fix: limit usage of * in RBAC #440
Conversation
/retest
@@ -0,0 +1,36 @@ | |||
# permissions to scale Camel K resources. |
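Review bot: the header comment `# permissions to scale Camel K resources.` on the first line of this new file does not describe a member-operator role and reads as copied from another project; replace it with a one-line statement of what this role grants and which ServiceAccount it is bound to, so the file is self-describing for the next reader.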
Is this up to date with the actual purpose of this role?
Good catch. Bad copy-paste; fixed in f8fbda0.
//+kubebuilder:rbac:groups="",resources=namespaces;limitranges,verbs=get;list;watch;create;update;patch;delete | ||
//+kubebuilder:rbac:groups="",resources=namespaces;resourcequotas,verbs=get;list;watch;create;update;patch;delete | ||
//+kubebuilder:rbac:groups=rbac.authorization.k8s.io;authorization.openshift.io,resources=rolebindings;roles;clusterroles;clusterrolebindings,verbs=* | ||
//+kubebuilder:rbac:groups="",resources=namespaces;limitranges;resourcequotas;pods/exec,verbs=get;list;watch;create;update;patch;delete |
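Review bot: the `verbs=*` rule on rolebindings/roles/clusterroles/clusterrolebindings is removed and nothing in this hunk replaces it; if the operator still has to create those objects (the sandbox templates discussed below do contain them), it needs an explicit rule such as `//+kubebuilder:rbac:groups=rbac.authorization.k8s.io;authorization.openshift.io,resources=rolebindings;roles;clusterroles;clusterrolebindings,verbs=get;list;watch;create;update;patch;delete`, which keeps `escalate` and `bind` out while still allowing create. Separately, `pods/exec` is folded into the core-group line with all seven verbs, but the exec subresource is only driven by `create` (and `get` for the websocket form); listing update/patch/delete there is dead weight and hides that `create` on pods/exec is interactive shell access to every pod in the bound namespace, so give it its own marker with `verbs=create` and a comment naming the template that needs it.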
Just trying to understand: what is this controller doing with pods/exec resources?
This is needed to be able to apply sandbox templates: https://github.com/codeready-toolchain/host-operator/blob/master/deploy/templates/nstemplatetiers/base1ns/ns_dev.yaml#L21-L37
Thanks for addressing my comments 👍
Unfortunately, this won't be as easy as it seems to be. It's very hard to reference an already existing ClusterRole which is not managed by OLM, and it's impossible to do that in an e2e (or dev) environment where we deploy two versions of member-operator. The reason is that OLM doesn't know which SA in which namespace the ClusterRole should be assigned to. Plus, there is also a conflict in the name of the created ClusterRoleBinding.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: alexeykazakov, MatousJobanek, mfrancisc, rajivnathan.
@MatousJobanek: The following test failed, say
Kudos, SonarCloud Quality Gate passed! 0 Bugs. No Coverage information.
I moved the PR to a draft until I figure out how to solve the problem I mentioned in my previous comment #440 (comment).
Codecov Report

@@           Coverage Diff           @@
##           master     #440   +/-   ##
=======================================
  Coverage   82.17%   82.17%
=======================================
  Files          28       28
  Lines        3298     3298
=======================================
  Hits         2710     2710
  Misses        445      445
  Partials      143      143
Because * also includes escalate permissions.
There needs to be a follow-up on the appstudio side as well.
KUBESAW-178
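The point made above, that `verbs=*` silently includes `escalate` and `bind` on RBAC objects, is easy to check mechanically before a marker reaches a generated ClusterRole. The Go program below is an added example written for this page; it is not part of the PR or the member-operator code base. It parses kubebuilder RBAC markers of the form used in the diff, reports any marker with a wildcard verb or with explicit `escalate`/`bind` on `rbac.authorization.k8s.io` or `authorization.openshift.io` objects, and rewrites a wildcard marker into the explicit verb list the other markers in the PR already use. `ParseMarker`, `Lint`, `Rewrite`, the `rbacGroups` table and the sample marker in `main` are all constructed here (the sample reproduces the marker the hunk removes).

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one parsed kubebuilder RBAC marker (helper type for this added lint).
type Rule struct {
	Groups, Resources, Verbs []string
}

// explicitVerbs is the spelled-out list the other markers in the PR use; it
// deliberately leaves out escalate and bind.
var explicitVerbs = []string{"get", "list", "watch", "create", "update", "patch", "delete"}

// rbacGroups hold objects that carry permissions; escalate and bind on them
// (both included in "*") let a subject grant permissions it does not hold.
var rbacGroups = map[string]bool{"rbac.authorization.k8s.io": true, "authorization.openshift.io": true}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// ParseMarker turns `//+kubebuilder:rbac:groups="",resources=pods,verbs=get;list`
// into a Rule: ';' separates items and groups="" is the core API group.
func ParseMarker(line string) (Rule, bool) {
	const prefix = "+kubebuilder:rbac:"
	body := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(line), "//"))
	if !strings.HasPrefix(body, prefix) {
		return Rule{}, false
	}
	var r Rule
	for _, kv := range strings.Split(strings.TrimPrefix(body, prefix), ",") {
		if key, val, ok := strings.Cut(kv, "="); ok {
			items := strings.Split(strings.Trim(val, `"`), ";")
			switch key {
			case "groups":
				r.Groups = items
			case "resources":
				r.Resources = items
			case "verbs":
				r.Verbs = items
			}
		}
	}
	return r, true
}

// Lint reports, as "marker N: reason", every marker whose verbs grant more
// than an explicit list would.
func Lint(markers []string) []string {
	var out []string
	for i, m := range markers {
		r, ok := ParseMarker(m)
		if !ok {
			continue
		}
		onRBAC := false
		for _, g := range r.Groups {
			onRBAC = onRBAC || rbacGroups[g]
		}
		for _, v := range r.Verbs {
			switch {
			case v == "*":
				out = append(out, fmt.Sprintf("marker %d: verbs=* also grants escalate, bind and any verb added later", i+1))
			case onRBAC && (v == "escalate" || v == "bind"):
				out = append(out, fmt.Sprintf("marker %d: verb %q lets the subject grant permissions it does not hold", i+1, v))
			}
		}
	}
	return out
}

// Rewrite returns the marker with verbs=* replaced by the explicit list;
// markers without a wildcard come back unchanged.
func Rewrite(marker string) string {
	r, ok := ParseMarker(marker)
	if !ok || !contains(r.Verbs, "*") {
		return marker
	}
	groups := strings.Join(r.Groups, ";")
	if groups == "" {
		groups = `""`
	}
	return fmt.Sprintf("//+kubebuilder:rbac:groups=%s,resources=%s,verbs=%s",
		groups, strings.Join(r.Resources, ";"), strings.Join(explicitVerbs, ";"))
}

func main() {
	// Constructed input: the RBAC marker removed by the hunk above, before the fix.
	old := `//+kubebuilder:rbac:groups=rbac.authorization.k8s.io;authorization.openshift.io,resources=rolebindings;roles;clusterroles;clusterrolebindings,verbs=*`
	fmt.Println(strings.Join(Lint([]string{old}), "\n"))
	fmt.Println("suggested:", Rewrite(old))
}
```

Run it as a pre-commit or `make verify` step over `grep -rh '+kubebuilder:rbac' ./controllers` output and fail the build on any finding; the explicit list it suggests is exactly what the PR's other markers use, so a rewritten rule still lets the operator create Roles and RoleBindings while no longer holding `escalate` or `bind`.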