Open skitt opened 3 years ago
@skitt @SteveMattar shall this be an item for 0.9.0? sounds risky to me.
I’ve got a patch in progress for this, but it is indeed somewhat risky (although the code generates files we can compare with the existing setup, so it’s easy enough to verify). I’ve moved it to 0.10.
I agree let's wait with this
The kustomize part is handled in this patch: https://github.com/submariner-io/submariner-operator/pull/1375
This issue has been automatically marked as stale because it has not had activity for 60 days. It will be closed if no further activity occurs. Please make a comment if this issue/pr is still valid. Thank you for your contributions.
@skitt Do you have any pointers about how this should be done?
The relevant section in the Operator SDK documentation is https://sdk.operatorframework.io/docs/building-operators/golang/operator-scope/#restricting-roles-and-permissions
The kubebuilder reference is https://book.kubebuilder.io/reference/markers/rbac.html
See https://github.com/skitt/submariner-operator/pull/16 where I started working on this a while back — my process then was to compare the generated RBAC with the RBAC we had in our YAML files, determine whether a missing permission was significant, and add the corresponding annotation.
See https://github.com/operator-framework/operator-sdk/issues/6100 for namespace permissions instead of cluster permissions.
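The comparison step described above (generated RBAC versus the hand-written YAML, then an annotation for whatever is genuinely missing) can be mechanised. The following is an added example written for this thread, not code from the submariner-operator repository: it flattens two rule sets into (group, resource, verb) triples, reports the permissions the generated role lacks, and renders the corresponding kubebuilder RBAC markers, with the optional `namespace=` field for the namespace-scoped case. The `PolicyRule` type and the sample rules are constructed for the example rather than taken from the project's manifests.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// PolicyRule carries the three fields of an RBAC PolicyRule that matter for
// this comparison. It is a constructed type, not the upstream k8s.io/api
// struct, so the example runs with no dependencies.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// Permission is one (group, resource, verb) triple; a role is the set of them.
type Permission struct {
	Group, Resource, Verb string
}

func (p Permission) String() string {
	g := p.Group
	if g == "" {
		g = `""` // the core API group is written as "" in both YAML and markers
	}
	return fmt.Sprintf("%s/%s:%s", g, p.Resource, p.Verb)
}

// Expand flattens rules into individual permissions so two roles can be
// compared regardless of how their rules happen to be grouped.
func Expand(rules []PolicyRule) map[Permission]bool {
	out := map[Permission]bool{}
	for _, r := range rules {
		for _, g := range r.APIGroups {
			for _, res := range r.Resources {
				for _, v := range r.Verbs {
					out[Permission{g, res, v}] = true
				}
			}
		}
	}
	return out
}

// Missing returns the permissions present in existing but absent from
// generated, sorted for stable output. Wildcards are compared literally:
// "*" in the hand-written YAML is only matched by "*" in the generated rules,
// which is the conservative reading when the goal is to tighten the role.
func Missing(existing, generated []PolicyRule) []Permission {
	have := Expand(generated)
	var missing []Permission
	for p := range Expand(existing) {
		if !have[p] {
			missing = append(missing, p)
		}
	}
	sort.Slice(missing, func(i, j int) bool { return missing[i].String() < missing[j].String() })
	return missing
}

// MarkersFor groups missing permissions per (group, resource) and renders one
// kubebuilder RBAC marker each. A non-empty namespace adds the marker's
// namespace field, which makes controller-gen emit a Role rather than a
// ClusterRole rule for that entry.
func MarkersFor(missing []Permission, namespace string) []string {
	type key struct{ group, resource string }
	verbs := map[key][]string{}
	var order []key
	for _, p := range missing {
		k := key{p.Group, p.Resource}
		if _, seen := verbs[k]; !seen {
			order = append(order, k)
		}
		verbs[k] = append(verbs[k], p.Verb)
	}
	var markers []string
	for _, k := range order {
		g := k.group
		if g == "" {
			g = `""`
		}
		m := fmt.Sprintf("// +kubebuilder:rbac:groups=%s,resources=%s,verbs=%s",
			g, k.resource, strings.Join(verbs[k], ";"))
		if namespace != "" {
			m += ",namespace=" + namespace
		}
		markers = append(markers, m)
	}
	return markers
}

func main() {
	// Constructed sample: what the checked-in YAML grants versus what the
	// markers currently present in the code would generate.
	existing := []PolicyRule{
		{APIGroups: []string{""}, Resources: []string{"pods", "services"}, Verbs: []string{"get", "list", "watch"}},
		{APIGroups: []string{"apps"}, Resources: []string{"daemonsets"}, Verbs: []string{"get", "list", "watch", "create", "update", "delete"}},
	}
	generated := []PolicyRule{
		{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get", "list", "watch"}},
		{APIGroups: []string{"apps"}, Resources: []string{"daemonsets"}, Verbs: []string{"get", "list", "watch", "create", "update"}},
	}
	for _, p := range Missing(existing, generated) {
		fmt.Println("missing:", p)
	}
	for _, m := range MarkersFor(Missing(existing, generated), "") {
		fmt.Println(m)
	}
}
```

Each reported line still needs the human judgement the comment above describes: a permission that is missing from the generated output may be a stale leftover in the YAML rather than something the controller actually uses, and only the latter should get a marker.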
I should stop beating my head against this and ask...what about the non-operator roles? I went through some ideas that turned out obviously-in-retrospect bad, like annotating some calls with extra permissions to try to cover them or cloning the other repos during generation.
Still not sure what to do about roles that are currently hosted in the operator repo but with code-to-annotate in other repos, how to connect them to the automated generation.
We should generate the RBAC declarations from code (see the TODO in controllers/submariner/broker_controller.go). The resulting YAML files could also be re-used for the operator bundle, and the RBAC-declaration code in pkg/broker/rbac.go would no longer be necessary.