When we create a binding, we set up a dedicated admin ServiceAccount for that namespace. We don't give out cluster-admin permissions. However, the operators need to create CRDs, which can only be done at the cluster-admin level. So now we install the operators as part of the base k8s deployment.
This also simplifies use of the Solr brokerpak... One can just create solr-cloud services without worrying about whether someone has already created a solr-operator in the underlying k8s.
When we create a binding, we set up a dedicated admin ServiceAccount for that namespace. We don't give out cluster-admin permissions. However, the operators need to create CRDs, which can only be done at the cluster-admin level. So now we install the operators as part of the base k8s deployment.
This also simplifies use of the Solr brokerpak... One can just create
solr-cloudservices without worrying about whether someone has already created asolr-operatorin the underlying k8s.