-
This is by design: the machine config specifies the highest permissions a namespace may allow, but workload access is controlled by

```yaml
apiVersion: talos.dev/v1alpha1
kind: ServiceAccount
metadata:
  name: talos-api-access-talos-secrets
spec:
  roles:
    - os:reader
```

in the example above even if machine config allows
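As an added illustration of the two-level model described in the comment above (not code from either participant or from the Talos project), the machine config below sets the ceiling for two namespaces, and each namespace's Talos `ServiceAccount` requests only the role it needs. The namespace names `team-a`/`team-b` and the second resource name are made up; the field names under `machine.features.kubernetesTalosAPIAccess` and the `talos.dev/v1alpha1` `ServiceAccount` kind are the documented Talos ones.

```yaml
# Machine config fragment (applied to the nodes): the ceiling.
# Both roles are listed explicitly rather than relying on os:admin
# implying os:reader (assumption: keeps the allow-list unambiguous).
machine:
  features:
    kubernetesTalosAPIAccess:
      enabled: true
      allowedRoles:
        - os:reader
        - os:admin
      allowedKubernetesNamespaces:
        - team-a
        - team-b
---
# team-a only needs read access, so it asks for os:reader even though
# the machine config would permit os:admin for this namespace.
apiVersion: talos.dev/v1alpha1
kind: ServiceAccount
metadata:
  name: talos-api-access-talos-secrets
  namespace: team-a
spec:
  roles:
    - os:reader
---
# team-b is the one namespace that actually requires admin rights.
# Resource name is constructed for this example.
apiVersion: talos.dev/v1alpha1
kind: ServiceAccount
metadata:
  name: talos-api-access-admin
  namespace: team-b
spec:
  roles:
    - os:admin
```

The per-namespace narrowing therefore happens in the `ServiceAccount` objects, while the machine config only has to carry the union of roles any listed namespace may ever be granted.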
-
kubernetesTalosAPIAccess in machineConfig grants every workload running in every one of the listed namespaces all the listed roles.
It could be made more granular, so it would be possible to define that namespace A has os:Read access, and namespace B has os:admin. Currently, if I want to use Talos API access, I will end up granting os:admin to both namespaces even if only one of them requires admin privileges.