Description
Is your feature request related to a problem? Please describe.
I'd like to minimize the permissions granted to this operator in line with the principle of least access. Currently, the operator will always create a ServiceAccount, Role, and RoleBinding for each RabbitmqCluster resource. Thus, the operator requires permissions to create those three resource types in target namespaces, which (theoretically) enables privilege escalation.
Describe the solution you'd like
There could be an option to override the default behavior for a cluster, maybe like this:
```yaml
apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
  name: example
spec:
  serviceAccount:
    # default: true
    create: false
    # default: ~ (and apply the existing automatic naming logic)
    name: existing-service-account
  rbac:
    # default: true
    create: false
```
Describe alternatives you've considered
It's already possible to use an existing ServiceAccount for the cluster by overriding the StatefulSet spec in the RabbitmqCluster manifest. However, the operator will still create an additional (unused) ServiceAccount and the associated RBAC resources, so it still requires the permissions to do that.
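As an added illustration (not part of the original issue and not the operator's own code), the following Python check lists which of the grants discussed above a set of RBAC rules contains. The rule sets, `find_risky_grants`, and the other names are hypothetical and constructed for this example; it also flags the `escalate` and `bind` verbs on roles, which goes slightly beyond the `create` case in the issue.

```python
# Added example. Rule sets are constructed samples, not the operator's manifest.

RBAC = "rbac.authorization.k8s.io"
# Resource -> verbs worth flagging. "create" is what the issue describes;
# "escalate" and "bind" on roles bypass the API server's escalation checks.
SENSITIVE = {
    ("", "serviceaccounts"): {"create"},
    (RBAC, "roles"): {"create", "escalate", "bind"},
    (RBAC, "rolebindings"): {"create"},
}


def _matches(granted, wanted):
    """RBAC list semantics: '*' matches any value."""
    return "*" in granted or wanted in granted


def find_risky_grants(rules):
    """Return sorted (apiGroup, resource, verb) triples granted by the rules."""
    hits = set()
    for rule in rules:
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        for (group, resource), risky in SENSITIVE.items():
            if _matches(groups, group) and _matches(resources, resource):
                hits.update((group, resource, v) for v in risky if _matches(verbs, v))
    return sorted(hits)


# Constructed: an operator role that may create per-cluster identities and RBAC.
BROAD_RULES = [
    {"apiGroups": [""], "resources": ["services", "serviceaccounts"],
     "verbs": ["create", "get", "list", "update", "watch"]},
    {"apiGroups": [RBAC], "resources": ["roles", "rolebindings"],
     "verbs": ["create", "get", "list", "update", "watch"]},
]
# Constructed: the same role if both proposed `create: false` options applied.
REDUCED_RULES = [
    {"apiGroups": [""], "resources": ["services"],
     "verbs": ["create", "get", "list", "update", "watch"]},
    {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["get"]},
]
WILDCARD_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

if __name__ == "__main__":
    for name, rules in [("broad", BROAD_RULES), ("reduced", REDUCED_RULES),
                        ("wildcard", WILDCARD_RULES)]:
        print(name, find_risky_grants(rules))
```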