nats-operator icon indicating copy to clipboard operation
nats-operator copied to clipboard

Published 20 hours ago verified publisher icon nats-io

Normalize RBAC configuration

Open pires opened this issue 6 years ago • 3 comments

We introduced breaking changes in #143 that were not caught by our e2e test suite because skaffold has its own RBAC configuration. This has been identified in #163.

In order to avoid falling in the same trap, we can try and normalize RBAC rules to a single file to rule all scenarios, ie deployment and e2e.

pires avatar Apr 09 '19 17:04 pires

@wallyqs want to pick it up? :)

pires avatar Apr 10 '19 07:04 pires

@pires yes can take look 👍

wallyqs avatar Apr 10 '19 09:04 wallyqs

I deployed a namespace scoped nats-operator and tried to only assign Roles instead of ClusterRoles.

Unfortunately the operator crashes because it requires list pods on nats-io which is hard coded in exitOnPreexistingClusterScopedNatsOperatorPods.

I understand that the goal is to prevent people from making accidental mistakes and deploying a cluster scoped nats operator alongside a namespace scoped operator.

IMO that should be the responsibility of whoever deploys the service instead and should just be properly documented. Are there other reasons why you can't use Roles instead of ClusterRoles?

I think two different deployment strategies would make sense, one for namespace scoped without ClusterRoles and one cluster-scope with ClusterRoles.

If that's something to consider, i'd gladly open a separate issue for it.

arminbuerkle avatar Aug 16 '19 08:08 arminbuerkle