Closed jefflill closed 6 months ago
I removed the namespace property for now since it doesn't actually do anything. Namespaced roles might be a feature we can add in the future.
Generated roles don't need to specify the namespace since tools like helm will add it for you.
The neon-cluster-operator service specifies the following RBAC rules:
The OperatorSDK generates two role files:
clusterrole-neon-cluster-operator.yaml
role-neon-cluster-operator.yaml
clusterrole-neon-cluster-operator.yaml looks OK:
but role-neon-cluster-operator.yaml should be specifying the target namespace in it's metadata, right?
So, I think the namespace role is actually being applied only to the default namespace right now.
Note that it's possible for a service to reference multiple namespaces, so you'll need to generate multiple role manifests in this file, one per referenced namespace, separating these with "---" lines.