-
Notifications
You must be signed in to change notification settings - Fork 959
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
limit perms for crds #1044
Comments
I'm a bit confused. It looks like you want something like our user-facing cluster roles. Why disable CRD validation? That's to check if submitted manifest contain errors. The last error message has nothing to do with this. It just means the |
@FxKu Thanks for clarification on enable_crd_validation .
Yes, we must restrict it to "get" verb only. The serviceAccounts we use (including pg opr serviceAccount) are not allowed to create/update crds. (crd deploy is done by admins, in flow before). |
I also would like to prevent the operator from managing the CRDs, we want to the limit the operator ClusterRole permissions and we will deploy multiple postgres-operators so it's better that only admins have control on the CRDs. Now, the operators log Also I would like to know if CRDs change a lot and if backward compatibility is always ensured (I think it's the case), basically I would like to know if using multiple operators is a good idea, I don't want all my pg clusters to rely on the same operators. Thanks. |
@FxKu : We are facing the same issue in our cluster ? how can we avoid it ? |
Request to access crds is usually a problem for non-admin users.
If we want to drastically limit to crds, what are the smallest list of perms required?
FYI, we have already set:
confirmed by:
But we get:
Is this the minimum requried perm?
resources:
verbs:
PS: related to PR: https://github.com/zalando/postgres-operator/pull/599/files
The text was updated successfully, but these errors were encountered: