Generated aggregated cluster roles contains group id in resource name #730

Closed
lulf opened this issue Feb 27, 2019 · 2 comments

lulf commented Feb 27, 2019

I'm facing an issue I'm not sure is due to a bug in my CSV or an inconsistency in the CSV format. Basically my api service resource is defined like this:

    - containerPort: 8443
      deploymentName: api-server
      description: A group of messaging addresses that can be accessed via the same
        endpoint
      displayName: Address Space
      group: enmasse.io
      kind: AddressSpace
      name: addressspaces.enmasse.io

Notice the name has the group id at the end, which is the same as for CRDs. However, the generated clusterrole looks like this:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      creationTimestamp: 2019-02-27T12:08:24Z
      labels:
        olm.opgroup.permissions/aggregate-to-view: global-operators
        rbac.authorization.k8s.io/aggregate-to-view: "true"
      name: addressspaces.enmasse.io-v1beta1-view
      ownerReferences:
      - apiVersion: operators.coreos.com/v1alpha1
        blockOwnerDeletion: false
        controller: false
        kind: ClusterServiceVersion
        name: enmasse.0.27.0
        uid: 56e66e37-3a88-11e9-9dcb-06c33046a312
      resourceVersion: "32281"
      selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/addressspaces.enmasse.io-v1beta1-view
      uid: 62025220-3a88-11e9-9dcb-06c33046a312
    rules:
    - apiGroups:
      - enmasse.io
      resources:
      - addressspaces.enmasse.io
      verbs:
      - get
      - list
      - watch

As you can see the 'resources' contains the group id here as well, which prevents RBAC from working.

I will try to remove the group id for the name of the apiservice objects, which I expect will fix the issue. It would be good if:

  • CRDs and apiservice objects had the same format for name
  • operator-courier validates apiservice objects.

@ecordell
Member

> I will try to remove the group id for the name of the apiservice objects, which I expect will fix the issue.

Doing this should generate the correct clusterroles.

> CRDs and apiservice objects had the same format for name

Agreed - and we have issues in our backlog for cleaning up these APIs


lulf commented Mar 1, 2019

This resolves the issue, thanks. Closing this as you already have this on your backlog.

lulf closed this as completed Mar 1, 2019
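An added example, not part of the original thread and not operator-courier's own code: a small Python lint for the mismatch reported above, checking both the owned apiservice definitions of a CSV and the rules of a generated ClusterRole. The function names are hypothetical, and the inputs are constructed dicts reduced from the YAML quoted in the issue.

```python
# Added example: lint for the group suffix problem described in this issue.
# Field names follow the CSV snippet and ClusterRole quoted in the thread;
# the function names are hypothetical, not operator-courier's API.

def check_apiservice_definitions(owned):
    """Flag owned apiservice definitions whose name carries the group suffix.

    Applies to apiservice definitions only; CRD names do include the group.
    """
    findings = []
    for d in owned:
        name, group = d.get("name", ""), d.get("group", "")
        if group and name.endswith("." + group):
            findings.append(
                f"{d.get('kind', '?')}: name '{name}' ends with group "
                f"'{group}'; without the group it is '{name[: -len(group) - 1]}'"
            )
    return findings


def check_cluster_role(role):
    """Flag RBAC rule resources that end with one of the rule's apiGroups."""
    findings = []
    for rule in role.get("rules", []):
        for res in rule.get("resources", []):
            plural = res.split("/", 1)[0]  # ignore a subresource such as /status
            for group in rule.get("apiGroups", []):
                if group and plural.endswith("." + group):
                    findings.append(
                        f"{role['metadata']['name']}: resource '{res}' "
                        f"includes apiGroup '{group}'"
                    )
    return findings


# Constructed inputs, reduced from the YAML quoted in the issue.
OWNED_BAD = [{"group": "enmasse.io", "kind": "AddressSpace",
              "name": "addressspaces.enmasse.io"}]
OWNED_FIXED = [{"group": "enmasse.io", "kind": "AddressSpace",
                "name": "addressspaces"}]
ROLE_BAD = {
    "metadata": {"name": "addressspaces.enmasse.io-v1beta1-view"},
    "rules": [{"apiGroups": ["enmasse.io"],
               "resources": ["addressspaces.enmasse.io"],
               "verbs": ["get", "list", "watch"]}],
}

if __name__ == "__main__":
    for line in check_apiservice_definitions(OWNED_BAD) + check_cluster_role(ROLE_BAD):
        print(line)
```

Running the ClusterRole check against roles already on a cluster catches the symptom; running the CSV check before publishing catches the cause.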