build: add rbac for default sa #13917
Now we can see the service account.
c658d7f to 1ce172b
namespace: {{ .Release.Namespace }} # namespace:cluster | ||
rules: | ||
- apiGroups: [""] | ||
resources: ["pod"] |
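Review bot: `resources: ["pod"]` in the `rules:` block names the resource in the singular, but RBAC rules match on the plural resource name (`pods`), so this entry would not match any pod request as written. If the default service account is not meant to gain privileges, drop the entry and leave `rules: []`; if pod access is actually required, use `pods` with the narrowest verbs and add a comment next to the rule saying why it is needed.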
Why is this pod get role added? I don't expect any new privileges for the default service account.
I can remove it
That was just for testing
rook csv doesn't contain the default service account

recently we added default sa for most of the ceph daemons but it didn't have the rbacs, so added the rbacs to it so rook csv can generate default sa

Signed-off-by: parth-gr <partharora1010@gmail.com>
If this is only needed for the csv, could we just add this during the csv generation script? I don't see why we need it in the rook repo
at the end it will be in the rook image so doesn't matter, but to keep the flow same, let's discuss
It will be difficult to do such a hack during CSV generation. I would +1 for this PR. Maybe we can add a comment on why we need it.
Please sync up with @subhamkrai on related PR #13906
for now, we can add this in downstream repo only, no need to add this in upstream, and ocs-operator or build can use the downstream repo (which it does I guess)
Opened a PR red-hat-storage#589 hope it is easy to maintain, and from where
closing as fixed in downstream