Closed majst01 closed 3 years ago
I also think that GEPM would be a better fit. Then you can also deploy it only if the group-rolebinding controller ("authEnabled") gets deployed. I guess it is somehow related to this component?
Role-aggregation is IMHO not related (at least not tied) to the rolebinding controller. It enables you to add permissions on resources of your api-groups to the default Kubernetes cluster-roles, e.g. "view", "edit" or "admin", which is very useful. One can think of this as deployment-specific in a way that you want to enable the default view to also view the resources of your api-group only for specific environments/clusters. In other environments you may want to create a separate role/binding to be more fine-grained.
In order to allow k8s users with *-all-all-view to access our resources like cwnp and firewall, add an aggregate clusterrole with a proper label to enable this permission inheritance. Also add shortname for ClusterwideNetworkpolicy (cwnp) and Firewall (fw).

TODO:
Once https://github.com/metal-stack/gardener-extension-provider-metal/pull/181 is merged, this should be merged as well
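
A simplified model of the role aggregation discussed in this thread, added here as an example and not code from this PR or the metal-stack project: it shows which labelled ClusterRoles are merged into the default `view` role and flags any contributor that would widen it beyond read verbs. The API group `example.invalid` and the `example-*` role names are placeholders, and only `matchLabels` selectors are modelled.

```python
AGG_VIEW = "rbac.authorization.k8s.io/aggregate-to-view"
READ_VERBS = {"get", "list", "watch"}

def rule(group, resources, verbs):
    return {"apiGroups": [group], "resources": resources, "verbs": verbs}

# Constructed objects: "example.invalid" is a placeholder API group and the
# example-* role names are hypothetical. Only matchLabels is modelled.
CLUSTER_ROLES = [
    {"metadata": {"name": "view"}, "rules": [],
     "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG_VIEW: "true"}}]}},
    {"metadata": {"name": "example-firewall-view", "labels": {AGG_VIEW: "true"}},
     "rules": [rule("example.invalid", ["clusterwidenetworkpolicies", "firewalls"],
                    ["get", "list", "watch"])]},
    {"metadata": {"name": "example-firewall-edit"},  # no label: never aggregated
     "rules": [rule("example.invalid", ["firewalls"], ["update"])]},
    {"metadata": {"name": "example-mislabelled", "labels": {AGG_VIEW: "true"}},
     "rules": [rule("example.invalid", ["firewalls"], ["get", "delete"])]},
]

def contributors(aggregate_name, roles):
    """Names of ClusterRoles whose labels match a selector of the aggregate."""
    agg = next(r for r in roles if r["metadata"]["name"] == aggregate_name)
    selectors = agg.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    return [
        r["metadata"]["name"] for r in roles
        if r is not agg and any(
            all(r["metadata"].get("labels", {}).get(k) == v
                for k, v in s.get("matchLabels", {}).items())
            for s in selectors)
    ]

def grants(aggregate_name, roles):
    """Set of (source role, apiGroup, resource, verb) merged into the aggregate."""
    names = set(contributors(aggregate_name, roles))
    return {
        (r["metadata"]["name"], g, res, v)
        for r in roles if r["metadata"]["name"] in names
        for ru in r["rules"]
        for g in ru["apiGroups"] for res in ru["resources"] for v in ru["verbs"]
    }

def non_read_grants(aggregate_name, roles):
    """Audit check: grants that would widen a read-only aggregate beyond read verbs."""
    return sorted(g for g in grants(aggregate_name, roles) if g[3] not in READ_VERBS)

if __name__ == "__main__":
    print(contributors("view", CLUSTER_ROLES))
    print(non_read_grants("view", CLUSTER_ROLES))
```

The same check can be run over real objects by loading the output of `kubectl get clusterroles -o json` and passing its `items` list as `roles`.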