Request: Review and minimize postgres-pod RBAC permissions

Hi,

My customer has requested a review of the postgres-pod ClusterRole to reduce its permissions to the minimum required.

My tests  (which probably are not as complete as you may conduct) suggests the following minimal ruleset is sufficient:

```yaml
rules:
  - verbs:
      - create
      - list
      - patch
      - watch
    apiGroups:
      - ""
    resources:
      - endpoints
  - verbs:
      - create
    apiGroups:
      - ""
    resources:
      - services
  - verbs:
      - list
      - patch
      - watch
    apiGroups:
      - ""
    resources:
      - pods
```

Compared to the [current postgres-pod ClusterRole](https://github.com/zalando/postgres-operator/blob/master/manifests/operator-service-account-rbac.yaml), this would remove the following verbs:

```
   - endpoints: delete, deletecollection, get, update
   - pods: get, update
   - services: no change
```

Would you be willing to conduct an official review of the postgres-pod RBAC permissions with the goal of applying the principle of least privilege?


Thanks' for the work you've put on this operator
Regrads

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Request: Review and minimize postgres-pod RBAC permissions #3057

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Request: Review and minimize postgres-pod RBAC permissions #3057

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions