Worker pool controller can use different service accounts for plans and applies

This is a request regarding the Kubernetes Worker Pool controller.

Scenario

  • A Stack StackX with two AWS integrations: IntRead, used for plans, with role InfraRead, and IntWrite, used for applies, with role InfraWrite.

  • Stack StackX has a worker pool with "Assume role on Worker" enabled.


Feature request
The idea here is that e.g. ServiceAccountA has permissions to assume InfraRead and ServiceAccountB has permissions to assume InfraWrite. It would be great if the controller could manage assigning a different service account depending on whether the run will be using the Read or the Write cloud integration.

This would allow for better separation of permissions. After all, the pod using the read integration does not need a service account that could grant it access to the write role.

Workaround
A workaround would be using an admission controller to replace the service account, but it is not clear if one can identify whether a pod will do a read or a write, except for (maybe?) the name of the pod... but that feels a bit too hacky.
Problem
-


Status

⬆️ Gathering votes

Board

💡 Feature Requests

Tags

Kubernetes

Date

12 months ago
