[Strimzi] Cluster operator privileges

Daniel Beilin dandaniel97 at gmail.com
Tue Nov 27 12:38:05 UTC 2018


Thank you so much for your detailed response! It clarifies many things.

Daniel

On Tue, Nov 27, 2018, 14:24 Jakub Scholz <jakub at scholz.cz> wrote:

> Hi Daniel,
>
> Strimzi is using secrets for certificates etc. So we do need the access to
> them. That said, the access to secrets is limited to the namespace where
> the operators watch for the custom resources / manage the clusters. So you
> can easily limit it to be able to access the secrets only for given
> namespace. That way you should be able to ensure that it will not have
> access to any secrets which do not belong to it (if you use namespace
> dedicated for Strimzi / Kafka).
>
> The permissions we have in the installation files should be created based
> on what we really need. I do not think there is much space to cut them
> down. You can remove the cluster roles for reading node labels if you do
> not plan to use the rack awareness feature or expose Kafka outside of your
> Kubernetes cluster using node ports.
>
> Thanks & Regards
> Jakub
>
> On Tue, Nov 27, 2018 at 1:14 PM Daniel Beilin <dandaniel97 at gmail.com>
> wrote:
>
>> I work in an organization that has strict security; we are trying to
>> implement Strimzi and we are worried about the cluster role privileges that
>> are granted, specifically about the permission to read, write and edit
>> client secrets. Is it necessary to give it those permissions? Furthermore,
>> is it possible to harden those permissions?
>>
>> Thank you in advance,
>> Daniel
>>
>> _______________________________________________
>> Strimzi mailing list
>> Strimzi at redhat.com
>> https://www.redhat.com/mailman/listinfo/strimzi
>>
>
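The namespace limit Jakub describes rests on one Kubernetes RBAC rule: a RoleBinding grants the referenced role only inside the binding's namespace, even when the role it references is a ClusterRole, whereas a ClusterRoleBinding grants it in every namespace and for cluster-scoped resources such as nodes. The following is an added example, not code from the thread and not Strimzi's own install files: an offline evaluator of that rule over a small, constructed set of RBAC objects shaped like a Strimzi deployment. The role names, rules, the `kafka` namespace and the `strimzi-cluster-operator` service account are assumptions chosen for the illustration. It shows the default layout (secrets reachable only in `kafka`, nodes readable cluster-wide), the hardened layout with the node-label grant removed as Jakub suggests, and the misconfiguration worth checking for: the namespaced role bound with a ClusterRoleBinding, which exposes every namespace's secrets.

```python
"""Offline 'can the operator do X?' check over Kubernetes RBAC objects.

Added example, not Strimzi's manifests. The objects below are constructed to
resemble a Strimzi install; their names and rules are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One PolicyRule; "*" is a wildcard in each field, as in real RBAC."""
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]

    def allows(self, group: str, resource: str, verb: str) -> bool:
        return (("*" in self.api_groups or group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))


@dataclass(frozen=True)
class Binding:
    role_kind: str              # "Role" or "ClusterRole" (the roleRef kind)
    role_name: str
    subjects: Tuple[str, ...]   # "namespace:serviceaccount"
    namespace: Optional[str]    # None means this is a ClusterRoleBinding


# Roles keyed by (kind, name) -> their rules.
Roles = Dict[Tuple[str, str], List[Rule]]


def can_i(roles: Roles, bindings: List[Binding], subject: str,
          verb: str, resource: str, namespace: Optional[str] = None,
          group: str = "") -> bool:
    """True if `subject` may do `verb` on `resource`.

    namespace=None means a cluster-scoped request (e.g. nodes).
    """
    for b in bindings:
        if subject not in b.subjects:
            continue
        if b.namespace is not None and b.namespace != namespace:
            # RoleBinding: grants only inside its own namespace, and never
            # grants cluster-scoped resources (namespace=None never matches).
            continue
        for rule in roles.get((b.role_kind, b.role_name), []):
            if rule.allows(group, resource, verb):
                return True
    return False


# Assumed operator identity: namespace "kafka", SA "strimzi-cluster-operator".
SA = "kafka:strimzi-cluster-operator"

# Constructed, Strimzi-like roles (simplified; not the project's real rules).
STRIMZI_LIKE_ROLES: Roles = {
    # Namespaced work: secrets hold the CA and client certificates.
    ("ClusterRole", "strimzi-cluster-operator-namespaced"): [
        Rule(("",), ("secrets", "configmaps", "services"),
             ("get", "list", "watch", "create", "delete", "patch", "update")),
        Rule(("kafka.strimzi.io",), ("kafkas",),
             ("get", "list", "watch", "update")),
    ],
    # Cluster-wide: node labels for rack awareness and node-port addresses.
    ("ClusterRole", "strimzi-cluster-operator-global"): [
        Rule(("",), ("nodes",), ("get", "list", "watch")),
    ],
}


def default_bindings() -> List[Binding]:
    """Default layout: ClusterRole bound by a RoleBinding in 'kafka' (secrets
    stay namespaced) plus a ClusterRoleBinding for node access only."""
    return [
        Binding("ClusterRole", "strimzi-cluster-operator-namespaced", (SA,), "kafka"),
        Binding("ClusterRole", "strimzi-cluster-operator-global", (SA,), None),
    ]


def hardened_bindings() -> List[Binding]:
    """Rack awareness and node ports unused: drop the cluster-wide grant."""
    return [b for b in default_bindings() if b.namespace is not None]


def misconfigured_bindings() -> List[Binding]:
    """The mistake to look for: the namespaced role bound cluster-wide."""
    return [Binding("ClusterRole", "strimzi-cluster-operator-namespaced", (SA,), None)]


def secrets_reach(roles: Roles, bindings: List[Binding], subject: str,
                  namespaces: Tuple[str, ...]) -> Dict[str, bool]:
    """Which namespaces' secrets the subject can read under these bindings."""
    return {ns: can_i(roles, bindings, subject, "get", "secrets", ns)
            for ns in namespaces}


if __name__ == "__main__":
    for label, bindings in (("default", default_bindings()),
                            ("hardened", hardened_bindings()),
                            ("misconfigured", misconfigured_bindings())):
        print(label, "secrets:", secrets_reach(STRIMZI_LIKE_ROLES, bindings, SA,
                                               ("kafka", "other")),
              "nodes:", can_i(STRIMZI_LIKE_ROLES, bindings, SA, "get", "nodes"))
```

Against a live cluster the same questions are answered by impersonating the operator's service account, for example `kubectl auth can-i get secrets -n other --as=system:serviceaccount:kafka:strimzi-cluster-operator`, which should print `no` for any namespace other than the one the operator manages; a `yes` there means a ClusterRoleBinding is granting the namespaced role.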