Configurable object types only being replicated

[MansM]

Is your feature request related to a problem? Please describe. Due security/risk limitations I had to bolt down the permissions of kubernetes-replicatior to only allow syncing of certain secrets, the log is now full of messages about not allowed to access certain object types

E0628 06:47:18.420095       1 reflector.go:148] pkg/mod/k8s.io/client-go@v0.27.3/tools/cache/reflector.go:231: Failed to watch *v1.RoleBinding: failed to list *v1.RoleBinding: rolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-config:replicator-kubernetes-replicator" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
W0628 06:47:22.329545       1 reflector.go:533] pkg/mod/k8s.io/client-go@v0.27.3/tools/cache/reflector.go:231: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-config:replicator-kubernetes-replicator" cannot list resource "configmaps" in API group "" at the cluster scope
E0628 06:47:22.329636       1 reflector.go:148] pkg/mod/k8s.io/client-go@v0.27.3/tools/cache/reflector.go:231: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-config:replicator-kubernetes-replicator" cannot list resource "configmaps" in API group "" at the cluster scope

Describe the solution you'd like env variables that allow you to exclude object types (to not break backwards compability)

Describe alternatives you've considered config file isnt needed now, so why make it

Additional context Add any other context or screenshots about the feature request here.

[martin-helmich]

Hey Mans; thanks for the suggestion, this absolutely makes sense. :+1: Maybe we could integrate this with the Helm chart values, so that we can prevent the respective RBAC rules from being deployed in the first place when using the Helm chart.

I cannot make any promises as to when someone will actually get to this; in the meantime, PRs are of course always welcome. 🙂

[MansM]

we might come with a PR soon. Need to discuss with some coworkers.

just to be sure:

• we need to have some sort of flag parser that parses the list of comma separated excluded objecttypes or env variable parser
• some if statement to prevent replicator creation for unwanted object types
• some if statements around the run() for each objecttype?
• some if statements for the liveness probe

(maybe refactor to go to per objecttype instead of per step (creation, run, etc))

do I miss something?

[rustycl0ck]

• Just linking to an old issue as well - https://github.com/mittwald/kubernetes-replicator/issues/80

[aljoshare]

Do you have something on a branch already? @MansM