
Add ClusterRole and ClusterRoleBinding to support using bypass_api_service patroni option

Open · agrevtsev opened this issue 1 year ago · 1 comment

  • Which image of the operator are you using? registry.opensource.zalan.do/acid/postgres-operator:v1.8.2
  • Where do you run it - cloud or metal? Kubernetes or OpenShift? Bare Metal K8s
  • Are you running Postgres Operator in production? yes
  • Type of issue? feature request

Hi team! Patroni supports the bypass_api_service option, which allows it to connect to the Kubernetes endpoints directly, instead of going over KUBERNETES_SERVICE_HOST (which is usually some LB pointing to the master nodes). To resolve such endpoints, it queries /api/v1/namespaces/default/endpoints/kubernetes, which should be explicitly allowed. My proposal is to

  1. Create a dedicated ClusterRole to permit GET against /api/v1/namespaces/default/endpoints/kubernetes
  2. Create a ClusterRoleBinding for the pod service account (used by the postgres & patroni pods) when a cluster is created, by means of the operator.

Br, Alex

agrevtsev · Feb 12 '23 12:02
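The RBAC objects the request above describes, written out as an added example (this is not code from the issue author or from the postgres-operator project). The REST path /api/v1/namespaces/default/endpoints/kubernetes maps to the core API group, resource `endpoints`, object name `kubernetes`, in namespace `default`, so the rule can be pinned with `resourceNames` rather than granting GET on every Endpoints object. The service account name `postgres-pod` and the cluster namespace `db` are assumptions; substitute the operator's configured pod service account and the namespace your Postgres cluster runs in.

```yaml
# Added example, not from the postgres-operator project.
# Least-privilege grant for Patroni's bypass_api_service lookup:
# GET on exactly one Endpoints object, "kubernetes" in namespace "default".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: patroni-kubernetes-endpoints-reader
rules:
  - apiGroups: [""]            # core API group (/api/v1)
    resources: ["endpoints"]
    resourceNames: ["kubernetes"]
    verbs: ["get"]
---
# Bind the role to the pod service account. Because the only object
# involved lives in the "default" namespace, a namespaced RoleBinding
# there is sufficient; it references the ClusterRole above but grants
# it only within "default", which is tighter than a ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: patroni-kubernetes-endpoints-reader
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: patroni-kubernetes-endpoints-reader
subjects:
  - kind: ServiceAccount
    name: postgres-pod        # assumed: the operator's pod service account
    namespace: db             # assumed: namespace of the Postgres cluster
```

After applying, verify the grant is scoped as intended before enabling bypass_api_service: `kubectl auth can-i get endpoints/kubernetes -n default --as=system:serviceaccount:db:postgres-pod` should answer `yes`, while `kubectl auth can-i get endpoints -n default --as=system:serviceaccount:db:postgres-pod` (no resource name) and the same check against any other namespace should answer `no`. If you follow the issue's proposal of a ClusterRoleBinding instead, the `resourceNames` restriction is what keeps the grant from exposing every Endpoints object in the cluster, so do not drop it.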

Any progress on this?

@agrevtsev, did you find a work-around?

MatthiasLohr · Apr 26 '24 09:04