shivamnarula
commented
1 year ago Why do we need this when we can use ClusterRoleBinding and that works?
Open GoodOldJack12 opened 2 years ago
shivamnarula
commented
1 year ago Why do we need this when we can use ClusterRoleBinding and that works?
GoodOldJack12
commented
1 year ago Why do we need this when we can use ClusterRoleBinding and that works?
Because then it wouldn't be truly in a single name space. A good use case for this is multi-tenant setups where a tenant might not have cluster wise permissions.
Really, there's no reason to have a cluster role for this functionality.
This would also make this application have an advantage over the official consul solution, which can't be installed in a single namespace
shivamnarula
commented
1 year ago Why do we need this when we can use ClusterRoleBinding and that works?
Because then it wouldn't be truly in a single name space. A good use case for this is multi-tenant setups where a tenant might not have cluster wise permissions.
Really, there's no reason to have a cluster role for this functionality.
This would also make this application have an advantage over the official consul solution, which can't be installed in a single namespace
Understood. Thankyou!
Updates the API version like #60
This change makes it possible to deploy consul-register in a single namespace without needing cluster-wide permissions.
rolebinding.yamlcontains the minimal permission set required for this setup. (watchdoesn't seem to break all functionality, but the application does produce errors if its not present)I'm not familiar with Go, so please check if I didn't accidentally break something.