apecloud / kubeblocks-addons

KubeBlocks add-ons.
Apache License 2.0

chore: disable manual rbac by default #1197

Open cjc7373 opened 5 days ago

cjc7373 commented 5 days ago

also add patroni's policy rules

cjc7373 commented 1 day ago

It seems like rbacEnabled is used to "simulate" user-defined RBAC resources. @Y-Rookie What's this field designed for?

zjx20 commented 1 day ago

I suggest deleting it if it's useless.

ldming commented 4 hours ago

> It seems like rbacEnabled is used to "simulate" user-defined RBAC resources. @Y-Rookie What's this field designed for?

In earlier versions of KubeBlocks, it did not support the automatic creation of service accounts (SA) with specific roles for clusters. Therefore, they would be created in kbcli or helm charts. After KB started supporting this feature, in most cases, this parameter has become unnecessary.

But, to my knowledge, currently, Elasticsearch sets this parameter to true, referring to this PR https://github.com/apecloud/kbcli/pull/460.

https://github.com/apecloud/kubeblocks/blob/26e2cf458382b8732d5e2ff54e3ac8b273f02272/controllers/apps/transformer_component_rbac.go#L268-L271

KubeBlocks will not create the SA if probe, volume protection, and data protection are disabled at the same time.

IMO, KubeBlocks should create the cluster SA, and delete rbacEnabled in the helm chart and kbcli.