provider-gcp
Document exactly what set of permissions is needed for a specific CRD
What problem are you facing?
Users would like to grant the least possible set of permissions to the ServiceAccount they use, but they end up granting wider roles than necessary. For example, the CloudSQL Admin role includes making SQL queries, but the controller never does that.
How could Crossplane help solve your problem?
We can annotate CRDs with the set of permissions controller may ever need, similar to https://github.com/crossplane/provider-aws/issues/514
It seems that permissions are at call granularity in GCP, similar to AWS. You can see examples here. So, by analyzing the controller code statically and with some string manipulation, we might be able to generate the list of permissions needed and annotate the final CRD.
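A sketch of the static-analysis idea, added here as an illustration rather than code from provider-gcp: it walks the Go AST of a constructed controller snippet, picks out every call on the Cloud SQL `Instances` service, and maps the method names to IAM permissions through a small hand-written table. The table, the sample controller source and the annotation key `gcp.crossplane.io/required-permissions` are assumptions for the example; the permission strings are the real Cloud SQL IAM permission names.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"sort"
)
// Constructed table: method called on the Cloud SQL Instances service -> IAM permission it needs.
var permByCall = map[string]string{
	"Insert": "cloudsql.instances.create", "Get": "cloudsql.instances.get",
	"Patch": "cloudsql.instances.update", "Delete": "cloudsql.instances.delete",
}

// Constructed stand-in for controller code; Get appears twice to show de-duplication.
const controllerSrc = `package cloudsql
func (e *external) Observe() { e.db.Instances.Get(e.projectID, e.name).Do() }
func (e *external) Create()  { e.db.Instances.Insert(e.projectID, e.spec).Do() }
func (e *external) Update()  { e.db.Instances.Get(e.projectID, e.name).Do() }`

// RequiredPermissions parses src, finds each <expr>.Instances.<Method>(...) call
// and returns the sorted, de-duplicated IAM permissions those calls require.
func RequiredPermissions(src string) ([]string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "controller.go", src, 0)
	if err != nil {
		return nil, err
	}
	var perms []string
	seen := map[string]bool{}
	ast.Inspect(f, func(n ast.Node) bool {
		if call, ok := n.(*ast.CallExpr); ok {
			if sel, ok := call.Fun.(*ast.SelectorExpr); ok {
				if recv, ok := sel.X.(*ast.SelectorExpr); ok && recv.Sel.Name == "Instances" {
					if p, ok := permByCall[sel.Sel.Name]; ok && !seen[p] {
						seen[p], perms = true, append(perms, p)
					}
				}
			}
		}
		return true
	})
	sort.Strings(perms)
	return perms, nil
}

func main() {
	perms, _ := RequiredPermissions(controllerSrc)
	fmt.Println("gcp.crossplane.io/required-permissions:", perms)
}
```

Table entries for methods the controller never calls (Patch, Delete here) are not emitted, which is exactly the gap between a broad predefined role and what the controller actually needs.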