Closed zfrhv closed 7 months ago
Hi @zfrhv. Thanks for your PR.
I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test
on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test
label.
I understand the commands that are listed here.
Also does hnc supposed to have cluster-admin?: https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/config/rbac/role.yaml#L19C1-L24C8
Also does hnc supposed to have cluster-admin?: https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/config/rbac/role.yaml#L19C1-L24C8
Basically, yes, since HNC can be used to copy any namespaced object. If there were a way to only give permissions for namespaced objects we'd do that, but AFAIK this doesn't exist.
Individual HNC users can easily restrict HNC to only have access to an allowlisted set of resources, but this is the only default that will reliably work in all cases.
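As an added illustration of the allowlist approach mentioned in the comment above (this is example configuration written for this page, not a manifest shipped by the HNC project), the following pairs an HNCConfiguration that propagates only a few types with a ClusterRole narrowed to exactly those types plus what the controller needs for itself. The ClusterRole name, the controller-plumbing rules (events, leases) and the exact verb lists are assumptions; derive the real ones from the upstream config/rbac/role.yaml for the version you run.

```yaml
# Added example, not HNC's shipped manifests. Names and verb lists are assumptions.
#
# 1. Tell HNC to propagate only an allowlisted set of types.
apiVersion: hnc.x-k8s.io/v1alpha2
kind: HNCConfiguration
metadata:
  name: config
spec:
  resources:
    - resource: secrets            # core group: omit "group"
      mode: Propagate
    - group: networking.k8s.io
      resource: networkpolicies
      mode: Propagate
  # Roles and RoleBindings are enforced types in HNC and need no entry here.
---
# 2. Replace the wildcard rule
#      - apiGroups: ["*"]
#        resources: ["*"]
#        verbs: ["*"]
#    with rules scoped to the allowlist above plus HNC's own needs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: hnc-manager-role          # assumed name; match your install
rules:
  # Namespaces: HNC creates subnamespaces and labels parents/children.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  # HNC's own API objects (anchors, hierarchy and HNC configs, HRQs).
  - apiGroups: ["hnc.x-k8s.io"]
    resources: ["*"]
    verbs: ["*"]
  # Roles/RoleBindings are copied verbatim from parent to child, so HNC
  # would hit RBAC escalation prevention unless it either already holds
  # every permission it copies or has the "escalate"/"bind" verbs. This is
  # the main reason the default is a wildcard role.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "escalate"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "bind"]
  # The allowlisted propagated types.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Controller plumbing (assumed): events and leader-election leases.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "create", "update"]
```

The trade-off is visible in the rbac rules: a narrowed role stops HNC from copying arbitrary object types, but because HNC copies Roles and RoleBindings it still needs `escalate` and `bind`, which are themselves privilege-granting verbs. After applying, confirm the effective grant with `kubectl auth can-i --list --as=system:serviceaccount:<hnc-namespace>:<hnc-serviceaccount>` (namespace and service-account names depend on your install) and check that nothing outside the allowlist appears.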
If there were a way to only give permissions for namespaced objects we'd do that, but AFAIK this doesn't exist.
Isn't that what the operatorGroups are made for?
When installing an operator with OLM, an operatorGroup must exist, and there you can specify the list of the namespaces on which the operator will have permissions.
You can even use a label selector, just put the label on the namespace and the operator should get control of it.
I hope I'm not mistaken.
OperatorGroups appear to only be an OpenShift concept, not a K8s concept. So I can't comment on that... plus from your description it's a way to select the namespaces for the operator, but not the types of objects.
OperatorGroups appear to only be an OpenShift concept
OLM can be installed in Kubernetes, but I understand if you don't want to use it because probably most Kubernetes people don't use it.
plus from your description it's a way to select the namespaces for the operator, but not the types of objects.
I'm pretty sure you can configure the objects that you need the permissions for, and OLM will create permissions for those objects in the listed namespaces (maybe you can specify `*`).
I'm not too confident because the only operator I made was from helm chart, and it was bad quality.
Also I didn't know I had to update incubator/hnc/config/rbac/kustomization.yaml, so I'm going to do that.
/ok-to-test
/assign @adrianludwin
Failure looks unrelated, probably just a flake?
/lgtm /retest
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.
This bot triages PRs according to the following rules:
- lifecycle/stale is applied
- after lifecycle/stale was applied, lifecycle/rotten is applied
- after lifecycle/rotten was applied, the PR is closed
You can:
- /remove-lifecycle stale
- /close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
/lgtm /approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: rjbez17, zfrhv
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Changing permissions to default clusterRoles. Each user that has admin/edit can manage sub-namespaces and HRQs. Each user that has view/cluster-reader can see all hnc CRs.
Related to: #317
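For readers who want to see the pattern the PR description refers to, here is an added example (written for this page, not the PR's own diff) of how HNC's custom resources can be folded into the built-in admin/edit/view roles through ClusterRole aggregation. The resource names are HNC's (`hnc.x-k8s.io`); the ClusterRole names are assumptions, and the `aggregate-to-cluster-reader` label is an OpenShift convention that plain Kubernetes ignores.

```yaml
# Added example, not the PR's diff. ClusterRole names are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: hnc-aggregate-to-admin-edit    # assumed name
  labels:
    # The built-in admin and edit ClusterRoles carry aggregationRules that
    # pick up any ClusterRole with these labels, so no new binding is needed.
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
  # admin/edit users can create subnamespaces and manage hierarchical quotas.
  # Both types are namespaced, so a RoleBinding to admin/edit in namespace X
  # grants this only for anchors and HRQs in X.
  - apiGroups: ["hnc.x-k8s.io"]
    resources: ["subnamespaceanchors", "hierarchicalresourcequotas"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: hnc-aggregate-to-view          # assumed name
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    # OpenShift's cluster-reader role aggregates on this label; on upstream
    # Kubernetes nothing selects it, so the label is inert there.
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
  # view/cluster-reader users can read every HNC CR (read-only verbs only).
  - apiGroups: ["hnc.x-k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
```

One caveat worth weighing before adopting this shape: the built-in admin and edit ClusterRoles deliberately exclude write access to resourcequotas, so aggregating HRQ write verbs into them is a broader grant than those roles otherwise give a namespace user, and a user who can edit an HRQ can loosen the limits set on their own subtree. The example follows the PR description as written; a more conservative variant keeps HRQs in the view block only. Verify the result with `kubectl auth can-i create subnamespaceanchors.hnc.x-k8s.io -n <ns> --as=<user>` for a user bound to edit, and the matching `can-i create hierarchicalresourcequotas.hnc.x-k8s.io` if you decide to restrict that.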