Check RBAC permissions and add docs #150
Comments
Just a note; it's quite likely that using operator with
Is there any news yet? I'm looking for a way to deploy the operator + all tests in a single namespace with no access rights outside this namespace.
@realHarter, this issue is more about validation and documentation rather than any specific changes. But it's quite possible to deploy k6-operator and the tests in the same namespace as it is. Have you encountered an issue while trying to do that?
@yorugac I haven't tested a lot yet. But so far it's working for me after rewriting all ClusterRoles to Roles, declaring the CRDs as namespaced and setting the
Thanks for the details. A guide for such a setup would likely be nice 👍
@yorugac when you say
Were you expecting this to be done by changing configuration as @realHarter did or is there a cleaner way with FWIW, we are provided namespaces which we have admin access to but we cannot access many cluster-wide resources. This cluster-level access, such as being able to create a namespace and create cluster roles, seems to be expected with the normal installation methods. Is that correct? If yes, then it seems like the pattern used to rewrite this all into a single namespace would be the path forward. Some chance I may be able to work on this and submit a PR for this.
Hello @realHarter, can you provide me the manifest file with these changes, please? Thank you
I can confirm @realHarter's approach. Well, I didn't have to adapt the CRDs because in the latest Helm release they already have the scope "Namespaced". The only thing that needed to be changed was the clusterRole to role (just change Kind from ClusterRole to Role and add the namespace; also adapt the connected clusterBinding -> same approach):
Setting the env variable was also necessary. I added that to the deployment.yaml so that it is set automatically for each env the k6-operator is deployed to. Just under "env" on the "manager" container add this:
From my pov the WATCH_NAMESPACE env variable and its function could be documented better. Maybe worth a small section in the readme? :) @yorugac
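The ClusterRole-to-Role rewrite described in the comments above, sketched as an added example that is not part of the thread or of the k6-operator project: it rewrites manifest dicts to their namespaced kinds and reports rules a namespaced Role cannot satisfy or that are broader than needed. The manifest names, rules, the `load-tests` namespace and the `to_namespaced` helper are constructed for illustration; it also assumes the service account lives in the target namespace.

```python
import copy

# Cluster-scoped resources: a Role rule naming one of these grants nothing, so it is reported.
CLUSTER_SCOPED = {"namespaces", "nodes", "persistentvolumes", "clusterroles",
                  "clusterrolebindings", "customresourcedefinitions"}

def to_namespaced(manifests, namespace):
    """Rewrite ClusterRole/ClusterRoleBinding dicts to namespaced kinds; return (copies, findings)."""
    docs, findings = copy.deepcopy(manifests), []
    converted = {d["metadata"]["name"] for d in docs if d.get("kind") == "ClusterRole"}
    for d in docs:
        name = d["metadata"]["name"]
        if d.get("kind") == "ClusterRole":
            d["kind"] = "Role"
            d["metadata"]["namespace"] = namespace
            for rule in d.get("rules", []):
                if rule.get("nonResourceURLs"):
                    findings.append(f"{name}: nonResourceURLs are not valid in a Role")
                for res in rule.get("resources", []):
                    if res.split("/")[0] in CLUSTER_SCOPED:
                        findings.append(f"{name}: {res} is cluster-scoped")
                if "*" in rule.get("resources", []) + rule.get("verbs", []):
                    findings.append(f"{name}: wildcard rule, narrow it")
        elif d.get("kind") == "ClusterRoleBinding":
            d["kind"] = "RoleBinding"
            d["metadata"]["namespace"] = namespace
            ref = d["roleRef"]
            if ref["name"] in converted:
                ref["kind"] = "Role"  # the referenced role was rewritten above
            else:
                findings.append(f"{name}: roleRef {ref['name']} is not in this manifest set")
            for subj in d.get("subjects", []):
                if subj.get("kind") == "ServiceAccount":
                    subj["namespace"] = namespace  # assumption: SA lives in the same namespace
    return docs, findings

# Constructed sample input: names and rules are illustrative, not the project's manifests.
SAMPLE = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "example-manager-role"}, "rules": [
         {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create", "get", "list", "watch"]},
         {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "example-manager-rolebinding"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "example-manager-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "example-controller", "namespace": "example-system"}]},
]

if __name__ == "__main__":
    print(*to_namespaced(SAMPLE, "load-tests"), sep="\n")
```

Each finding marks a rule to review by hand before applying the rewritten manifests, since a cluster-scoped resource listed in a Role is accepted by the API server but grants no access.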
@FloGro3, thanks for sharing the details here 🙌
Indeed; we obviously forgot to document it 😄 Added it now, thanks! By the way, all available options for Helm can be found over here:
This seems dangerous. Can documentation be provided to show how these permissions may be more restricted?