EPP: Use Dedicated Service Account #224

@danehans

Description

Currently, the EPP manifest (ext_proc.yaml) creates clusterrolebindings and clusterroles resources to allow the informers to get/list/watch resources. However, roles and rolebindings resources can be used for inferencemodels, inferencepools, and endpointslices. For example:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-read
  namespace: default
rules:
- apiGroups: ["inference.networking.x-k8s.io"]
  resources: ["inferencemodels"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["inference.networking.x-k8s.io"]
  resources: ["inferencepools"]
  verbs: ["get", "watch", "list"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-read-binding
  namespace: default
subjects:
- kind: ServiceAccount
  name: default # We should create a service account for EPP
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-read

Additionally, why are the subjectaccessreviews and tokenreviews resources required?
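An added audit script (not code from the issue or the project) that checks RBAC objects, in the JSON form `kubectl get ... -o json` emits, against the least-privilege points raised above: no cluster-scoped roles, read-only verbs, only the resources the informers need, and no binding to the namespace's default ServiceAccount. The sample objects, including the ClusterRole named `epp-cluster`, are constructed for illustration.

```python
import json

# Constructed sample: the namespaced Role/RoleBinding from the issue, plus a
# hypothetical ClusterRole of the kind the current manifest creates, for contrast.
SAMPLE_OBJECTS = json.loads("""[
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
  "metadata": {"name": "pod-read", "namespace": "default"},
  "rules": [
   {"apiGroups": ["inference.networking.x-k8s.io"],
    "resources": ["inferencemodels", "inferencepools"], "verbs": ["get", "watch", "list"]},
   {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
   {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": ["get", "watch", "list"]}]},
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
  "metadata": {"name": "pod-read-binding", "namespace": "default"},
  "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}],
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "pod-read"}},
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
  "metadata": {"name": "epp-cluster"},
  "rules": [{"apiGroups": ["authentication.k8s.io"], "resources": ["tokenreviews"], "verbs": ["create"]}]}
]""")

# Resources the EPP informers need according to the issue; anything else is flagged for review.
EXPECTED = {"inferencemodels", "inferencepools", "pods", "endpointslices"}
READ_ONLY = {"get", "list", "watch"}

def audit_rbac(objects):
    """Return a list of (object name, finding) pairs for least-privilege violations."""
    findings = []
    for obj in objects:
        kind, name = obj["kind"], obj["metadata"]["name"]
        if kind in ("ClusterRole", "ClusterRoleBinding"):
            findings.append((name, f"{kind} is cluster-scoped; a namespaced Role/RoleBinding suffices"))
        for rule in obj.get("rules", []):
            extra = set(rule["verbs"]) - READ_ONLY  # also catches wildcard "*"
            if extra:
                findings.append((name, f"non-read-only verbs {sorted(extra)} on {rule['resources']}"))
            unexpected = set(rule["resources"]) - EXPECTED
            if unexpected:
                findings.append((name, f"resources {sorted(unexpected)} are not needed by the informers"))
        for subj in obj.get("subjects", []):
            if subj.get("kind") == "ServiceAccount" and subj.get("name") == "default":
                findings.append((name, "bound to the default ServiceAccount; create a dedicated one for EPP"))
    return findings

if __name__ == "__main__":
    for name, msg in audit_rbac(SAMPLE_OBJECTS):
        print(f"{name}: {msg}")
```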

Labels: good first issue, help wanted