Add aggregationRule for spec compliance #25
de681f1 to b42b9df
The ClusterRole with the aggregationRule needs to be an independent resource. It's implemented by overwriting the rules on itself.
Thanks for the suggestion. I will explore how to implement this.
Create a new ClusterRole resource, and connect it to the ServiceAccount with a ClusterRoleBinding. For the most part, you can copy the pattern of the existing ClusterRole/Binding pair.
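
The arrangement described in the review comments above, written out as manifests. This is an added example, not code from this PR or the project; every name, the namespace, the label key and the sample rule are placeholders chosen for illustration.

```yaml
# 1. The aggregated ClusterRole is its own resource. Its rules are left empty:
#    the control plane overwrites them with the union of the rules of every
#    ClusterRole that matches the selector below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-aggregate-role                      # placeholder name
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      example.com/aggregate-to-controller: "true"   # placeholder label key
rules: []
---
# 2. A contributing ClusterRole. It carries the label, so its rules are
#    merged into example-aggregate-role. The aggregate itself does not
#    carry the label and never lists these rules by hand.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-workload-access                     # placeholder name
  labels:
    example.com/aggregate-to-controller: "true"
rules:
- apiGroups: ["apps"]                               # sample rule only
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "update", "patch"]
---
# 3. The binding connects the aggregate (not the contributing role)
#    to the controller's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-aggregate-rolebinding               # placeholder name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-aggregate-role
subjects:
- kind: ServiceAccount
  name: example-controller                          # placeholder name
  namespace: example-system                         # placeholder namespace
```

Because the aggregate's rules are the union of every ClusterRole matching the selector, the ability to create or label ClusterRoles with that key is effectively the ability to widen what the bound ServiceAccount can do, so review who holds it.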
Ref. https://github.com/k8s-service-bindings/spec#role-based-access-control-rbac
Signed-off-by: Baiju Muthukadan <baiju.m.mail@gmail.com>
b42b9df to 4acd649
Makefile
Outdated
@@ -72,7 +72,7 @@ uninstall: manifests ## Uninstall CRDs from the K8s cluster specified in ~/.kube | |||
$(KUSTOMIZE) build config/crd | $(KO) delete -f - | |||
|
|||
deploy: manifests ## Deploy controller to the K8s cluster specified in ~/.kube/config. | |||
$(KUSTOMIZE) build config/default | $(KO) apply -f - | |||
$(KUSTOMIZE) build config/default | $(KO) apply --local -f - |
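Review bot: The changed recipe line under deploy hard-codes --local into the ko call, so every caller of make deploy gets that mode with no way to override it from the environment, while the target's help text ("Deploy controller to the K8s cluster specified in ~/.kube/config.") says nothing about the new requirement. Suggest keeping the recipe as "$(KUSTOMIZE) build config/default | $(KO) apply -f -" and leaving the image destination to the caller's ko configuration, or at minimum updating the ## help comment to state the constraint. The change is also unrelated to the aggregationRule work named in this PR's title and would be easier to review on its own.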
The `--local` flag is required for building the image locally and deploying it. Otherwise, ko expects the `KO_DOCKER_REPO` variable to be set with credentials to push the image to that location. Since the `deploy` target is only used locally, I think it is safe to set the `--local` flag. Before using ko, the configuration was like this:

```makefile
deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
	$(KUSTOMIZE) build config/default | kubectl apply -f -
```

With that configuration, the image was built using the local docker daemon but not pushed. So, the equivalent of that configuration is using ko with the `--local` flag. Also, we have separate CI job steps to publish OCI images.

P.S: This change could be a separate PR. But I noticed this issue while working on the current PR.
Adding `--local` forces all callers to write to a docker daemon. This same behavior can be achieved by setting `KO_DOCKER_REPO=ko.local`, without impacting all users. Likewise, kind users can set the var to `kind.local` and the built image will be side-loaded into kind before the resources are applied to the cluster.
My bad! Reverted this change.
Signed-off-by: Baiju Muthukadan <baiju.m.mail@gmail.com>
Ref. https://github.com/k8s-service-bindings/spec#role-based-access-control-rbac
Signed-off-by: Baiju Muthukadan <baiju.m.mail@gmail.com>