Create permission for endpoints/restricted on OpenShift

[tobru]

The vcluster docs mention that create permission for the endpoints/restricted resource is required. On APPUiO Cloud we do not grant this permission to our restricted (normal) users. We're wondering why this permission is needed and if there is a way to circumvent this permission. Can you give us some insights on that requirement?

[matskiv]

Hello @tobru
This permission is required because OpenShift has a built-in admission controller(some info about it is in this comment) for the Endpoint resources, which denies the creation of the endpoints pointing into the cluster network or service network CIDR ranges unless this additional permission is given. Vcluster needs to create endpoints pointing to the service CIDR range because it synchronizes Endpoints from a virtual cluster into a host cluster to ensure that the Services will work correctly.

It should be possible to achieve the correct Services functionality without the need for synchronization of all Endpoints, so I created this issue to investigate and implement the change - #281. Once it's done, the Endpoint synchronization would become optional, and we will put the endpoints permissions(including endpoints/restricted) into the "extended permissions" section of our chart(not required by default).

[tobru]

Thank you very much @matskiv for the explanation, that helps to understand it. I think we can close this issue, all is tracked in #281 👍

[matskiv]

Cool, np. Okay, I'll close this one :)