Support Service Account Separation in CDAP
Description
Release Notes
Added support for running worker pods using different Kubernetes service accounts.
Activity
Show:
Dennis Li
changed the StatusJune 28, 2021 at 9:00 PMOpen
Resolved
Dennis Li
updated the Release NotesJune 28, 2021 at 9:00 PMNone
Added support for running worker pods using different Kubernetes service accounts.
Dennis Li
updated the ResolutionJune 28, 2021 at 9:00 PMNone
Fixed
Dennis Li
created the IssueMay 20, 2021 at 8:18 PM
Currently, in CDAP, the [KubeMasterEnvironment](https://github.com/cdapio/cdap/blob/4e66764eba989e7125c1fe49a899141be0782099/cdap-kubernetes/src/main/java/io/cdap/cdap/master/environment/k8s/KubeMasterEnvironment.java) the [KubeTwillRunnerService] directly clones its own pod configuration in order to initialize the (https://github.com/cdapio/cdap/blob/4e66764eba989e7125c1fe49a899141be0782099/cdap-kubernetes/src/main/java/io/cdap/cdap/k8s/runtime/KubeTwillRunnerService.java). This means that the worker pods which execute user which are spun up by CDAP will have the same permission levels as their pod managers (i.e. preview manager and app-fabric).
We would like to ensure that pods executing user code do so with reduced privileges.