ansibleplaybookbundle / kubevirt-apb

APB for managing KubeVirt deployments
Apache License 2.0

Provide RBAC rules for virtualmachines-apb #16

Closed rthallisey closed 6 years ago

rthallisey commented 6 years ago

The virtualmachines-apb requires we run as cluster-admin. We should be able to add RBAC rules for KubeVirt to create for the virtualmachines-apb so that it can run as non-cluster-admin.

karmab commented 6 years ago

I don't think adding RBAC rules will do the trick, as the CRD is created within the APB.

rthallisey commented 6 years ago

@karmab are you saying that the CRD, the API for the VM, doesn't exist until the VM is created, so we can't create any rules for it because k8s doesn't know what API we're talking about?

Can we create the CRD here?

karmab commented 6 years ago

Actually, what I meant is that the APB would be creating a VM object (CRD) living in a different namespace than the one it's currently deployed in. For me this didn't work, but maybe I'm wrong (and it has to do with the next section).

But it's worse, because even if the APB can create objects in the destination namespace, we would get errors like the following, though the user does belong to the indicated namespace:

[jmayer@master01 ~]$ oc get vm
Error from server (Forbidden): virtualmachines.kubevirt.io is forbidden: User "jmayer" cannot list virtualmachines.kubevirt.io in the namespace "woodstock": User "jmayer" cannot list virtualmachines.kubevirt.io in project "woodstock"

nellyc commented 6 years ago

@rthallisey is this still relevant? Or did it become obsolete with the latest changes in KubeVirt roles mgmt?

rthallisey commented 6 years ago

@nellyc closed. Aggregated roles were added.
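
For reference, this is the shape of an aggregated role that would cover the `virtualmachines.kubevirt.io` resource from the Forbidden error above. It is an added example, not part of the original thread and not KubeVirt's own manifests: the ClusterRole names are hypothetical, while the `aggregate-to-*` labels are the standard Kubernetes ones that fold these rules into the built-in `view`, `edit` and `admin` roles.

```yaml
# Added example; role names are hypothetical, not taken from KubeVirt.
# A cluster admin applies this once. After that, any user who already holds
# the built-in view/edit/admin role in a namespace gets the matching access
# to VM objects there, without being granted cluster-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-kubevirt-vm-view          # hypothetical name
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups: ["kubevirt.io"]
    resources: ["virtualmachines"]        # resource named in the error above
    verbs: ["get", "list", "watch"]       # read-only
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-kubevirt-vm-edit          # hypothetical name
  labels:
    # Labelled for both roles so namespace admins and editors can manage VMs.
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups: ["kubevirt.io"]
    resources: ["virtualmachines"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
# Check the effective permission for the user and namespace from the error:
#   oc auth can-i list virtualmachines.kubevirt.io -n woodstock --as jmayer
```

Because the rules are merged into the existing namespace-scoped roles, access stays bounded by whatever role binding the user already has in that namespace.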