grafana-operator
Add proposal for grafanaserviceaccount crd
My design document for the proposed Grafana Service Accounts as a CRD, as discussed in issue 1388.
From a security point of view, I'm relatively worried about this, since anyone having the possibility to create a GSA CRD would have the possibility to become admin in any instance they want to. I'm hesitant about whether we should even allow cross-namespace access for this resource.
For a secret name, I'm leaning towards not letting the user provide the secret name where the token will reside.
Instead, I would build it up from the name of the <GSA-CRD-name>-<GSA-grafana-instancename>-<SA-id>
to make sure that the secret name is always unique, or something like that.
The secret key could then just be the same as the token name.
I think it would be good if we can get an example of what the secret should look like depending on the tokens.
Do you need me to fix the trailing whitespace and update the branch?
If you can, it would be great.
I think everything should be fixed now.