Add aggregationRule for spec compliance #25
Conversation
baijum
force-pushed
the
aggregation-rule
branch
2 times, most recently
from
de681f1
to
b42b9df
Compare
Thanks for the suggestion. I will explore how to implement this. |
Create a new ClusterRole resource, and connect it to the ServiceAccount with a ClusterRoleBinding. For the most part, you can copy the pattern of the existing ClusterRole/Binding pair. |
Ref. https://github.com/k8s-service-bindings/spec#role-based-access-control-rbac Signed-off-by: Baiju Muthukadan <baiju.m.mail@gmail.com>
baijum
force-pushed
the
aggregation-rule
branch
from
b42b9df
to
4acd649
Compare
Makefile
Outdated
| @@ -72,7 +72,7 @@ uninstall: manifests ## Uninstall CRDs from the K8s cluster specified in ~/.kube | |||
| $(KUSTOMIZE) build config/crd | $(KO) delete -f - | |||
|
|
|||
| deploy: manifests ## Deploy controller to the K8s cluster specified in ~/.kube/config. | |||
| $(KUSTOMIZE) build config/default | $(KO) apply -f - | |||
| $(KUSTOMIZE) build config/default | $(KO) apply --local -f - | |||
There was a problem hiding this comment.
The --local flag is required for building the image locally and deploy it. Otherwise, ko expects KO_DOCKER_REPO variable set with credentials to push the image to that location. Since the deploy target is only used locally, I think it is safe to set the --local flag. Before using ko, the configuration was like this:
deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
$(KUSTOMIZE) build config/default | kubectl apply -f -
With that configuration, the image was built using the local docker daemon but not pushed. So, the equivalent of that configuration is using ko with --local flag. Also, we have separate CI job steps to publish OCI images.
P.S: This change could be a separate PR. But I noticed this issue while working on the current PR.
There was a problem hiding this comment.
Adding --local forces all callers to write to a docker daemon. This same behavior can be achieved by setting KO_DOCKER_REPO=ko.local, without impacting all users. Likewise kind users can set the car to kind.local and the build image will be side loaded into kind before the resources are applied to the cluster.
There was a problem hiding this comment.
my bad! Reverted this change.
Signed-off-by: Baiju Muthukadan <baiju.m.mail@gmail.com>
Ref. https://github.com/k8s-service-bindings/spec#role-based-access-control-rbac
Signed-off-by: Baiju Muthukadan baiju.m.mail@gmail.com