Requirement: Prism must run on clusters that have RBAC enabled. Therefore ...
The Application Controller requires read/write access to all Kubernetes resources across all namespaces. It will run with the default service account of the prism namespace, and a cluster role binding will bind that service account to the cluster-admin cluster role, which grants full access to every resource in the cluster.
The following cluster role binding should achieve the desired result:
# A ClusterRoleBinding (not a namespaced RoleBinding) is required for the
# cluster-wide scope described above: a RoleBinding to cluster-admin would
# only grant those permissions inside the binding's own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: application-controller
  name: application-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: default
    namespace: prism
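The binding above grants the broadest possible privilege to a service account that every pod in the namespace uses by default. As an added example (not part of the Prism note or the project's code), the following small audit function flags those properties on any RoleBinding or ClusterRoleBinding, using constructed manifests embedded as dicts so it runs without a cluster or a YAML library:

```python
from typing import Dict, List

DEFAULT_SA = "default"
CLUSTER_ADMIN = "cluster-admin"


def audit_binding(binding: Dict) -> List[str]:
    """Return findings for one RoleBinding/ClusterRoleBinding manifest."""
    findings = []
    kind = binding.get("kind")
    role = binding.get("roleRef", {})
    ns = binding.get("metadata", {}).get("namespace")

    if role.get("kind") == "ClusterRole" and role.get("name") == CLUSTER_ADMIN:
        if kind == "ClusterRoleBinding":
            findings.append("grants cluster-admin across all namespaces")
        elif kind == "RoleBinding":
            # A namespaced RoleBinding limits cluster-admin to that namespace,
            # which is not what a controller needing all namespaces expects.
            findings.append(f"grants cluster-admin scoped to namespace {ns!r}")

    for subject in binding.get("subjects", []):
        if subject.get("kind") == "ServiceAccount" and subject.get("name") == DEFAULT_SA:
            # Every pod in that namespace without an explicit serviceAccountName
            # inherits the token, so the grant spreads beyond the controller.
            findings.append(
                f"binds the default ServiceAccount of namespace {subject.get('namespace')!r}"
            )
    return findings


# Constructed manifests: the cluster-wide binding from the note, and a variant
# using a dedicated service account (assumed name: application-controller).
CLUSTER_WIDE_DEFAULT_SA = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "application-controller"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "prism"}],
}

CLUSTER_WIDE_DEDICATED_SA = dict(
    CLUSTER_WIDE_DEFAULT_SA,
    subjects=[{"kind": "ServiceAccount", "name": "application-controller", "namespace": "prism"}],
)

if __name__ == "__main__":
    for name, manifest in (("default SA", CLUSTER_WIDE_DEFAULT_SA), ("dedicated SA", CLUSTER_WIDE_DEDICATED_SA)):
        print(name, "->", audit_binding(manifest))
```

Running the audit over the namespaced RoleBinding form of the same manifest reports the narrower scope instead, which is the mismatch to look for when a controller unexpectedly lacks permissions outside its own namespace.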
Resources:
- ICP Security Roadmap - See especially
- CAM IM Onboarding
- CAM Login Flow
- CAM Onboarding Flow
From Chunlong:
ICP authentication service allows boarding of any applications.
Security Architecture: