kube-object-storage/lib-bucket-provisioner

OBC provisioning requires permissions on any Secrets and ConfigMaps in the cluster

Opened this issue · 1 comments

The problem is that this is a very intrusive permission to request on a cluster, but without it the operator would not be able to reconcile an OBC on any namespace and make the secret/CM for the application.

From the rook common example for RBAC:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: rook-ceph-object-bucket
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rook-ceph-object-bucket
subjects:
  - kind: ServiceAccount
    name: rook-ceph-system
    namespace: rook-ceph

Is this too powerful for a typical cluster operator?
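As an added example (not code from lib-bucket-provisioner or Rook), here is a small RBAC audit that looks at the question above from the cluster operator's side: given ClusterRoles and ClusterRoleBindings in the shape `kubectl get ... -o json` returns, it flags roles that can write Secrets/ConfigMaps cluster-wide and lists the subjects that hold them. The ClusterRole rules are an assumption of what the OBC provisioner needs; the binding is the one quoted in the issue.

```python
# Added example, not lib-bucket-provisioner or Rook code: flag ClusterRoles that grant
# cluster-wide write access to Secrets/ConfigMaps and list the subjects that hold them.
SENSITIVE = {"secrets", "configmaps"}
WRITE_VERBS = {"create", "update", "patch", "delete", "*"}

# Constructed input shaped like `kubectl get clusterroles,clusterrolebindings -o json`.
# The rules are an assumption of what the OBC provisioner needs; the binding is the
# one quoted in the issue.
CLUSTER_ROLES = [{
    "metadata": {"name": "rook-ceph-object-bucket"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets", "configmaps"],
         "verbs": ["get", "create", "update", "delete"]},
        {"apiGroups": ["objectbucket.io"], "resources": ["*"], "verbs": ["*"]}]}]
CLUSTER_ROLE_BINDINGS = [{
    "metadata": {"name": "rook-ceph-object-bucket"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                "name": "rook-ceph-object-bucket"},
    "subjects": [{"kind": "ServiceAccount", "name": "rook-ceph-system",
                  "namespace": "rook-ceph"}]}]

def sensitive_write_roles(cluster_roles):
    """Return {ClusterRole name: {(resource, verb)}} for Secret/ConfigMap write rules."""
    found = {}
    for role in cluster_roles:
        for rule in role.get("rules", []):
            if not set(rule.get("apiGroups", [])) & {"", "*"}:
                continue  # Secrets and ConfigMaps live in the core ("") API group
            resources = set(rule.get("resources", []))
            hits = SENSITIVE if "*" in resources else SENSITIVE & resources
            verbs = WRITE_VERBS & set(rule.get("verbs", []))
            if hits and verbs:
                found.setdefault(role["metadata"]["name"], set()).update(
                    (r, v) for r in hits for v in verbs)
    return found

def cluster_wide_subjects(cluster_roles, bindings):
    """Map each flagged ClusterRole to the subjects bound to it by a ClusterRoleBinding."""
    flagged = sensitive_write_roles(cluster_roles)
    report = {}
    for b in bindings:
        ref = b["roleRef"]
        # A RoleBinding to the same ClusterRole would scope it to one namespace; only a
        # ClusterRoleBinding makes the Secret/ConfigMap grant cluster-wide.
        if ref["kind"] == "ClusterRole" and ref["name"] in flagged:
            report.setdefault(ref["name"], []).extend(
                "%s:%s/%s" % (s["kind"], s.get("namespace", "-"), s["name"])
                for s in b.get("subjects", []))
    return report
```

Running `cluster_wide_subjects(CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS)` on the constructed input reports the rook-ceph-system service account as holding cluster-wide Secret/ConfigMap writes, which is exactly the grant the issue is asking about.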