mittwald/kubernetes-replicator

Configurable object types only being replicated

Closed this issue · 4 comments

MansM commented

Is your feature request related to a problem? Please describe.
Due to security/risk limitations I had to bolt down the permissions of kubernetes-replicator to only allow syncing of certain secrets; the log is now full of messages about not being allowed to access certain object types:

E0628 06:47:18.420095       1 reflector.go:148] pkg/mod/k8s.io/client-go@v0.27.3/tools/cache/reflector.go:231: Failed to watch *v1.RoleBinding: failed to list *v1.RoleBinding: rolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:openshift-config:replicator-kubernetes-replicator" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
W0628 06:47:22.329545       1 reflector.go:533] pkg/mod/k8s.io/client-go@v0.27.3/tools/cache/reflector.go:231: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-config:replicator-kubernetes-replicator" cannot list resource "configmaps" in API group "" at the cluster scope
E0628 06:47:22.329636       1 reflector.go:148] pkg/mod/k8s.io/client-go@v0.27.3/tools/cache/reflector.go:231: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:openshift-config:replicator-kubernetes-replicator" cannot list resource "configmaps" in API group "" at the cluster scope

Describe the solution you'd like
env variables that allow you to exclude object types (to not break backwards compatibility)

Describe alternatives you've considered
config file isn't needed now, so why make it

Hey Mans; thanks for the suggestion, this absolutely makes sense. 👍 Maybe we could integrate this with the Helm chart values, so that we can prevent the respective RBAC rules from being deployed in the first place when using the Helm chart.

I cannot make any promises as to when someone will actually get to this; in the meantime, PRs are of course always welcome. 🙂

MansM commented

we might come with a PR soon. Need to discuss with some coworkers.

just to be sure:

  • we need to have some sort of flag parser that parses the list of comma-separated excluded object types, or an env variable parser
  • some if statement to prevent replicator creation for unwanted object types
  • some if statements around the run() for each object type?
  • some if statements for the liveness probe

(maybe refactor to go per object type instead of per step (creation, run, etc))

Am I missing something?
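One way to implement the parser and the single gate the list above describes, as an added Go example that is not code from the kubernetes-replicator project: the EXCLUDED_OBJECT_TYPES variable name, the object-type list and the function names are assumptions. Resolving the enabled set once, before any replicator is constructed, means creation, run() and the liveness probe all consult the same answer, and the controller never issues list/watch calls for kinds its ServiceAccount is not allowed to read.

```go
package main

import (
	"fmt"
	"strings"
)

// ObjectType is a replicated resource kind, named as in the log lines above.
type ObjectType string

// AllObjectTypes is an assumed list of kinds the replicator can watch;
// the real project's list may differ.
var AllObjectTypes = []ObjectType{"secrets", "configmaps", "roles", "rolebindings", "serviceaccounts"}

// ParseExcluded turns a comma-separated list such as "configmaps, rolebindings"
// (e.g. the value of an assumed EXCLUDED_OBJECT_TYPES env variable) into a
// normalized set. An empty value excludes nothing, so existing deployments
// keep their current behaviour.
func ParseExcluded(raw string) map[ObjectType]bool {
	excluded := map[ObjectType]bool{}
	for _, part := range strings.Split(raw, ",") {
		if name := strings.ToLower(strings.TrimSpace(part)); name != "" {
			excluded[ObjectType(name)] = true
		}
	}
	return excluded
}

// EnabledObjectTypes returns, in stable order, the kinds a replicator should be
// created and run for. An unknown name in the exclusion list is an error, so a
// typo cannot silently leave a watch (and its RBAC requirement) enabled.
func EnabledObjectTypes(all []ObjectType, excluded map[ObjectType]bool) ([]ObjectType, error) {
	known := map[ObjectType]bool{}
	for _, t := range all {
		known[t] = true
	}
	for t := range excluded {
		if !known[t] {
			return nil, fmt.Errorf("unknown object type in exclusion list: %q", t)
		}
	}
	enabled := []ObjectType{}
	for _, t := range all {
		if !excluded[t] {
			enabled = append(enabled, t)
		}
	}
	return enabled, nil
}
```

Startup code would call EnabledObjectTypes once, construct and run one replicator per returned kind, and have the liveness probe iterate the same slice.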

  • Just linking to an old issue as well - #80

Do you have something on a branch already? @MansM