ClusterRole knative-serving-istio seems to not be binding to any RoleBinding/ClusterRoleBindings.
https://github.com/knative-sandbox/net-istio/blob/main/config/200-clusterrole.yaml
net-istio-controller Deployment is using the ServiceAccount controller which is used by the knative-serving Controller. This ServiceAccount already has the following permissions from ClusterRole knative-serving-admin
- apiGroups:
- networking.istio.io
resources:
- virtualservices
- gateways
- destinationrules
verbs:
- get
- list
- create
- update
- delete
- patch
- watch
It would be ideal for net-istio-controller to use its own ServiceAccount with its own permissions and follow the principle of least privilege
ClusterRole
knative-serving-istioseems to not be binding to any RoleBinding/ClusterRoleBindings.https://github.com/knative-sandbox/net-istio/blob/main/config/200-clusterrole.yaml
net-istio-controllerDeployment is using the ServiceAccountcontrollerwhich is used by the knative-serving Controller. This ServiceAccount already has the following permissions from ClusterRoleknative-serving-adminIt would be ideal for net-istio-controller to use its own ServiceAccount with its own permissions and follow the principle of least privilege