manifests
manifests copied to clipboard
Unnecessary permissions in kubeflow-kubernetes-edit ClusterRole
The kubeflow-kubernetes-edit
ClusterRole, that originated in https://github.com/kubeflow/manifests/pull/388 provides a very broad set of RBAC permissions. I get the impression that it's basically the standard K8S "edit" role with some additional permissions added. This might be justified, but I'm concerned it's not.
I'd prefer to see a more principal-of-least-privilege approach, but I'm keen to clarify if there are any design-docs/decisions about why the permissions need to be quite so broad? (as an example, does the typical kubeflow user really need to be able to create daemonsets?)