Permission to create service account tokens
* We need the ability to create service account token
  because this is required by clientbuilder/controller-manager
  framework which we will be using in 1.21.
* This is required for the CCM to use 1 SA per controller, which
  follows principle of least privilege and makes audit logs easier
  to understand
* Restricts token creation to resource names "node-controller",
  "service-controller", and "route-controller".
nckturner committed May 13, 2021
1 parent 57cd9c9 commit 202f590
Showing 1 changed file with 10 additions and 0 deletions.
Expand Up @@ -145,6 +145,16 @@ rules:
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts/token
resourceNames:
- "node-controller"
- "service-controller"
- "route-controller"
verbs:
- create
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
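Review bot: the `resourceNames` list on the new `serviceaccounts/token` rule restricts by service account name only, not by namespace. The document that follows is a `ClusterRoleBinding`, so if this rule is granted through it, the holder can create tokens for any service account named `node-controller`, `service-controller` or `route-controller` in every namespace, not only the one the controllers run in. Consider moving this rule into a namespaced Role with a RoleBinding in the namespace where those three service accounts live. A short YAML comment above the rule saying why token creation is needed (one service account per controller) would also keep the intent visible outside the commit message.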