Expected Behavior
As discussed here: #5910 (comment)
We can introduce a service account specifically for our CNI plugin - this would be a nice improvement rather than sharing serviceaccounts between calico/node and the CNI plugin, since they require similar but ultimately different permissions.
Current Behavior
serviceaccount and RBAC resources shared between calico/node and CNI plugin.
Possible Solution
- Add new calico-cni serviceaccount, clusterrole, and binding.
- Split out permissions and tidy up calico-node RBAC resources.
- Make sure upgrade works alright (may need a grace period where both get the superset of permissions)
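
Added example, not part of the issue and not Calico's own code: one way to check a proposed split of the shared role, and the upgrade grace period mentioned in the last step, by comparing RBAC rules as sets of (apiGroup, resource, verb). The rule lists are constructed sample data, not Calico's manifests, and the comparison is literal (it assumes no `*` wildcards and no `resourceNames`).

```python
# Added example: the rules below are constructed samples, not Calico's manifests.
from itertools import product

def expand(rules):
    """Flatten RBAC rules into a set of (apiGroup, resource, verb) tuples."""
    perms = set()
    for rule in rules:
        perms.update(product(rule["apiGroups"], rule["resources"], rule["verbs"]))
    return perms

def check_split(shared, node, cni):
    """Compare the shared role against the two roles proposed to replace it."""
    s, n, c = expand(shared), expand(node), expand(cni)
    return {
        "lost": s - (n | c),       # granted today, granted to neither role after the split
        "new": (n | c) - s,        # privilege the split would add
        "dropped_by_node": s - n,  # least-privilege gain for calico/node
        "dropped_by_cni": s - c,   # least-privilege gain for the CNI plugin
    }

def grace_period_ok(shared, interim_node, interim_cni):
    """During the upgrade, both accounts must still hold everything the shared role held."""
    s = expand(shared)
    return s <= expand(interim_node) and s <= expand(interim_cni)

# Constructed sample rules (hypothetical permissions, for illustration only).
SHARED = [
    {"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/status"], "verbs": ["patch"]},
    {"apiGroups": [""], "resources": ["nodes/status"], "verbs": ["patch", "update"]},
]
NODE = [
    {"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["nodes/status"], "verbs": ["patch", "update"]},
]
CNI = [
    {"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["pods/status"], "verbs": ["patch"]},
]

if __name__ == "__main__":
    for key, perms in check_split(SHARED, NODE, CNI).items():
        print(key, sorted(perms))
    print("grace period ok:", grace_period_ok(SHARED, SHARED, SHARED))
```

An empty `lost` set means no permission disappears in the split; `grace_period_ok` returning false for the final roles is expected, since it only needs to hold for the interim roles used while old and new components coexist.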