Doesn't Vagrant spin up full VMs? Incus/LXD/LXC is about system containers. So like Docker, but with a full distro including init system running inside the container. They are much faster to spin up and have the best resource sharing possible.
Actual computers? People don't have those any more. Not even laptops. They have smartphones and they may have tablets.
I'm over-generalizing of course, but that's the vibe I get. It's because many, both older and younger, entirely skipped the whole personal computing thing.
Okay. Then I'll lay it out: there is no inheritance at all. An identity does not inherit roles and it certainly does not inherit other identities. You are misinterpreting something you saw. However, without further details, a more targeted answer is not possible. I did not want to write a blanket statement like that because it is very condescending and hostile. Sorry about that.
You may have seen the identity's IAM page. It does not show roles assigned to the identity.
> Lower levels inherit role permissions from higher levels...When you assign a role at a parent scope, those permissions are inherited to the child scopes
so i guess what you said is confidently wrong lmao like you couldn't even be more wrong:
> Then I'll lay it out: there is no inheritance at all. An identity does not inherit roles and it certainly does not inherit other identities.
i misspoke calling it "identity inheritance" and not "scope inheritance" tho my first comment said "role inheritance" but the fact that there is any sort of inheritance involved at all with my rbac roles is a very poor design decision. and the fact that i can misunderstand this and spend hours of company time trying to understand it, and still failing....when this should be an intuitive, 101-level thing for cloud design. but nah i gotta spend time going through like ten different docs piecing together knowledge and pentest my own work and also argue with some guy on the internet who called himself adept at azure and doesn't know this either (which further proves my point!)
The so-called "lower levels" inherit role permissions (or role assignments, if you will), which is something else entirely. Furthermore I'd say this is both expected and necessary to effectively administer permissions in organizations. Assigning permissions (via roles or otherwise) on every single object is not feasible. Inheritance is required. It works similarly to NTFS ACLs.
What I wrote is, in fact, accurate. An identity cannot inherit a role. It is simply impossible. What would it inherit from? The identity does not actually exist where it appears in the control plane (i.e. in a resource group). It exists in Entra ID (formerly Azure AD).
There is but one possibility for a newly created identity to actually have role assignments: Automation via policy. Now that I think about it, there might be another: assigning roles to special groups like "Authenticated users".
ok so now it's a semantic debate. love that... i hope this knowledge that i shared is useful to you in the future, so you can avoid dumb ass RBAC inheritance footguns
I think this confusion is exactly the problem.
“Roles inherit” is one of those Azure things that looks simple in docs but ends up creating hidden privilege sprawl in real environments. I’ve seen teams argue for hours about what gets inherited, what doesn’t, and who has access to what, just because a single assignment at the wrong scope can fan out across everything.
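Added example, not part of any comment in this thread: a small audit sketch of the scope inheritance discussed above, showing which role assignments reach a given resource and how far each one fans out. The subscription ID, principals, resource names and assignment list are constructed placeholders, and management-group scopes are left out because they are not path prefixes of resource IDs.

```python
# Constructed sample data: subscription ID, names and principals are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

ASSIGNMENTS = [  # (principal, role, scope) -- constructed
    ("alice", "Reader", SUB),
    ("ci-pipeline", "Contributor", SUB + "/resourceGroups/rg-app"),
    ("bob", "Storage Blob Data Reader",
     SUB + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/appdata"),
    ("ops-team", "Owner", SUB),
]

RESOURCES = [  # constructed resource IDs
    SUB + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/appdata",
    SUB + "/resourceGroups/rg-app/providers/Microsoft.Web/sites/frontend",
    SUB + "/resourceGroups/rg-data/providers/Microsoft.Sql/servers/warehouse",
]


def segments(scope):
    """Split an ARM ID into lowercase path segments (ARM IDs are case-insensitive)."""
    return [s for s in scope.lower().split("/") if s]


def applies(assignment_scope, resource_id):
    """True when the assignment scope is the resource itself or one of its ancestors.

    Comparing whole segments (not a raw string prefix) keeps 'rg-app'
    from matching 'rg-app2'.
    """
    a, r = segments(assignment_scope), segments(resource_id)
    return r[:len(a)] == a


def effective(resource_id, assignments=ASSIGNMENTS):
    """All (principal, role, scope) tuples reaching resource_id, direct or inherited."""
    return [x for x in assignments if applies(x[2], resource_id)]


def fan_out(assignments=ASSIGNMENTS, resources=RESOURCES):
    """Pair each assignment with the number of resources it reaches, widest first."""
    counts = {(p, role, scope): sum(applies(scope, r) for r in resources)
              for p, role, scope in assignments}
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for (principal, role, scope), n in fan_out():
        print(f"{n} resource(s): {principal} / {role} @ {scope}")
```

Sorting by reach puts the subscription-level assignments first, which is where a single misplaced assignment has the widest effect.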
we use k8s + otel filelog receiver. in this case you don't have to connect to the clickhouse instance to collect what it's writing to stdout/stderr, just tail /var/log/pods/*/*/*.log.