Affected Stackable version
Any (at least up until and including SDP 26.3)
Affected OpenPolicyAgent version
N/A
Current and expected behavior
Currently, the bundle-builder uses the operator service account, and therefore inherits operator permissions.
It should use its own service account and be bound to the ClusterRole defined in deploy/helm/opa-operator/templates/clusterrole-opa-builder.yaml so it has only the necessary permissions to perform its function.
Possible solution
1. Drop the unused ClusterRole.
2. Adjust the operator code so that the bundle-builder ClusterRole is used.
Option 2 is probably better, because it at least shows what is needed by the bundle-builder - and allows for architectural changes (like the bundle builder running outside of the OPA cluster pod if that was ever a possibility).
In either case, the comments in 5dc06db will need to be updated.
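As an added illustration (not the operator's own manifests), this is the shape option 2 takes in Kubernetes terms: a dedicated ServiceAccount bound to the existing builder ClusterRole, and the OPA pod running under that account instead of the operator's. Resource names, the ClusterRole name and the namespace are assumptions.

```yaml
# Added example, not part of the opa-operator Helm chart.
# Dedicated service account for the bundle-builder (name and namespace assumed).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: opa-bundle-builder
  namespace: default
---
# Bind that account to the builder ClusterRole from
# deploy/helm/opa-operator/templates/clusterrole-opa-builder.yaml
# (the ClusterRole's metadata.name is assumed here).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: opa-bundle-builder
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: opa-builder
subjects:
  - kind: ServiceAccount
    name: opa-bundle-builder
    namespace: default
---
# Pod spec fragment as the operator would have to render it (pod name and
# images are placeholders). serviceAccountName is pod-wide, so the OPA
# container shares the builder account; what matters is that it is no
# longer the operator's account.
apiVersion: v1
kind: Pod
metadata:
  name: opa-server-placeholder
  namespace: default
spec:
  serviceAccountName: opa-bundle-builder
  automountServiceAccountToken: true
  containers:
    - name: opa
      image: opa:placeholder
    - name: bundle-builder
      image: bundle-builder:placeholder
```

After applying, `kubectl auth can-i --list --as=system:serviceaccount:default:opa-bundle-builder` shows the effective permissions of the builder account, and running the same command for the operator's service account confirms the two sets now differ.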
Additional context
Originally found here: #820 (comment)
Environment
No response
Would you like to work on fixing this bug?
maybe