Support for RBAC and KSA (Kubernetes Service Account)

Now that cloud providers are providing mechanisms to connect cloud security models w/ Kubernetes service accounts, such as AWS IRSA and Google Workload Identity, what do you think of adding RBAC and service accounts to Dgraph deployments? Like a more restrictive lockdown for ratel to wall it off, and the principle of least privilege for alpha/zero?

This can be useful to allow a KSA associated with dgraph alpha to have access to, for example, an S3 or GCS bucket for backups through Minio, so it can have direct read/write auth without hard coding secrets in env vars.

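A sketch of the per-component service accounts the post asks about, as an added example that is not part of the original post and not taken from Dgraph's own manifests or Helm chart. The namespace, account names, account ID, role and image tag are placeholders, and it assumes the backup client in alpha can pick up web-identity credentials:

```yaml
# Constructed example: every name, ID and ARN below is a placeholder.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dgraph-alpha                 # hypothetical KSA for alpha pods only
  namespace: dgraph
  annotations:
    # AWS IRSA: IAM role whose policy covers only the backup bucket
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/DGRAPH_BACKUP_ROLE_PLACEHOLDER
    # GKE Workload Identity equivalent (use one or the other):
    # iam.gke.io/gcp-service-account: GSA_PLACEHOLDER@PROJECT_PLACEHOLDER.iam.gserviceaccount.com
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dgraph-zero                  # no cloud role bound to zero
  namespace: dgraph
automountServiceAccountToken: false  # assumption: zero never calls the Kubernetes API
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dgraph-ratel                 # no cloud role bound to the UI
  namespace: dgraph
automountServiceAccountToken: false  # Ratel gets no API token at all
---
# Fragment of the alpha StatefulSet: only alpha pods run as the annotated KSA,
# so no access key or secret key appears in env vars.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: dgraph-alpha
  namespace: dgraph
spec:
  serviceName: dgraph-alpha
  selector:
    matchLabels: {app: dgraph-alpha}
  template:
    metadata:
      labels: {app: dgraph-alpha}
    spec:
      serviceAccountName: dgraph-alpha
      containers:
        - name: alpha
          image: dgraph/dgraph:VERSION_PLACEHOLDER
```

Giving each component its own service account keeps the bucket role off zero and Ratel, so a compromise of the UI pod yields neither a Kubernetes API token nor cloud credentials.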