Open ReSearchITEng opened 4 years ago
I'm a bit confused. It looks like you want something like our user-facing cluster roles.
Why disable CRD validation? That's to check if submitted manifest contain errors. The last error message has nothing to do with this. It just means the serviceAccount
you are using does not have the permission to create a CRD. Have you change the operator cluster role? This one needs to be able to register CRDs and update them.
@FxKu Thanks for clarification on enable_crd_validation . As for your question:
Have you change the operator cluster role? This one needs to be able to register CRDs and update them.
Yes, we must restrict it to "get" verb only. The serviceAccounts we use (including pg opr serviceAccount) are not allowed to create/update crds. (crd deploy is done by admins, in flow before). Why would it require? Is it mandatory or maybe we can put a parameter to skip it?
I also would like to prevent the operator from managing the CRDs, we want to the limit the operator ClusterRole permissions and we will deploy multiple postgres-operators so it's better that only admins have control on the CRDs.
Now, the operators log could not create customResourceDefinition
, is it ok? they're not running on a degraded mode or something?
Also I would like to know if CRDs change a lot and if backward compatibility is always ensured (I think it's the case), basically I would like to know if using multiple operators is a good idea, I don't want all my pg clusters to rely on the same operators.
Thanks.
@FxKu : We are facing the same issue in our cluster ? how can we avoid it ?
Request to access crds is usually a problem for non-admin users.
If we want to drastically limit to crds, what are the smallest list of perms required?
FYI, we have already set:
confirmed by:
But we get:
Is this the minimum requried perm?
PS: related to PR: https://github.com/zalando/postgres-operator/pull/599/files