Default subnamespace permissions
Closed this issue · 4 comments
Each time I install HNC, I give permissions to the clusterRole/edit on the HNC custom resources.
It allows the clients to create their own subnamespaces if they have at least the edit role:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: hnc-edit
rules:
- apiGroups:
  - hnc.x-k8s.io
  resources:
  - hierarchyconfigurations
  - hierarchicalresourcequotas
  - subnamespaceanchors
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - hnc.x-k8s.io
  resources:
  - hierarchicalresourcequotas
  - subnamespaceanchors
  verbs:
  - create
  - update
  - patch
  - delete
```
So I'm wondering, should I create a PR so it would be like that by default?
Yes, I think it makes sense. Maybe add permissions to the other default aggregated cluster roles (view, admin and cluster-reader) also?
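An added example, not part of the thread or of HNC's own code: a small audit that reads ClusterRoles in the JSON shape returned by `kubectl get clusterrole -o json` and reports which HNC verbs each `aggregate-to-*` label feeds into the built-in roles, flagging any non-read verb that reaches `view`. The `hnc-view` role in the sample is hypothetical and deliberately misconfigured; the function names are this example's own.

```python
import json

# Constructed sample: the hnc-edit role from the issue plus a hypothetical
# hnc-view role that wrongly carries a write verb (not from the HNC project).
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "hnc-edit", "labels":
    {"rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
  "rules": [
   {"apiGroups": ["hnc.x-k8s.io"],
    "resources": ["hierarchyconfigurations", "hierarchicalresourcequotas",
                  "subnamespaceanchors"],
    "verbs": ["get", "list", "watch"]},
   {"apiGroups": ["hnc.x-k8s.io"],
    "resources": ["hierarchicalresourcequotas", "subnamespaceanchors"],
    "verbs": ["create", "update", "patch", "delete"]}]},
 {"metadata": {"name": "hnc-view", "labels":
    {"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
  "rules": [
   {"apiGroups": ["hnc.x-k8s.io"], "resources": ["subnamespaceanchors"],
    "verbs": ["get", "list", "watch", "delete"]}]}
]}
""")

PREFIX = "rbac.authorization.k8s.io/aggregate-to-"
READ_ONLY = {"get", "list", "watch"}

def aggregated_grants(roles, api_group="hnc.x-k8s.io"):
    """Map each aggregation target (edit, view, ...) to {resource: verbs}."""
    grants = {}
    for role in roles["items"]:
        labels = role["metadata"].get("labels") or {}
        targets = [k[len(PREFIX):] for k, v in labels.items()
                   if k.startswith(PREFIX) and v == "true"]
        for rule in role.get("rules") or []:
            if api_group not in rule.get("apiGroups", []):
                continue
            for target in targets:
                for res in rule.get("resources", []):
                    grants.setdefault(target, {}).setdefault(res, set()).update(rule["verbs"])
    return grants

def write_verbs_in_view(grants):
    """Return {resource: non-read verbs} that aggregation adds to `view`."""
    return {res: verbs - READ_ONLY
            for res, verbs in grants.get("view", {}).items() if verbs - READ_ONLY}

if __name__ == "__main__":
    print(write_verbs_in_view(aggregated_grants(SAMPLE)))
```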
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
You can:
- Mark this issue as fresh with `/remove-lifecycle stale`
- Close this issue with `/close`
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
You can:
- Mark this issue as fresh with `/remove-lifecycle rotten`
- Close this issue with `/close`
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
merged