New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(rbac) : add editor and viewer role for crds #1165
feat(rbac) : add editor and viewer role for crds #1165
Conversation
71784ae
to
a7e3f0b
Compare
/assign @mengqiy |
Hi @mengqiy, Really thank you. I was looking for exactly this kind of review. I will be working on to address it. |
a7e3f0b
to
0bf40ab
Compare
12994b3
to
8bd9b1f
Compare
8bf7d1a
to
4472e50
Compare
4472e50
to
a92ce62
Compare
a92ce62
to
b5523e2
Compare
Travis is failing. Please fix. |
18db06b
to
3e6ff53
Compare
3e6ff53
to
081a114
Compare
@camilamacedo86: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Hi @mengqiy, Now, the test is fixed and all is passing. Please, feel free to check this one. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: camilamacedo86, mengqiy The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
- crew.testproject.org | ||
resources: | ||
- firstmates/status | ||
verbs: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was comparing this with the build-in cluster role edit
which is you can see with kubectl get clusterroles edit -o yaml
. The edit role gives read and write to most of the built-in kubernetes resources. I noted that it does not give patch or update permissions on any */status
resources. Is it by design that these generated roles are different?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If */status
should be included depends on who will be granted these permission.
For controllers, permissions to edit */status
is necessary.
For human, they should never edit */status
.
Reading #886 again, it seems that means human users.
I guess we can still revise it and make it clear that it is for end users.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was comparing this with the build-in cluster role edit which is you can see with kubectl get clusterroles edit -o yaml.
The roles done here are to give permissions to the specific resource.
I noted that it does not give patch or update permissions on any */status resources.
I understand that the idea is to allow admin using this role to create a group of permissions. So, the status is required for the operator to update the CR's and users would also would like to check the status. Am I right?
I am not sure if I understood what should be done in another way here. May the question in order to clarify could be what behaviour are you facing or should not be facing when these roles are applied?
Description
Motivation
Closes: #886