No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

What kind of guidelines are you looking for?

Generally you want roles to be as restrictive as possible

guess it really depends on the application.  I'll review all the possible apiGroups and resources and track down some examples

typically you separate infrastructure and apps, and _really_ lock down infrastructure.

what are the implications of that... it blurs when a lot of these sample/canonical Helm charts set up the service accounts and RBAC it appears

Usually they expose options to plug into existing infrastructure.

I’m not sure how to answer the question though.

<https://github.com/helm/charts/blob/master/stable/prometheus/values.yaml>

is that where the create: true/false comes in

serviceAccounts:
  alertmanager:
    create: true
    name:
  kubeStateMetrics:
    create: true
    name:
  nodeExporter:
    create: true
    name:
  pushgateway:
    create: true
    name:
  server:
    create: true
    name:

ok - so for example, the prometheus core server:

<https://github.com/helm/charts/blob/master/stable/prometheus/templates/server-clusterrole.yaml>

anyway, the main thing is that this makes some things harder to do.