[feature request] Make onboarding of clusters with restricted permissions possible #1678
Description
Is your feature request related to a problem? Please describe.
I want to onboard managed clusters with service accounts / kubeconfigs that are strictly limited to deploying resources into defined namespaces, while not being allowed to list / create / patch other namespaces.
Currently this is not possible because the addon-controller tries to patch the namespace of namespaced resources in order to make sure that the namespace exists, resulting in the following error:
```yaml
status:
  connectionFailures: 158
  connectionStatus: Down
  failureMessage: 'namespaces "kube-system" is forbidden: User "system:serviceaccount:garden-dev:sveltos-robot"
    cannot get resource "namespaces" in API group "" in the namespace "kube-system"'
```
Describe the solution you'd like
I would like to be able to configure the behaviour of the addon-controller in such a way that I can choose whether Sveltos tries to create a namespace if it does not exist, or whether it is up to me to create the namespace and therefore be able to use more restrictive RBAC rules.
I do not know much about the code structure, but the config could look like this:
```yaml
apiVersion: config.projectsveltos.io/v1beta1
kind: ClusterProfile
...
spec:
  policyRefs:
    - deploymentType: Remote
      kind: ConfigMap
      name: postgres-cluster
      optional: false
      tier: 100
      createNamespace: false
```
If not already implemented, this could also be useful for HelmCharts!
Additional context
Slack conversation: https://projectsveltos.slack.com/archives/C046P825BBL/p1774960505895279
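As an added example (not part of the issue, and not code from the Sveltos project), this is the kind of namespace-scoped RBAC the request would make usable on a managed cluster: a ServiceAccount that may manage workload resources in one pre-created namespace but has no permission on the cluster-scoped `namespaces` resource. The ServiceAccount name and namespace (`garden-dev` / `sveltos-robot`) are taken from the error message above; the target namespace `postgres`, the Role names and the resource list are assumptions for illustration. The last document shows a possible workaround for today's behaviour, again an assumption, based only on the get/patch calls the issue describes.

```yaml
# Added example, not from the issue author or the Sveltos code base.
# Assumed: the cluster owner has already created the "postgres" namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sveltos-robot
  namespace: garden-dev
---
# Namespace-scoped Role: full management of the listed workload resources
# inside "postgres" only. There is deliberately no rule for "namespaces",
# so a "get namespaces" request (what the addon-controller does today before
# deploying) is denied, matching the failureMessage quoted in the issue.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: sveltos-deployer        # assumed name
  namespace: postgres           # assumed target namespace
rules:
  - apiGroups: [""]
    resources: ["configmaps", "secrets", "services", "serviceaccounts", "persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sveltos-deployer
  namespace: postgres
subjects:
  - kind: ServiceAccount
    name: sveltos-robot
    namespace: garden-dev
roleRef:
  kind: Role
  name: sveltos-deployer
  apiGroup: rbac.authorization.k8s.io
---
# Possible workaround until a createNamespace toggle exists (assumption):
# Kubernetes RBAC lets a rule be limited to named objects via resourceNames,
# so "get" and "patch" can be granted on the single namespace "postgres"
# without exposing any other namespace. "create" and "list" cannot be
# restricted by resourceNames and are intentionally left out, which is why
# the namespace must exist beforehand.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sveltos-postgres-namespace-ro   # assumed name
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    resourceNames: ["postgres"]
    verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sveltos-postgres-namespace-ro
subjects:
  - kind: ServiceAccount
    name: sveltos-robot
    namespace: garden-dev
roleRef:
  kind: ClusterRole
  name: sveltos-postgres-namespace-ro
  apiGroup: rbac.authorization.k8s.io
```

To verify the scope from the managed cluster, impersonate the account with kubectl: `kubectl auth can-i get namespaces --as=system:serviceaccount:garden-dev:sveltos-robot` should answer `no` for namespaces other than `postgres` (without the last ClusterRole it answers `no` for all of them, reproducing the error in the issue), while `kubectl auth can-i create deployments -n postgres --as=system:serviceaccount:garden-dev:sveltos-robot` should answer `yes`.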