OpenShift Request For Enhancement
RFE-2043

CSV clusterPermissions to support RBAC aggregationRules


      Kubernetes has a concept for RBAC aggregation rules:

      https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles


      which allows one component to grant permissions to another component.

      In order to do that, we need to define a ClusterRole and a ClusterRoleBinding that will be associated with the service account of the operator.
      To do that, we need the namespace of the service account (the ClusterRoleBinding subject requires it); see the example here:

      https://github.com/redhat-openshift-ecosystem/community-operators-prod/blob/main/operators/node-healthcheck-operator/0.1.0/manifests/node-healthcheck-operator-manager-aggregator-rolebinding_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml#L13


      We can't know in advance the namespace that the operator will be deployed in.

      It would be good if the CSV allowed us to use aggregation rules.
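      As an added illustration (not part of this RFE or of the node-healthcheck-operator manifests), the three RBAC objects involved look like this as plain Kubernetes manifests. All object names, the service account name and the selector label are assumed; the namespace is a placeholder standing for the value that is not known when the CSV is authored.

```yaml
# Added example, not from the RFE. Names, labels and the namespace are assumptions.

# 1. The aggregating ClusterRole. The RBAC controller fills its "rules" from every
#    ClusterRole whose labels match the selector below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-operator-aggregated            # assumed name
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.example.com/aggregate-to-operator: "true"   # assumed label
rules: []   # managed by the controller; leave empty
---
# 2. A ClusterRole contributed by another component. Because it carries the selector
#    label, its rules are merged into the aggregating role above without touching it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-contributed-permissions       # assumed name
  labels:
    rbac.example.com/aggregate-to-operator: "true"
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
# 3. The ClusterRoleBinding that ties the aggregated role to the operator's service
#    account. A ServiceAccount subject must name its namespace, which is exactly the
#    value that cannot be known while writing the CSV.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-operator-aggregated-binding   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-operator-aggregated
subjects:
- kind: ServiceAccount
  name: example-operator-controller-manager   # assumed service account name
  namespace: OPERATOR_NAMESPACE                # placeholder: unknown at CSV authoring time
```

      After applying the first two objects, `kubectl get clusterrole example-operator-aggregated -o yaml` shows the contributed rules populated in the aggregating role; only the binding depends on the deployment namespace.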

      More info and context:

      https://coreos.slack.com/archives/C3VS0LV41/p1627378253118400

              atelang@redhat.com Anjali Telang
              nyehia Nir Yehia (Inactive)