aleveille/octant-dashboard-turnkey

Add a way to override default cluster role rules instead of just adding additional rules

longwa opened this issue · 4 comments

We want to deploy Octant without the ability for people to view Secrets.

Since ClusterRole rules are additive and the default rules grant * already, it doesn't seem possible to override this.

It would be nice to just have the ability to provide your own initial rules block instead of just the ability to provide additional rules. I'm happy to submit a PR if that makes sense.

Hi @longwa

Yes, that's an interesting feature. Please submit a PR; I'll gladly review it and merge. May I suggest externalizing all rules from the cluster role into the value file? Therefore, instead of additionalRules, we could simply have rules, with the default being what's already in the ClusterRole.rules right now.

Yes, that was my thought as well.

The other option would be to just allow an existingClusterRole option in values.yaml and let people create their own ClusterRole outside the chart (similar to how many charts have existingClaim for persistence) and reference it. In this case, the chart would skip creating the ClusterRole completely and just assign the one given in the ClusterRoleBinding.

Do you have a preference?

My preference sides with externalizing the rules only, into a rules property in values.yaml. Thanks for asking!

Merged in master
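Why appending rules cannot hide Secrets while replacing the rules can, as an added example that is not code from this chart or from the thread's participants: a simplified model of Kubernetes RBAC matching (no resourceNames, subresources or nonResourceURLs). The three rule sets are constructed stand-ins; the chart's real defaults are not shown on this page.

```python
# Added example: simplified Kubernetes RBAC rule evaluation.
# Rule dicts use the ClusterRole field names apiGroups / resources / verbs.

def _matches(allowed, value):
    # "*" in a rule field matches any value for that field.
    return "*" in allowed or value in allowed

def rule_allows(rule, api_group, resource, verb):
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))

def is_allowed(rules, api_group, resource, verb):
    # RBAC is allow-only: a request passes if ANY rule matches.
    # There is no deny rule, so extra rules can only widen access.
    return any(rule_allows(r, api_group, resource, verb) for r in rules)

def rules_granting(rules, api_group, resource, verbs=("get", "list", "watch")):
    # (rule index, verb) for every rule that grants the given access.
    return [(i, v) for i, r in enumerate(rules) for v in verbs
            if rule_allows(r, api_group, resource, v)]

READ = ["get", "list", "watch"]

# Constructed stand-in for a wildcard default rule block (assumption).
DEFAULT_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": READ}]

# Constructed rule of the kind an "additional rules" value would append.
ADDITIONAL_RULES = [{"apiGroups": [""], "resources": ["pods"], "verbs": READ}]

# Constructed replacement block: resources are enumerated and "secrets" is
# left out, because RBAC has no "everything except" syntax.
REPLACEMENT_RULES = [
    {"apiGroups": [""], "resources": ["pods", "services", "configmaps",
                                      "namespaces", "events"], "verbs": READ},
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets",
                                          "statefulsets", "daemonsets"], "verbs": READ},
]

def audit():
    # Can each rule set read Secrets (core API group is the empty string)?
    return {
        "default": is_allowed(DEFAULT_RULES, "", "secrets", "get"),
        "default+additional": is_allowed(DEFAULT_RULES + ADDITIONAL_RULES, "", "secrets", "get"),
        "replacement": is_allowed(REPLACEMENT_RULES, "", "secrets", "get"),
    }

if __name__ == "__main__":
    for name, can_read in audit().items():
        print(f"{name}: secrets readable = {can_read}")
```

To check the role a live cluster actually ended up with, `kubectl auth can-i get secrets --as=system:serviceaccount:<namespace>:<serviceaccount>` answers the same question against the API server.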