-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Include CRD viewer and editor roles in kustomization file? #3782
Comments
Hi @joelanford, Thank you for bringing this to our attention. Upon initial consideration, I saw merit in the suggestion as a means to ensure syntax correctness during test executions. However, after a moment of reflection, I chose to delete my previous comment and remove the label to prevent any confusion. The purpose of those scaffolds
So, why should we add those to the kustomize configuration for the Manager? What advantages would it bring for the users to have these applied when we deploy the manager? What is the use case? To be honest, I also do not know how much value these rules bring, since their purpose is not very clear. I wonder if we should actually not remove them in a future version. WDYT? |
I had the same understanding as the stated purpose you mention. I'm not opposed to removing them in a future version, but I also see the value in them. If these scaffolds were in the kustomization file and did get applied as part of the installation, there would be one less step for cluster admins to provide access to the APIs of a newly installed controller. An admin would just have to create (cluster)rolebindings that reference them. Without these, an admin would have to also manually create them or derive them some other way. I would propose one of the following:
If we choose options 1 or 2, we could explain the purpose of them in the kustomization file or as a comment in the RBAC YAML. |
Hi @joelanford Yep, I go along with your thoughts. Honest, I cannot think how option 1 could bring any harm. Furthermore, I think it would be great to have comments in the kustomize where those are applied to try to bring clarity about their purpose. Therefore, I think I am fine either with us moving forward with option 1:
It seems a good one for the first good issues, too. |
Hi @camilamacedo86, I'd like to help with this issue, and want to comfirm: How/When should a. By Lines 45 to 63 in 8afeb40
b. By create api . We might implement it after CRDEditorRole and CRDViewerRole are generated:
kubebuilder/pkg/plugins/common/kustomize/v2/scaffolds/api.go Lines 64 to 104 in 8afeb40
Please correct me if I misunderstood. Any additional suggestions would be appreciated. |
Hi @lunarwhite, First, that is great. We appreciate your help. |
/assign |
What do you want to happen?
When I create a new API, kubebuilder automatically generates viewer and editor roles that could be used to give end users access to the API.
However, it doesn't look like Kubebuilder adds references to these new files in the
./config/rbac/kustomization.yaml
file, which means they don't end up being applied as part of the kustomize build + kubectl command.It would be nice if Kubebuilder automatically added these to the kustomization file when it creates them.
Extra Labels
No response
The text was updated successfully, but these errors were encountered: