- Feature Request
- Resolution: Unresolved
- Major
- None
- openshift-4.14.z
1. Proposed title of this feature request
2. What is the nature and description of the request?
The K8s community does not control how access is provided to custom resources (CRs) (such as cert-manager certificate, multus NAD, etc.).
It is the CaaS designer's decision (in this case Red Hat) to add such CR operations to the clusterrole.
As we already mentioned in the comment below, 'oc get clusterrole admin -o yaml' shows that a non-admin user has permission to get/list/watch multus NAD.
Why is Red Hat restricting a non-admin user (a namespace user) from multus NAD creation?
3. Why does the customer need this? (List the business requirements here)
From a business case point of view, a CNF deployment should be possible using a namespace user. All the resources required by the CNF should be created by that non-admin user only.
A CNF will have multus NAD helm charts and normal micro-services helm charts.
One cannot split the CNF helm charts in two: one set of helm charts to be deployed with admin privileges and the other set by the namespace user.
Creating a custom role for each namespace user is not operability friendly.
4. List any affected packages or components.
multus net-attach-def