Cluster permissions #438
Comments
Hi @blezoray! I added a PR to highlight these changes in the installation docs: https://github.com/kube-green/kube-green.github.io/pull/65/files. With version 0.6.0, it will be possible to manage all resources by writing specific patch rules. In the Helm chart, a value will be added to configure the RBAC settings as desired, with the default set to manage the default resources. Another option is to modify it to grant kube-green permissions restricted to the default managed manifests, and update the configuration if more resources need to be added. Before the release of the stable version, there is something to decide. For sure, the safest solution would be to give only the permission to manage the default supported resources.
Thanks for your answer. Why not limit the clusterrole to
Yes, an example use case is if you need to modify some CR which manages some runtime resources, defined by a CRD. For example, in the test there is a use case in which a Keda resource is changed to manage the autoscaling rules. We can use the aggregated rules of roles to extend the permissions: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles. In this way, by default the operator defines only the ClusterRole with the base managed resources, and it will be possible to extend it by creating new ClusterRoles manually. Could this address your use case?
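The aggregated-ClusterRole pattern described in the comment above, as an added example rather than a manifest from the kube-green project: the operator's ClusterRole carries an `aggregationRule` that selects any ClusterRole with a given label, so the base role stays limited to the default managed resources and a Keda CR is granted by adding a second, labelled ClusterRole instead of widening the base one. The label key `kube-green.dev/aggregate-to-operator`, the role names, the resource lists and the verbs are assumptions chosen to illustrate the mechanism.

```yaml
# Added example (not kube-green's own manifests). Label key, role names,
# resources and verbs are assumptions chosen to illustrate the pattern.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-green-manager
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        kube-green.dev/aggregate-to-operator: "true"
# The controller fills `rules` from the selected roles; anything written
# here is overwritten, so it is left empty on purpose.
rules: []
---
# Base permissions: only the resources kube-green manages by default
# (assumed list), no wildcard apiGroups, resources or verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-green-default-resources
  labels:
    kube-green.dev/aggregate-to-operator: "true"
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["batch"]
    resources: ["cronjobs"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
# Extension a cluster admin adds for the Keda use case: the one CR that is
# needed, with no change to the base role (keda.sh/scaledobjects assumed).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-green-keda-extension
  labels:
    kube-green.dev/aggregate-to-operator: "true"
rules:
  - apiGroups: ["keda.sh"]
    resources: ["scaledobjects"]
    verbs: ["get", "list", "watch", "update", "patch"]
```

After applying, `kubectl get clusterrole kube-green-manager -o yaml` shows the merged rules, which is also where to check that no wildcard rule has crept in through a labelled role.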
Thanks @davidebianchi, aggregated rules would be a great solution.
Hello,
I was looking at the permissions that are requested at cluster level when you run the kube-green operator and, if I compare v0.5.2 with the current version, you can see that it requests all verbs on all resources and apigroups:
https://github.com/kube-green/kube-green/blob/main/bundle/manifests/kube-green.clusterserviceversion.yaml#L148-L161
And in v0.5.2, you already request all verbs on secrets:
https://github.com/kube-green/kube-green/blob/v0.5.2/bundle/manifests/kube-green.clusterserviceversion.yaml#L154-L165
Could you explain why it needs such huge permissions?
Rgds, Bruno.