Comments (5)
Fedosin
commented on September 23, 2024
1
Hello @keskanatala! Unfortunately, there is a reason behind granting such broad permissions to our operator. As you may be aware, each cluster API provider has a unique set of Custom Resource Definitions (CRDs) - such as AWSMachineTemplates in CAPA, AzureManagedControlPlane in CAPZ, and so on. Additionally, these providers have their own RBAC permissions for their respective CRDs. To install these RBAC permissions, our operator must also has them; otherwise, we encounter a user is attempting to grant RBAC permissions not currently held error. This list of permissions is constantly evolving and cannot be predetermined or statically set, hence necessitating admin privileges for the operator.
If you have security concerns, there is a workaround. Rather than creating a ClusterRoleBinding, you can create a RoleBinding and specifically choose the namespaces where you install your providers. For example, if you want to install CAPA in capa-system namespace, just delete the permissive ClusterRoleBinding and apply this
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
clusterctl.cluster.x-k8s.io/core: capi-operator
name: capi-operator-manager-rolebinding
namespace: capa-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: capi-operator-manager-role
subjects:
- kind: ServiceAccount
name: default
namespace: capi-operator-system
After that operator will have admin permissions in a particular namespace rather then in the whole cluster.
I'm going to write a small document to describe this process in details.
from cluster-api-operator.
k8s-triage-robot
commented on September 23, 2024
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue as fresh with
/remove-lifecycle stale - Close this issue with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
from cluster-api-operator.
k8s-triage-robot
commented on September 23, 2024
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue as fresh with
/remove-lifecycle rotten - Close this issue with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
from cluster-api-operator.
k8s-triage-robot
commented on September 23, 2024
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Reopen this issue with
/reopen - Mark this issue as fresh with
/remove-lifecycle rotten - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
from cluster-api-operator.
k8s-ci-robot
commented on September 23, 2024
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".
In response to this:
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied- After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied- After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closedYou can:
- Reopen this issue with
/reopen- Mark this issue as fresh with
/remove-lifecycle rotten- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
from cluster-api-operator.
Related Issues (20)
- Better error message: "more than one config maps were found" (please add version info) HOT 3
- Update of third party addon provider not working HOT 1
- Install cert-manager dependencies fail HOT 5
- Helm chart install and quickstart scenarios not working HOT 4
- Helm Chart CRDs Placement Causes Flaky Installations HOT 11
- Support for Installing Multiple Infrastructures in Helm Chart (GCP and AWS) with Tutorial HOT 3
- Capi-operator deployment needs proper ready signal for helm HOT 3
- official arm64 container images HOT 2
- Automatic deletion of all providers HOT 10
- More restrict permissions HOT 1
- Support Multiple CoreProviders HOT 1
- CAPI v1.8.0-beta.0 has been released and is ready for testing HOT 1
- pull-cluster-api-operator-e2e-main needs to be migrated to the community cluster ASAP HOT 4
- Unable to upgrade providers when using custom fetchconfig HOT 4
- error message using additionalDeployments field HOT 4
- Setting maxConcurrentReconciles doesnt work with all InfraProviders HOT 1
- Versions are not correctly reflected for clusterctl HOT 1
- Manual changes on operator-managed deployments dont get rolled back HOT 1
- CRDs contain an invalid CABundle HOT 1
- InfrastructureProvider do not pass configSecret HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cluster-api-operator.