New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove "get" verb from "events" resource of RBAC for provisioner sidecar #245
Remove "get" verb from "events" resource of RBAC for provisioner sidecar #245
Conversation
Let's keep `assets/rbac/provisioner_role.yaml` in sync with upstream (https://github.com/openshift/csi-external-provisioner/blob/master/deploy/kubernetes/rbac.yaml)
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: mpatlasov The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
I think it is unnecessary to remove It also doesn't buys much in terms of reducing permission vector of the sidecar/operators. |
Yes, I fully agree! I opened this PR as a follow-up for Jan's comment that it would be great to keep our openshift perm list in-sync with upstream. Upstream doesn't have IMO, we have 3 options:
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@jsafrane , can you please read my comment above (#245 (comment)) and reply something. (I tend to close this PR because it's rather minor topic and nobody is interested in it, but if you think it's worthy to follow-up, I can rebase and discuss it further) |
@mpatlasov: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
I think we should use upstream RBAC definitions where possible. If we're going to use custom permissions, then we need to review all code an updated driver to see if we need to modify them. If we use the upstream ones, then it's task of the upstream to keep them up to date and we can blindly copy them. |
Let's keep `manifests/09_sidecar-main_provisioner_role.yaml` in sync with upstream (https://github.com/openshift/csi-external-provisioner/blob/master/deploy/kubernetes/rbac.yaml) See discussion at openshift/aws-ebs-csi-driver-operator#245.
The file |
Let's keep
assets/rbac/provisioner_role.yaml
in sync with upstream (https://github.com/openshift/csi-external-provisioner/blob/master/deploy/kubernetes/rbac.yaml)