rancher / system-upgrade-controller

In your Kubernetes, upgrading your nodes
Apache License 2.0

feat: Reduce permissions for system-upgrade-controller serviceaccount #288

Closed SISheogorath closed 4 months ago

SISheogorath commented 4 months ago

This patch drastically cuts down the permissions of the system-upgrade-controller from the previous cluster-admin permissions to a tailored set of permissions for the controller.

SISheogorath commented 4 months ago

Before we merge that, I had one more thought: Currently the controller installs its own CRDs if they aren't present in the cluster. So maybe it needs some more permissions for creating CRDs? (I install them separately as part of the kustomization, so it wasn't a thing for me.)

brandond commented 4 months ago

How does the controller handle the failure if the CRDs don't exist, or are out of sync, and it doesn't have permission to create or update them? If we're going to remove permission to create CRDs, we probably need a CLI flag to disable managing them.

SISheogorath commented 4 months ago

If it can't read CRDs directly, it just assumes they exist and assumes it's all fine.

We could include the CRD itself in the kustomize output.

brandond commented 4 months ago

Can you rebase this on top of current master so that CI can finish?

SISheogorath commented 4 months ago

There we go :)

SISheogorath commented 4 months ago

They had nothing to do with the change, just cleaning up along the way. Undid them for now :)