Make use of aggregated ClusterRoles #1111

Open
ClusterJan opened this issue Nov 7, 2023 · 0 comments
Labels
enhancement New feature or request


ClusterJan commented Nov 7, 2023

What is missing?

The editor and viewer cluster roles managed by the Helm chart and the k8ssandra-operator are missing RBAC labels, which would allow an automatic aggregation to cluster-wide roles.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aggregate-to-edit
  labels:
    # Add these permissions to the "admin" and "edit" default roles.
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
```

See: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles

Why do we need it?

These cluster roles, e.g., edit, can be used by GitLab runners in the Kubernetes cluster to automatically modify the state of the resources watched by the k8ssandra-operator. With this, creating an additional cluster role binding is then no longer necessary.

┆Issue is synchronized with this Jira Story by Unito
┆Issue Number: K8OP-64

@ClusterJan ClusterJan added the enhancement New feature or request label Nov 7, 2023
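An added example, not part of the issue or of the k8ssandra-operator code: a small pre-merge check that models which labelled ClusterRoles feed the default `admin`, `edit` and `view` roles, and flags any role that would put mutating verbs into the read-only `view` role. The role names, the `example.io` API group and the `widgets` resource are constructed placeholders, and only direct label selection is modelled.

```python
# Model of direct label selection by the default aggregated ClusterRoles.
AGG_PREFIX = "rbac.authorization.k8s.io/aggregate-to-"
TARGETS = ("admin", "edit", "view")
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
READ = ["get", "list", "watch"]


def _role(name, targets, verbs):
    """Build a constructed ClusterRole dict (hypothetical names and resources)."""
    labels = {AGG_PREFIX + t: "true" for t in targets}
    return {
        "metadata": {"name": name, "labels": labels},
        "rules": [{"apiGroups": ["example.io"], "resources": ["widgets"],
                   "verbs": verbs}],
    }


# Constructed sample input: what a chart might render after adding the labels.
ROLES = [
    _role("example-editor-role", ["admin", "edit"], READ + ["create", "patch"]),
    _role("example-viewer-role", ["view"], READ),
    _role("example-mislabelled-role", ["view"], READ + ["patch"]),
    _role("example-unlabelled-role", [], READ + ["delete"]),
]


def aggregate(roles):
    """Return {target: [(role_name, rule), ...]} for every label set to "true"."""
    out = {t: [] for t in TARGETS}
    for role in roles:
        meta = role["metadata"]
        labels = meta.get("labels") or {}
        for target in TARGETS:
            if labels.get(AGG_PREFIX + target) == "true":
                out[target].extend((meta["name"], r) for r in role.get("rules", []))
    return out


def write_access_in_view(roles):
    """Names of roles that would add mutating verbs to the 'view' role."""
    return sorted({name for name, rule in aggregate(roles)["view"]
                   if WRITE_VERBS & set(rule["verbs"])})


if __name__ == "__main__":
    for target, entries in aggregate(ROLES).items():
        print(target, [name for name, _ in entries])
    print("write verbs reaching view:", write_access_in_view(ROLES))
```

Every subject already bound to `edit` or `admin` in any namespace picks up the aggregated rules, so the labels on each role are worth reviewing as carefully as its rules.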