Enhance controller RBAC and helm charts generation #495
a553b85 to 461dae8
/retest
461dae8 to 64b2d45
This patch enhances the permissions for controllers with the addition of multi-namespace watch mode. The controllers now have more fine-grained permissions, enabling them to watch specific namespaces exclusively.

Key changes:
- Refactored helm chart generation tooling, especially Roles and ClusterRoles
- Addressed a bug where the RoleBinding was incorrectly assigning the roles into a different namespace when the controller was installed in a namespace that is different from the one it monitored.

Notable features:
- We start generating one Role/RoleBinding for each monitored namespace.
- We introduced separate Role and ClusterRoles for the CARM feature (prefixed with ack-*-cache)

Less importantly we are replacing some bash-fu that used to inject RBAC rules into Roles and ClusterRoles, with a different bash-fu that allows reusing rules for different Roles.

Signed-off-by: Amine Hilaly <[email protected]>
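The namespace placement this commit message describes, as an added Go example that is not code from this pull request or from the project: a RoleBinding grants access only in its own namespace, so the sketch emits one binding per watched namespace and audits a layout for grants that land outside that set. The types, function names and the namespaces `ack-system`, `team-a` and `team-b` are constructed for illustration.

```go
package main

import "fmt"

// Binding models the RoleBinding fields that decide where access lands.
type Binding struct {
	Namespace string // metadata.namespace: the only namespace the grant covers
	SubjectNS string // namespace of the controller ServiceAccount subject
}

// Generate emits one binding per watched namespace. The binding lives in the
// watched namespace; only its subject points back at the install namespace.
func Generate(installNS string, watched []string) []Binding {
	var out []Binding
	for _, ns := range watched {
		out = append(out, Binding{Namespace: ns, SubjectNS: installNS})
	}
	return out
}

// Audit lists bindings that grant access outside the watched set or name the
// wrong subject namespace, then watched namespaces that no binding covers.
func Audit(installNS string, watched []string, bs []Binding) []string {
	want, covered := map[string]bool{}, map[string]bool{}
	for _, ns := range watched {
		want[ns] = true
	}
	var findings []string
	for _, b := range bs {
		covered[b.Namespace] = true
		if !want[b.Namespace] {
			findings = append(findings, "grant outside watched set: "+b.Namespace)
		}
		if b.SubjectNS != installNS {
			findings = append(findings, "subject not in install namespace: "+b.Namespace)
		}
	}
	for _, ns := range watched {
		if !covered[ns] {
			findings = append(findings, "watched namespace not covered: "+ns)
		}
	}
	return findings
}

func main() {
	watched := []string{"team-a", "team-b"} // constructed sample namespaces
	fmt.Println(Audit("ack-system", watched, Generate("ack-system", watched)))
	// Constructed faulty layout: the only binding sits in the install namespace.
	fmt.Println(Audit("ack-system", watched, []Binding{{Namespace: "ack-system", SubjectNS: "ack-system"}}))
}
```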
64b2d45 to 57b6636
@a-hilaly: The following test failed, say
/retest
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: a-hilaly, ack-bot
Too many hiccups from DynamoDB API... Merging manually as it's not related to this change.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.