Snowplow Collector #16
Conversation
jbeemster
force-pushed
the
feat/snowplow-collector
branch
from
96d5281
to
ef8b354
Compare
|
|
||
| volumes: | ||
| - configMap: | ||
| defaultMode: 420 |
There was a problem hiding this comment.
why this defaultMode? I understand giving read permissions to user, but write permissions to group? 🤔
| resources: | ||
| limits: | ||
| memory: 2018Mi | ||
| requests: | ||
| cpu: 400m |
There was a problem hiding this comment.
nitpick: It's great to see some guidance on resource values, but best practice is that this should not be hardcoded. Some people might have very low-power clusters or collectors that are handling a very large amount of data and need more resources.
| "sqs:SendMessage", | ||
| "sqs:ListQueues" | ||
| ], | ||
| "Resource": "*", |
There was a problem hiding this comment.
I would suggest mentioning that best security policy is to restrict the resource down to just what you need. For example, if your kinesis streams were called good and bad and your AWS account id was 333221111111, then you would do:
"arn:aws:kinesis:us-east-1:333221111111:stream/bad",
"arn:aws:kinesis:us-east-1:333221111111:stream/good"
There was a problem hiding this comment.
Yeah thats a fair point - I have done this in the OS Terraform Modules - will replicate it here.
| "kinesis:DescribeStream", | ||
| "kinesis:DescribeStreamSummary", | ||
| "kinesis:List*", | ||
| "kinesis:Put*", | ||
| "sqs:GetQueueUrl", | ||
| "sqs:SendMessage", | ||
| "sqs:ListQueues" |
There was a problem hiding this comment.
I like the restricted permissions here.
This chart supports deploying the collector locally and to both AWS & GCP via TargetGroup bindings & NEG bindings. It also support custom IAM role passthrough for access to cloud systems.
Further to this to address AkkaHTTP TLS Actor bug it allows for the seamless deployment of an NGINX sidecar deployment with optional TLS support by passing in the certificate parts (and therefore binding a secondary port to the service).
Like with the Iglu Server no Ingress rules are defined as we are expecting to use external load balancers in production - nothing to stop someone from adding that however!