Have CSO (CVO?) ship the CSI sidecar ClusterRoles and let CSI driver operators just create ClusterRoleBindings to them.
Why is this important? (mandatory)
Currently, each CSI driver operator deploys its own copy of ClusterRoles + ClusterRoleBindings. This is error-prone: when a sidecar needs a new permission, we must update all CSI driver operators. It would be better to have one canonical set of ClusterRoles, created by CSO (CVO?), and just bind to them in the operators.
- As cluster admin, when I create a cluster on a supported cloud, I get a cluster with CSI driver(s) pre-installed and ready to use.
I.e. installer + CVO + CSO install CSI driver with the right RBACs. We must not create any regression there.
- As OCP storage maintainer, I want to add new RBAC permissions to CSI sidecars in a single place, so I don't need to copy RBACs to all CSI driver operators.
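A sketch of the proposed split, added here as an illustration and not taken from CSO or any CSI driver operator: one shared ClusterRole per sidecar, and one ClusterRoleBinding per driver. All object and ServiceAccount names are hypothetical, the namespace is an assumption, and the rules are only a subset of what the external-provisioner sidecar needs.

```yaml
# Shipped once by CSO (CVO?): the canonical role for one sidecar.
# Name is hypothetical; rules are an illustrative subset.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-csi-external-provisioner
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
---
# Created by driver operator A: a binding only, no copy of the rules.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-driver-a-provisioner-binding    # hypothetical
subjects:
  - kind: ServiceAccount
    name: example-driver-a-controller-sa        # hypothetical
    namespace: openshift-cluster-csi-drivers    # assumed driver namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-csi-external-provisioner
---
# Created by driver operator B: same roleRef, different subject.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-driver-b-provisioner-binding    # hypothetical
subjects:
  - kind: ServiceAccount
    name: example-driver-b-controller-sa        # hypothetical
    namespace: openshift-cluster-csi-drivers    # assumed driver namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-csi-external-provisioner
```

Because `roleRef` is immutable, renaming a shared ClusterRole means each operator must delete and recreate its binding. Any rule added to the shared role is granted to every bound driver at once, so the shared rules should stay limited to what the sidecar itself needs.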
Dependencies (internal and external) (mandatory)
Contributing Teams(and contacts) (mandatory)
Documentation - We expect no docs; this is not a user-visible change
PX - We expect no PX; this is not a user-visible change
Acceptance Criteria (optional)
Provide some (testable) examples of how we will know if we have achieved the epic goal.
Drawbacks or Risk (optional)
Reasons we should consider NOT doing this such as: limited audience for the feature, feature will be superseded by other work that is planned, resulting feature will introduce substantial administrative complexity or user confusion, etc.
Done - Checklist (mandatory)
The following points apply to all epics and are what the OpenShift team believes are the minimum set of criteria that epics should meet for us to consider them potentially shippable. We request that epic owners modify this list to reflect the work to be completed in order to produce something that is potentially shippable.
- CI Testing - Basic e2e automation tests are merged and completing successfully
- Documentation - Content development is complete.
- QE - Test scenarios are written and executed successfully.
- Technical Enablement - Slides are complete (if requested by PLM)
- Engineering Stories Merged
- All associated work items with the Epic are closed
- Epic status should be “Release Pending”