You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
Installing the Pixie operator currently deploys a clusterrole which allows the operator to create other clusterroles when deploying Vizier. This is because Vizier itself requires a clusterrole to allow it to list nodes/namespaces.
It is better to restrict the operator's clusterrole permissions, as this can be used to create more permissive clusterroles.
Expected behavior
Having the Vizier clusterrole to list nodes/namespaces is still a requirement in Pixie. However, we should investigate updating the operator so that it deploys with those clusterroles off-the-bat, rather than having the ability to create new clusterroles.
The text was updated successfully, but these errors were encountered:
Describe the bug
Installing the Pixie operator currently deploys a clusterrole which allows the operator to create other clusterroles when deploying Vizier. This is because Vizier itself requires a clusterrole to allow it to list nodes/namespaces.
It is better to restrict the operator's clusterrole permissions, as this can be used to create more permissive clusterroles.
Expected behavior
Having the Vizier clusterrole to list nodes/namespaces is still a requirement in Pixie. However, we should investigate updating the operator so that it deploys with those clusterroles off-the-bat, rather than having the ability to create new clusterroles.
The text was updated successfully, but these errors were encountered: