Support Service Account Separation in CDAP

Description

Currently, in CDAP, the [KubeMasterEnvironment](https://github.com/cdapio/cdap/blob/4e66764eba989e7125c1fe49a899141be0782099/cdap-kubernetes/src/main/java/io/cdap/cdap/master/environment/k8s/KubeMasterEnvironment.java) the [KubeTwillRunnerService] directly clones its own pod configuration in order to initialize the (https://github.com/cdapio/cdap/blob/4e66764eba989e7125c1fe49a899141be0782099/cdap-kubernetes/src/main/java/io/cdap/cdap/k8s/runtime/KubeTwillRunnerService.java). This means that the worker pods which execute user which are spun up by CDAP will have the same permission levels as their pod managers (i.e. preview manager and app-fabric).

We would like to ensure that pods executing user code do so with reduced privileges.

Release Notes

Added support for running worker pods using different Kubernetes service accounts.

Activity

Show:
Fixed
Pinned fields
Click on the next to a field label to start pinning.

Details

Assignee

Dennis Li

Reporter

Affects versions

Fix versions

Priority

Created May 20, 2021 at 8:18 PM
Updated June 28, 2021 at 9:00 PM
Resolved June 28, 2021 at 9:00 PM