apps, and really lock down infrastructure.

orange-tailor-85423

11/20/2018, 11:19 PM
what are the implications of that... it blurs when a lot of these sample/canonical Helm charts set up the service accounts and RBAC it appears

creamy-potato-29402

11/20/2018, 11:19 PM
Usually they expose options to plug into existing infrastructure.
I’m not sure how to answer the question though.
is that where the create: true/false comes in?
```yaml
serviceAccounts:
  alertmanager:
    create: true
    name:
  kubeStateMetrics:
    create: true
    name:
  nodeExporter:
    create: true
    name:
  pushgateway:
    create: true
    name:
  server:
    create: true
    name:
```

creamy-potato-29402

11/20/2018, 11:21 PM
yeah, usually there is a flag like that.

orange-tailor-85423

11/20/2018, 11:23 PM
ok - so for example, the prometheus core server:
creation of the clusterrole

creamy-potato-29402

11/20/2018, 11:32 PM
yeah, I suppose
anyway, the main thing is that this makes some things harder to do.