jsonnet/prometheus-operator: restrict api extension RBAC rules #2974
Conversation
hmm, something seems to be off with the new policy, investigating 🤔
ok, i need to investigate further, the e2e tests imply that with this change prometheus-operator does not have permissions to create CRDs:
I think create cannot be bound to a resourceName. And I don’t think cluster monitoring operator (and prometheus operator) needs anything other than get/update on specific ones and generic create. I don’t think it needs list, delete, delete collection or watch at all.
thanks @brancz. I should have studied the documentation more intensely as per https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources. Indeed it states that
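The failure discussed above is a rule that binds `create` to `resourceNames`, which Kubernetes RBAC cannot evaluate because the new object's name is not known at authorization time (the same holds for `deletecollection`). The following check and rewrite is an added example, not code from prometheus-operator or this PR; the CRD names in the sample rule are illustrative and assumed.

```python
# Kubernetes RBAC ignores resourceNames for these verbs: for create the object's
# name is not known at authorization time, and deletecollection acts on a set.
# A rule that combines them with resourceNames therefore never grants the verb.
UNSCOPABLE_VERBS = {"create", "deletecollection"}


def find_unscopable_rules(rules):
    """Return (rule_index, verb) pairs for every verb in a name-scoped rule
    that RBAC cannot restrict by name, i.e. verbs the rule silently fails to grant."""
    findings = []
    for i, rule in enumerate(rules):
        if not rule.get("resourceNames"):
            continue
        for verb in rule.get("verbs", []):
            if verb in UNSCOPABLE_VERBS:
                findings.append((i, verb))
    return findings


def split_rule(rule):
    """Split a name-scoped rule into one that keeps resourceNames for the verbs
    that support it and a generic rule for the verbs that do not."""
    verbs = rule.get("verbs", [])
    if not rule.get("resourceNames"):
        return [rule]
    scoped = [v for v in verbs if v not in UNSCOPABLE_VERBS]
    generic = [v for v in verbs if v in UNSCOPABLE_VERBS]
    result = []
    if scoped:
        result.append(dict(rule, verbs=scoped))
    if generic:
        unscoped = {k: v for k, v in rule.items() if k != "resourceNames"}
        unscoped["verbs"] = generic
        result.append(unscoped)
    return result


# Constructed rule in the shape of the first attempt: create bound to specific
# CRD names. The CRD names are assumed for illustration; the verbs follow the thread.
BROKEN_RULE = {
    "apiGroups": ["apiextensions.k8s.io"],
    "resources": ["customresourcedefinitions"],
    "resourceNames": ["prometheuses.monitoring.coreos.com",
                      "alertmanagers.monitoring.coreos.com"],
    "verbs": ["create", "get", "update"],
}

if __name__ == "__main__":
    print(find_unscopable_rules([BROKEN_RULE]))  # [(0, 'create')]
    for fixed in split_rule(BROKEN_RULE):
        print(fixed)
```

Running the check over a rendered ClusterRole before applying it catches the rule the e2e tests only exposed at runtime.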
2d8e0ee to 510737e (compare)
Currently, prometheus-operator has access to all verbs to all custom resources. This fixes it by limiting it to custom resources under its jurisdiction.
510737e to 13f6f9f (compare)
ok, i was missing the cc @coreos/team-monitoring ptal
/cc @coreos/team-monitoring