One pager for a namespace-restricted option #6419
Signed-off-by: François Rigaut <francois.rigaut@orange.com>
> Assuming crossplane has admin rights on all resources in its own namespace (or at least rights that are currently defined in the ClusterRole, except in a Role instead)
The RBAC manager also has rights to make ClusterRole resources:

```yaml
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - bind
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - "*"
- apiGroups:
  - ""
  - coordination.k8s.io
  resources:
  - configmaps
  - leases
  verbs:
  - get
  - list
  - create
  - update
  - patch
  - watch
  - delete
```
The proposal should look at addressing how the RBAC manager should change? One option could be strict mode where the tooling installs Aggregated RBAC roles into the cluster while installing providers/XRDs?
Ah, I see:
1. Disable the RBAC manager pod, since the objective is to manage permissions specific to an ecosystem (i.e. outside of Crossplane).
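One way to audit the gap between the ClusterRole rules quoted above and the namespaced Role the one-pager assumes, as an added example (Python; not code from Crossplane or from this PR). The list of cluster-scoped resource names is an assumption; in a real audit it comes from `kubectl api-resources --namespaced=false`.

```python
# Added example: split the RBAC manager's ClusterRole rules into those a
# namespaced Role can carry unchanged and those that touch cluster-scoped
# objects and therefore need separate review (a Role never matches a request
# on a cluster-scoped object such as a ClusterRoleBinding).
from typing import Dict, List, Tuple

# Constructed copy of the rules quoted in the review comment above.
RBAC_MANAGER_RULES: List[Dict] = [
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"], "verbs": ["bind"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterrolebindings"], "verbs": ["*"]},
    {"apiGroups": ["", "coordination.k8s.io"], "resources": ["configmaps", "leases"],
     "verbs": ["get", "list", "create", "update", "patch", "watch", "delete"]},
]

# Assumption: hand-maintained set of cluster-scoped resources. For a live
# cluster, populate it from `kubectl api-resources --namespaced=false`.
CLUSTER_SCOPED = {"clusterroles", "clusterrolebindings", "namespaces", "nodes",
                  "customresourcedefinitions", "persistentvolumes"}


def split_rules(rules: List[Dict]) -> Tuple[List[Dict], List[Dict]]:
    """Return (role_rules, cluster_scoped_rules); a mixed rule is split per resource."""
    role_rules, cluster_scoped = [], []
    for rule in rules:
        namespaced = [r for r in rule["resources"] if r not in CLUSTER_SCOPED]
        clustered = [r for r in rule["resources"] if r in CLUSTER_SCOPED]
        if namespaced:
            role_rules.append({**rule, "resources": namespaced})
        if clustered:
            cluster_scoped.append({**rule, "resources": clustered})
    return role_rules, cluster_scoped


def render_role(name: str, namespace: str, rules: List[Dict]) -> str:
    """Emit a namespaced Role manifest carrying only the rules a Role can enforce."""
    lines = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: Role", "metadata:",
             f"  name: {name}", f"  namespace: {namespace}", "rules:"]
    for rule in rules:
        lines.append("- apiGroups: [" + ", ".join(f'"{g}"' for g in rule["apiGroups"]) + "]")
        lines.append("  resources: [" + ", ".join(rule["resources"]) + "]")
        lines.append("  verbs: [" + ", ".join(f'"{v}"' for v in rule["verbs"]) + "]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ok, review = split_rules(RBAC_MANAGER_RULES)
    print(render_role("crossplane-rbac-manager", "crossplane-system", ok))
    for rule in review:  # these are exactly why the RBAC manager gets disabled above
        print("# cluster-scoped, review separately:", rule["resources"], rule["verbs"])
```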
Crossplane does not currently have enough maintainers to address every issue and pull request. This pull request has been automatically marked as

/fresh
negz left a comment
TIL I never approved and merged this. Sorry! I'm approving given you've already been chipping away at this work. 😄
Closed and reopened to trigger CI.
Description of your changes
This one pager proposes a new `--namespace-restricted` option for Crossplane in order for it to work in environments where rights on cluster-scoped resources are limited.

Related issue: #6348
I have:

- `earthly +reviewable` to ensure this PR is ready for review.
- [ ] Added or updated unit tests.
- [ ] Added or updated e2e tests.
- [ ] Linked a PR or a [docs tracking issue] to [document this change].
- [ ] Added `backport release-x.y` labels to auto-backport this PR.
- [ ] Followed the [API promotion workflow] if this PR introduces, removes, or promotes an API.