api: add CSIProvisionerRBAC functions for the NFS-provisioner #4395
Conversation
nixpanic
added
ci/skip/e2e
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions. |
|
@Mergifyio rebase |
✅ Branch has been successfully rebased |
|
/test ci/centos/k8s-e2e-external-storage/1.29 |
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/mini-e2e-helm/k8s-1.29 |
|
/test ci/centos/upgrade-tests-rbd |
|
/test ci/centos/mini-e2e/k8s-1.29 |
|
/test ci/centos/k8s-e2e-external-storage/1.27 |
|
/test ci/centos/k8s-e2e-external-storage/1.28 |
|
/test ci/centos/mini-e2e-helm/k8s-1.27 |
|
/test ci/centos/mini-e2e-helm/k8s-1.28 |
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
/test ci/centos/mini-e2e/k8s-1.28 |
| kind: ClusterRoleBinding | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: "{{ .ServiceAccount }}-role" |
There was a problem hiding this comment.
why no hardcoded name for clusterRoleBinding?
There was a problem hiding this comment.
Because we allow the user to pick a name for the service account. I think it is nice to have names of roles easily related with service accounts. If you prefer a different naming convention, can you give a suggestion?
There was a problem hiding this comment.
i dont have any preference but just wanted to know why this flexibility for users here but for Role/ClusterRole names.
| kind: RoleBinding | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| metadata: | ||
| name: "{{ .ServiceAccount }}-role-cfg" |
There was a problem hiding this comment.
I have approved this one. However, I have not witnessed any operator directly creating the Roles or ClusterRoles. This is a security concern, and in most cases, admins create them after reviewing the YAML or CSV files. someone needs to write one tool as they require it.
Signed-off-by: Niels de Vos <ndevos@ibm.com>
Signed-off-by: Niels de Vos <ndevos@ibm.com>
Signed-off-by: Niels de Vos <ndevos@ibm.com>
Signed-off-by: Niels de Vos <ndevos@ibm.com>
|
/test ci/centos/k8s-e2e-external-storage/1.27 |
|
/test ci/centos/k8s-e2e-external-storage/1.29 |
|
/test ci/centos/mini-e2e-helm/k8s-1.27 |
|
/test ci/centos/mini-e2e-helm/k8s-1.29 |
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
/test ci/centos/mini-e2e/k8s-1.29 |
|
/test ci/centos/upgrade-tests-rbd |
|
/test ci/centos/k8s-e2e-external-storage/1.28 |
|
/test ci/centos/mini-e2e-helm/k8s-1.28 |
|
/test ci/centos/mini-e2e/k8s-1.28 |
Describe what this PR does
Extend the Ceph-CSI deployment API with functions to get the RBAC permissions for the NFS-provisioner.
Is there anything that requires special attention
Projects that deploy the NFS-provisioner can now use the Go API to vendor the RBAC (ServiceAccount, roles and role-bindings) instead of maintaining their own copy of YAML files.
Future concerns
This PR is only for NFS-provisioner permissions. Other deployment artifacts or provisioner backends will be done in separate PRs.
Checklist:
guidelines in the developer
guide.
Request
notes
updated with breaking and/or notable changes for the next major release.
Show available bot commands
These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:
/retest ci/centos/<job-name>: retest the<job-name>after unrelatedfailure (please report the failure too!)