After we implement #737, users will need to provide their own service accounts that have the permissions necessary to manage the lifecycle of a bundle.
The service account needs CRUD on each group resource of each unique object in the bundle.
If there are any ClusterRoles, Roles, ClusterRoleBindings, and/or RoleBindings, the service account additionally needs:
Either escalate/bind, to allow the service account to create permissions it itself does not have,
OR permissions that match the permissions that are granted by the RBAC in the bundle.
There are some technical challenges here:
The bundle must be pulled, extracted, and rendered in order to see what would be deployed.
User input from #381 will cause the contents of the rendered manifest to be configurable, potentially resulting in a different set of RBAC required.
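The two requirements above, worked through on an already-rendered manifest list. This is an added example, not code from the project: the function names, the verb set taken to mean "CRUD", the naive kind-to-resource pluralisation and the sample bundle are all assumptions.

```python
"""Derive the RBAC an installer service account needs from rendered manifests."""
import json

RBAC_GROUP = "rbac.authorization.k8s.io"
# Assumption: "CRUD" is read as this verb set.
CRUD = ("create", "get", "list", "watch", "update", "patch", "delete")


def resource_key(api_version, kind):
    # "apps/v1" -> "apps"; "v1" -> "" (core group).
    group = api_version.rpartition("/")[0]
    # Naive pluralisation; a real tool resolves kinds through API discovery.
    return group, kind.lower() + "s"


def required_rules(objects, escalate_bind):
    """Return PolicyRule-shaped dicts for the given rendered objects."""
    verbs = {}    # (group, resource) -> set of verbs
    granted = []  # rules copied from the bundle's own Roles/ClusterRoles
    for obj in objects:
        key = resource_key(obj["apiVersion"], obj["kind"])
        verbs.setdefault(key, set()).update(CRUD)
        if key[0] != RBAC_GROUP:
            continue
        if not escalate_bind:
            # Option 2: hold every permission the bundle's RBAC grants.
            # A roleRef to a role outside the bundle cannot be resolved here.
            granted.extend(obj.get("rules", []))
        elif "roleRef" in obj:
            # "bind" is checked on the referenced role, not on the binding.
            ref = resource_key(RBAC_GROUP + "/v1", obj["roleRef"]["kind"])
            verbs.setdefault(ref, set()).add("bind")
        else:
            verbs[key].add("escalate")
    rules = [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
             for (g, r), v in sorted(verbs.items())]
    return rules + granted


# Constructed sample: what a rendered bundle might contain.
BUNDLE = [
    {"apiVersion": "apps/v1", "kind": "Deployment"},
    {"apiVersion": "apps/v1", "kind": "Deployment"},
    {"apiVersion": "v1", "kind": "ServiceAccount"},
    {"apiVersion": RBAC_GROUP + "/v1", "kind": "ClusterRole", "rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    {"apiVersion": RBAC_GROUP + "/v1", "kind": "ClusterRoleBinding",
     "roleRef": {"kind": "ClusterRole", "name": "example"}},
]

if __name__ == "__main__":
    print(json.dumps(required_rules(BUNDLE, escalate_bind=True), indent=2))
```

Because the rules are computed from the rendered objects, any user input that changes the rendering changes the result, so the calculation has to be repeated per configuration.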