Add namespace-scoped RBAC manifests for when `prefect-operator` only watches its own namespace

PrefectHQ / prefect-operator

A Kubernetes operator for managing Prefect servers and work pools

10 stars 0 forks source link

Add namespace-scoped RBAC manifests for when `prefect-operator` only watches its own namespace #72

Open mitchnielsen opened 2 months ago

mitchnielsen commented 2 months ago

Summary

Context: https://github.com/PrefectHQ/prefect-operator/pull/61#issuecomment-2327264950

Wanted to throw this up as a Draft for later in case this ends up making sense for this Operator. As a note, if we pursue this, we'll want to update RBAC to match the new permission model (i.e. change ClusterRole to Role, etc).

Acceptance criteria

[ ] When Operator only watches its own namespace, scope down the RBAC so there are no cluster-scoped resources (ClusterRole, etc.)

chrisguidry commented 1 month ago

I think this isn't about removing the cluster-scoped RBACs, it's about generating a separate set of manifests for cluster-scoped versus namespaced

mitchnielsen commented 1 month ago

Agree with the rephrasing, and this should be easier with Helm templates now that we have a chart.