Separate permissions for calico/node and calico/cni #5921

Closed
caseydavenport opened this issue Apr 15, 2022 · 0 comments

@caseydavenport
Member

Expected Behavior

As discussed here: #5910 (comment)

We can introduce a service account specifically for our CNI plugin - this would be a nice improvement rather than sharing serviceaccounts between calico/node and the CNI plugin, since they required similar but ultimately different permissions.

Current Behavior

serviceaccount and RBAC resources shared between calico/node and CNI plugin.

Possible Solution

  • Add new calico-cni serviceaccount, clusterrole, and binding.
  • Split out permissions and tidy up calico-node RBAC resources.
  • Make sure upgrade works alright (may need a grace period where both get the superset of permissions)