search

apache / camel-k

Apache Camel K is a lightweight integration platform, born on Kubernetes, with serverless superpowers
https://camel.apache.org/camel-k
Apache License 2.0
863 stars 344 forks source link

Cluster role global false still deploying cluster role #5656

Closed jarredmcginty closed 2 months ago

jarredmcginty commented 3 months ago

What happened?

Hi there the problem I am experiencing an issue when I try to deploy multiple version of the camel-k operator on my cluster. To do this I need to ensure the cluster role for the given operator is not set to global - this appears be a configurable property in the helm chart .Values.operator.global. However, when I set this to helm property to "false" the cluster role is still deployed.

Steps to reproduce

Screenshot 2024-06-18 at 11 15 44

Camel K version

2.3.0

gansheer commented 3 months ago

Hi @jarredmcginty ! Just to confirm: is this about the camel-k:edit clusterrole ? It is the only one I can see created.

jarredmcginty commented 3 months ago

Hi @jarredmcginty ! Just to confirm: is this about the camel-k:edit clusterrole ? It is the only one I can see created.

Hi @gansheer yes that is correct. The situation I am experiencing is that I had multiple environments on a single cluster, each with the a deployment of the camel-k:edit cluster role. Due to multiple deployments of this cluster role there is a conflict from a global perspective. The way I understand the helm chart is that setting the operator.global to "false" should have resolved this issue.

If I am misunderstanding the helm chart please let me know.

gansheer commented 3 months ago

Having some global kubernetes objects are expected. The Camel K operator comes with Custom Resource Definitions (CRD), which are cluster-wide objects. So in a way we can't avoid having some Kubernetes objects installed on a global perspective, ie cluster-wide. To access these CRDs we create a cluster role. Even if you install multiple version of the operator, you will have one version of the CRDs on the cluster.

That being said, compared to other installation procedures this clusterrole is a clearly more permissive in its definition. In the default configuration files that https://github.com/apache/camel-k/tree/main/pkg/resources/config/rbac we mainly install an applicative cluster role for access to the CRDs (operator-cluster-role-custom-resource-definitions.yaml). You can also find the additional camel-k-edit which is a role to add the CR permissions to "admin" and "edit" roles (user-cluster-role.yaml). There are also some additional feature specific cluster roles (knative and registry).

I think it might be better to have RBACs similar to default configuration files.

jarredmcginty commented 3 months ago

I think my question may be better phased in terms of understanding of the helm chart.

When the value in the helm chart .Values.operator.global is set to "true", we should deploy a cluster role. But if this value is set to "false" it should not deploy this cluster role as described in the helm chart below.

Screenshot 2024-06-19 at 14 23 50

However, when the value is set to "false" the cluster role is still deployed