Open mudler opened 4 years ago
Also, see https://github.com/SUSE/eirinix/issues/22, as it is related to this issue. EiriniX should also provide a way to define certificates (maybe as a CLI option) from paths; this allows lowering the permissions required at runtime even further by just mounting the certs as a secret. I would block this issue until we have such a feature in EiriniX, as the solution sounds more solid.
Please look and see if this can be done in an init container.
@mudler is this still blocked?
@mudler is this still blocked?
yep, needs https://github.com/cloudfoundry-incubator/eirinix/issues/22 worked out first
Is your feature request related to a problem? Please describe.
It lowers the permissions required to run the extension containers. If we split registration into a separate job, the extension doesn't need to interact with Kubernetes resources.
Describe the solution you'd like
We can have jobs which have the permission to create the MutatingWebhook; the extension doesn't need that privilege.
Describe alternatives you've considered
N/A
Additional context
https://github.com/cloudfoundry-community/eirini-bosh-release/pull/72 was a WIP on the eirini-bosh-release side. With KubeCF we can also implement this in native Kubernetes and drop consuming the extensions from the bosh-release. This will also help in the long run when we will just use the native charts #465.
See also https://github.com/SUSE/eirinix/issues/22
The EiriniX feature is explained here: https://github.com/SUSE/eirinix#split-extension-registration-into-two-binaries
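The split proposed in this issue, sketched as Kubernetes manifests. This is an added example, not taken from the issue, KubeCF or EiriniX: every name, the namespace and the images are placeholders, and it assumes the webhook certificates are provisioned as a Secret outside the extension and that the extension needs no Kubernetes API access once registration is done by the Job.

```yaml
# Added example: all names, the namespace and the images are placeholders.
# 1) One-shot registration Job: the only identity allowed to create the webhook.
apiVersion: v1
kind: ServiceAccount
metadata: {name: extension-registration, namespace: example-extensions}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: extension-registration}
rules:
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ["create"]   # widen only if the Job must be re-runnable
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: extension-registration}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: extension-registration}
subjects:
  - {kind: ServiceAccount, name: extension-registration, namespace: example-extensions}
---
apiVersion: batch/v1
kind: Job
metadata: {name: extension-registration, namespace: example-extensions}
spec:
  template:
    spec:
      serviceAccountName: extension-registration
      restartPolicy: OnFailure
      containers:
        - name: register
          image: registry.example/extension-register:placeholder
---
# 2) Long-running extension: no API token, certs mounted read-only from a Secret.
apiVersion: apps/v1
kind: Deployment
metadata: {name: extension, namespace: example-extensions}
spec:
  selector: {matchLabels: {app: extension}}
  template:
    metadata: {labels: {app: extension}}
    spec:
      automountServiceAccountToken: false   # assumption: extension never calls the API
      containers:
        - name: extension
          image: registry.example/extension:placeholder
          volumeMounts:
            - {name: webhook-certs, mountPath: /certs, readOnly: true}
      volumes:
        - name: webhook-certs
          secret: {secretName: extension-webhook-certs}   # provisioned outside the extension
```

With this layout, `kubectl auth can-i create mutatingwebhookconfigurations --as=system:serviceaccount:example-extensions:default` should answer `no`, while the same query for the `extension-registration` service account answers `yes`.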