Closed m1kola closed 2 weeks ago
Easy fix is to get rid of resourceNames
, but then we allow access to all CRDs. If we want to maintain resourceNames
then the client (helm?) needs to be aware of the resource names somehow.
I believe this will be fixed by #1119
If we want to maintain resourceNames then the client (helm?) needs to be aware of the resource names somehow.
In order for creates to work with a resourceName
, we need helm to use an apply patch rather than a create call. I don't think there is a way to get around the global list
and watch
permissions though. The boundaries for list and watch permissions are either:
Closing as a duplicate of #1195
I'm seeing the following logs from
operator-controller-controller-manager
after applyingconfig/samples/olm_v1alpha1_clusterextension.yaml
.Looking at the manifest I see the following:
https://github.com/operator-framework/operator-controller/blob/04ee036ace55df04451375e4a8d8ab283c8e1c43/config/samples/olm_v1alpha1_clusterextension.yaml#L37-L48
Note that we allow
list
here, but we also restrict byresourceNames
.Here is what the documentation says: