Support for RBAC and KSA (Kubernetes Service Account)

joaquin · July 20, 2020, 6:48am

Now that cloud providers are providing mechanisms to connect cloud security models w/ Kubernetes service accounts, such as AWS IRSA and Google Workload Identity, what do you think of adding RBAC and service account to Dgraph deployments? Like a more restrict lockdown for ratel to wall it off, and the principle of least privileged for alpha/zero?

This can be useful to allow a KSA associated with dgraph alpha to have access to, for example, and S3 or GCS bucket for backups through Minio, so it can have direct read/write auth without hard coding secrets in env vars.

AWS IRSA Articles (KSA↔IAM Role)
- Introducing fine-grained IAM roles for service accounts | AWS Open Source Blog
- IAM roles for service accounts - Amazon EKS
Google Workload Identity (KSA↔GSA)
- Google Cloud Blog - News, Features and Announcements
- Using Workload Identity | Kubernetes Engine Documentation
Azure (KSA↔AAD)
- Use Azure AD in Azure Kubernetes Service - Azure Kubernetes Service | Microsoft Docs
- Integrate Azure Active Directory with Azure Kubernetes Service (legacy) - Azure Kubernetes Service | Microsoft Docs

Topic		Replies	Views
Problem with Dgraph helm chart serviceAccount creation Dgraph kind:bug	13	463	September 18, 2023
Enterprise features in Dgraph Helm Chart Dgraph kind:enhancement , status:accepted , area:operations , community	8	1050	September 1, 2020
Dgraph on EKS Connectivity Dgraph	1	353	August 4, 2021
Dgraph Helm Chart dgraph-0.0.11 released Announce charts	0	662	October 1, 2020
Using Kubernetes - Deploy Documentation	1	1327	August 28, 2020

Support for RBAC and KSA (Kubernetes Service Account)

Related Topics