CRDs should be namespace-scoped instead of cluser-scoped #30
Comments
|
for that reason you can use compositions in crossplane context |
|
@haarchri, could you point me towards documentation that clearly explain how compositions can be used to address the issue we're facing? The issue being that the Vault provider's resources are all cluster-scoped which forces us to grant cluster-wide permissions to manage any of the cluster-scoped resources to our end users. |
|
Hey we have a similar problem where we dont want to give access to cluster scoped resources and would rather have it namespace scoped. Could you elaborate by what you mean with compositions? My understand is that compositions is still cluster scoped? |
|
here the link to official documentation: https://docs.crossplane.io/latest/concepts/claims/ - and some community tooling arround if you want to use 1:1 managed resources to claims https://github.com/crossplane-contrib/x-generation |
What problem are you facing?
All the CRDs for this provider are cluster-scoped which requires granting access to end users to those resources. In my case, each application (owned by different people) gets a namespace. Each namespace has a ArgoCD
AppProjectresource that grants access to create any namespace-scoped resource, but denies the creation of any cluster-scoped resource.How could Upbound help solve your problem?
Those resources should be namespace scoped to allow proper multi-tenancy and reduction of blast-radius.
Let me know if more information is needed.
The text was updated successfully, but these errors were encountered: