Hi,
My customer has requested a review of the postgres-pod ClusterRole to reduce its permissions to the minimum required.
My tests (which probably are not as complete as you may conduct) suggest the following minimal ruleset is sufficient:
```yaml
rules:
- verbs:
  - create
  - list
  - patch
  - watch
  apiGroups:
  - ""
  resources:
  - endpoints
- verbs:
  - create
  apiGroups:
  - ""
  resources:
  - services
- verbs:
  - list
  - patch
  - watch
  apiGroups:
  - ""
  resources:
  - pods
```
Compared to the current postgres-pod ClusterRole, this would remove the following verbs:
- endpoints: delete, deletecollection, get, update
- pods: get, update
- services: no change
Would you be willing to conduct an official review of the postgres-pod RBAC permissions with the goal of applying the principle of least privilege?
Thanks for the work you've put into this operator.
Regards
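As an added example that is not part of the original issue or of the operator's own code: a small Python check that flattens two RBAC rule sets into per-(apiGroup, resource) verb sets and reports what a least-privilege proposal removes, and whether it silently widens access anywhere. The "current" rules are reconstructed here from the removed-verb list above, not read from the operator's actual ClusterRole.

```python
"""Diff two Kubernetes RBAC rule sets per (apiGroup, resource)."""
from collections import defaultdict

# Constructed: current postgres-pod rules, reconstructed as the proposed set
# plus the verbs the post lists as removed (the real role may differ).
CURRENT_RULES = [
    {"apiGroups": [""], "resources": ["endpoints"],
     "verbs": ["create", "delete", "deletecollection", "get",
               "list", "patch", "update", "watch"]},
    {"apiGroups": [""], "resources": ["services"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["get", "list", "patch", "update", "watch"]},
]
# The proposed minimal ruleset quoted in the post.
PROPOSED_RULES = [
    {"apiGroups": [""], "resources": ["endpoints"],
     "verbs": ["create", "list", "patch", "watch"]},
    {"apiGroups": [""], "resources": ["services"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["list", "patch", "watch"]},
]

def expand(rules):
    """Flatten rules into {(apiGroup, resource): set(verbs)}, unioning overlaps."""
    grants = defaultdict(set)
    for rule in rules:
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                grants[(group, resource)].update(rule.get("verbs", []))
    return grants

def diff_verbs(current, proposed):
    """Return {(apiGroup, resource): (removed_verbs, added_verbs)}.
    Non-empty added_verbs means the proposal widens access somewhere."""
    cur, new = expand(current), expand(proposed)
    return {key: (sorted(cur[key] - new[key]), sorted(new[key] - cur[key]))
            for key in sorted(set(cur) | set(new))}

def report(current, proposed):
    """Render the diff as the bullet list a reviewer would paste in an issue."""
    lines = []
    for (group, resource), (removed, added) in diff_verbs(current, proposed).items():
        name = resource if group == "" else f"{resource}.{group}"
        change = "; ".join(p for p in ("removes " + ", ".join(removed) if removed else "",
                                       "ADDS " + ", ".join(added) if added else "") if p)
        lines.append(f"- {name}: {change or 'no change'}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(CURRENT_RULES, PROPOSED_RULES)))
```

Run it against `kubectl get clusterrole postgres-pod -o json` output (the `rules` field) instead of the constructed list to check the real role.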