Epic: descope the Submariner operator #75
Comments
|
This doesn’t have a corresponding EP yet; I don’t think it’s worth going into detail until #105 is implemented, since that should address a number of the issues involved in descoping the operator (or help determine whether it is actually possible to do so). I will revisit this once #105 is done, and go through the exception process if the epic remains relevant. |
|
Talking about this on the PR scrub, it seems it has two serial dependencies and would be tough to finish this release. Moving back to the backlog. |
@skitt - Do you have plans to add a EP for this? |
|
This PR/issue depends on:
|
|
The key difference between this and the RBAC work is that once we make the RBAC changes, we also need to decide if we need to configure the operator to be able to watch same-namespace, other-namespace, or all-namespaces. |
|
This enhancement has been covered by the recent work to reduce RBAC permissions for all the components. |
Epic Description
The Submariner operator currently has wide-ranging privileges. It doesn’t need to be able to access anything outside the namespaces it manages, so this should be reduced. See https://hackmd.io/wVfLKpxtSN-P0n07Kx4J8Q for background.
Depends on submariner-io/submariner-operator#1105
RBAC generation will affect this, we should wait to have a better idea of that before starting work on designing this.
Acceptance Criteria
The operator is de-scoped, ideally with no ClusterRole, at minimum with justifications for every permission in its ClusterRole.
See also submariner-io/submariner-operator#1105 which overlaps with this; auto-generation should be used if the SDK supports it for namespace-scoped Roles.
Definition of Done (Checklist)
Work Items
The text was updated successfully, but these errors were encountered: