Closed. font closed this pull request 6 years ago.
@font: Would it be better to do the following:
clusterregistry.k8s.io:apiserver clusterrole to clusterregistry.k8s.io:admin
clusterregistry.k8s.io:apiserver clusterrolebinding to clusterregistry.k8s.io:admin
clusterregistry.k8s.io:admin clusterrolebinding to reference clusterregistry.k8s.io:admin clusterrole
clusterregistry.k8s.io:admin clusterrolebinding to bind to only user AdminCN (remove service account)?

@mlowery We need to avoid creating unnecessary RBAC objects, especially if they are just an example, unless they are explicitly required by the cluster registry. The admin that deploys the cluster registry will have access to the clusters resource. They are then able to create more fine-grained ACLs if they wish. I don't think we want the crinit tool to assume a particular cluster registry security deployment model.
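As an added illustration (not part of this PR or of the cluster-registry code), this is what the two objects proposed in the comment above would look like if the admin who deployed the registry created them by hand afterwards, which is the model the reply leaves to the admin rather than to crinit. It assumes the registry's API group is clusterregistry.k8s.io with a cluster-scoped resource named clusters, uses AdminCN as the placeholder user name from the comment, and binds only a User subject, with no service account.

```yaml
# Added example, not generated by crinit. Assumptions: API group
# clusterregistry.k8s.io, resource "clusters", placeholder user "AdminCN".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: clusterregistry.k8s.io:admin
rules:
- apiGroups: ["clusterregistry.k8s.io"]
  resources: ["clusters"]
  # Full access to the registry's clusters resource; narrow the verbs
  # (e.g. to get/list/watch) for read-only principals.
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: clusterregistry.k8s.io:admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: clusterregistry.k8s.io:admin
subjects:
# Only the admin user from the comment; no ServiceAccount subject is bound.
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: AdminCN
```

After applying the manifest, the binding can be checked with `kubectl auth can-i create clusters.clusterregistry.k8s.io --as AdminCN`, which should answer yes, while the same query impersonating a user that is not bound should answer no.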
@perotinus PTAL.
/lgtm
Apologies, this fell off my radar in the midst of discussions about CRDs.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: font, perotinus
Remove unnecessary cluster role and cluster role binding objects, as I don't think we'll need them. These are mainly used to provide permissions for controllers within the cluster to perform specific cluster operations, e.g. an admission controller performing specific cluster resource operations. This cleans up and simplifies the code a bit. We can always add them back later if needed.
The k8s docs on this are a little misleading and suggest this is needed.
/sig multicluster