SISheogorath closed 4 months ago
Before we merge that, I had one more thought: Currently the controller installs its own CRDs if they aren't present in the cluster. So maybe it needs some more permissions for creating CRDs? (I install them separately as part of the kustomization, so it wasn't a thing for me.)
How does the controller handle the failure if the CRDs don't exist, or are out of sync, and it doesn't have permission to create or update them? If we're going to remove permission to create CRDs, we probably need a CLI flag to disable managing them.
If it can't read CRDs directly, it just assumes they exist and assumes it's all fine.
We could include the CRD itself in the kustomize output.
Can you rebase this on top of current master so that CI can finish?
There we go :)
They had nothing to do with the change, just cleaning up along the way. Undid them for now :)
This patch drastically cuts down the permissions of the system-upgrades-controller from the previous cluster-admin permissions to a tailored set of permissions for the controller.