swoehrl-mw
commented
4 weeks ago Hi @nilushancosta. This sounds like something that can be added (PRs are always welcome if you want to give it a shot), as long as it is designed in a way that does not break the existing behaviour.
What/Why
What are you proposing?
Add the capability to make the operator use RoleBindings instead of ClusterRoleBindings
What users have asked for this feature?
https://github.com/opensearch-project/opensearch-k8s-operator/issues/702
What problems are you trying to solve?
The default behaviour of the operator's Helm chart is to create ClusterRoles and ClusterRoleBindings. But there are scenarios where the operator only needs to manage OpenSearch clusters in a single namespace. In such scenarios, RoleBindings can be used instead of ClusterRoleBindings
What is the developer experience going to be?
No new REST APIs
Are there any security considerations?
No
Are there any breaking changes to the API
No
What is the user experience going to be?
The proposal is to add a new parameter (set to
falseby default) in the operator's Helm value file as followsIf this is changed to
true, RoleBindings will be created instead of ClusterRoleBindings. Also if this is changed totruethe user will need to specify the namespace where the cluster is in using themanager.watchNamespaceparameterAre there breaking changes to the User Experience?
No. Since
useRoleBindingswill be set tofalseby default, existing deployments will not breakWhy should it be built? Any reason not to?
If the operator needs to manage OpenSearch cluster/s in a single namespace, there is no need to give cluster wide access to resources to the operator. Thus restricting permissions by using RoleBindings will improve security.
What will it take to execute?
Need to RoleBinding manifests to the operator's Helm chart I can submit a PR if this proposal sounds good
Any remaining open questions?
No