document rbac setup #880
Comments
|
Permission whack-a-mole at one step. We should probably create a role or whatever the RBAC concept is to hold all the needed permissions in one bundle.. |
|
Yep, each different API server should probably have it's equivalent of the bootstrap policy -- minimal policy required for the API server and controllers to function. Feel free to assign me to this one as well. |
|
@liggitt @DirectXMan12 here's a basic summary of the RBAC after installing the service catalog and doing some operations. (running our very basic e2e tests, manually doing some create and get and delete of objects). I hope we can use some of this to start and then go look in the code to find the full set of operations once I understand how to make a role and package it up. https://gist.github.com/MHBauer/1c2a2d2a2f7122bad9f20edda8d4a9a3 |
|
updated gist |
|
WIP RBAC objects at https://gist.github.com/liggitt/ded7f8abb305b5545258e560df667009 things you'd probably want to make variables:
also, you'll want to make the service-catalog-controller do leader election on an object within it's own namespace, not hard-coded to kube-system (and ideally use an object other than an endpoint object) there are a few other TODOs as well, and it's possible once you get past the initial startup, more API operations will be attempted and you'll need to add to these, but this should be a solid start @deads2k, we'll likely want a role that encompasses the permissions required for a standard admission chain (get/list/watch on namespaces, notably) |
|
With #936 in I think this is done enough. Updates can be made to the merged configuration, and new issues can be created when found. |
I've talked with @DirectXMan12 in the past about this and am trying to get it working and document it.
The text was updated successfully, but these errors were encountered: