The vcluster docs mention that create permission for the endpoints/restricted resource is required. On APPUiO Cloud we do not grant this permission to our restricted (normal) users. We're wondering why this permission is needed and if there is a way to circumvent this permission. Can you give us some insights on that requirement?
Hello @tobru
This permission is required because OpenShift has a built-in admission controller (some info about it is in this comment) for the Endpoint resources, which denies the creation of the endpoints pointing into the cluster network or service network CIDR ranges unless this additional permission is given. Vcluster needs to create endpoints pointing to the service CIDR range because it synchronizes Endpoints from a virtual cluster into a host cluster to ensure that the Services will work correctly.
It should be possible to achieve the correct Services functionality without the need for synchronization of all Endpoints, so I created this issue to investigate and implement the change - #281. Once it's done, the Endpoint synchronization would become optional, and we will put the endpoints permissions (including endpoints/restricted) into the "extended permissions" section of our chart (not required by default).
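Added example, not part of the thread and not code from vcluster or OpenShift: a simplified Python model of the admission check described in the comment above, showing which Endpoints objects need `create` on `endpoints/restricted`. The CIDR ranges, sample objects and function names are constructed for illustration; a real cluster's ranges come from its network configuration.

```python
import ipaddress

# Constructed sample ranges (assumption): cluster network, then service network.
RESTRICTED_CIDRS = ["10.128.0.0/14", "172.30.0.0/16"]


def restricted_addresses(endpoints, restricted_cidrs=RESTRICTED_CIDRS):
    """Return the endpoint IPs that fall inside any restricted range."""
    networks = [ipaddress.ip_network(c) for c in restricted_cidrs]
    hits = []
    for subset in endpoints.get("subsets") or []:
        # Ready and not-ready addresses are both inspected in this model.
        for key in ("addresses", "notReadyAddresses"):
            for addr in subset.get(key) or []:
                ip = ipaddress.ip_address(addr["ip"])
                if any(ip in net for net in networks):
                    hits.append(str(ip))
    return hits


def admit(endpoints, can_create_restricted, restricted_cidrs=RESTRICTED_CIDRS):
    """Model the decision: deny only when a restricted IP is present
    and the requester lacks create on endpoints/restricted."""
    hits = restricted_addresses(endpoints, restricted_cidrs)
    if hits and not can_create_restricted:
        return False, ("addresses %s are in a restricted range; "
                       "create on endpoints/restricted is required" % ", ".join(hits))
    return True, "allowed"


# Constructed sample: an Endpoints object synced from a virtual cluster,
# pointing into the host's service CIDR range.
SYNCED = {
    "kind": "Endpoints",
    "metadata": {"name": "kubernetes-x-default-x-vc", "namespace": "tenant-a"},
    "subsets": [{"addresses": [{"ip": "172.30.12.34"}], "ports": [{"port": 443}]}],
}

# Constructed sample: an Endpoints object pointing outside both ranges.
EXTERNAL = {
    "kind": "Endpoints",
    "metadata": {"name": "external-db", "namespace": "tenant-a"},
    "subsets": [{"addresses": [{"ip": "192.0.2.10"}], "ports": [{"port": 5432}]}],
}

if __name__ == "__main__":
    for obj in (SYNCED, EXTERNAL):
        for allowed in (False, True):
            print(obj["metadata"]["name"], allowed, admit(obj, allowed))
```

Endpoints that point outside both ranges are admitted for a restricted user, which is why only the synchronization into the service CIDR range triggers the extra permission.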