How can I support configuration of controller with slices of rbac/v1 PolicyRules #2443
I'm building a controller that needs to accept the optional configuration of two slices of The problem is this.
I could pass the yaml blocks for those slices in a config map under two env var keys if base64-encoded. Is there a more elegant/idiomatic solution? Many thanks in advance!
Replies: 1 comment
Hi @mojochao,

First, it's essential to clarify a point about RBAC when working with Kubebuilder and Operators. The RBAC configuration pertains to the entire Operator project. It's not specified for each individual controller within the Operator. This means that when you set up permissions, it's at the broader Operator level rather than a specific controller.

Permission Consideration: An important thing to note is that by using this approach, your Manager will require permissions to manage Role and ClusterRole objects. Depending on your cluster's security policies, granting such permissions might raise concerns, so you'll need to evaluate this aspect carefully.

Following are some possible approaches/ideas:

Create an API/CRD and a Controller to manage the RBAC: One potential approach might be to define a custom CRD, let's call it Then, the controller responsible for reconciling the RBAConfig (i.e. RBAConfigController) would monitor instances of the

Use API Discovery to manage the RBACs when the manager initializes (cmd/main.go): You might use dynamic API discovery with something like:

```go
// ... other imports ...
import (
	"os"

	"k8s.io/client-go/discovery"
	"sigs.k8s.io/controller-runtime/pkg/client/config"
)

// ... in your main function ...
// Load the rest config (in-cluster or from kubeconfig); named cfg so it does
// not shadow the imported config package.
cfg, err := config.GetConfig()
if err != nil {
	// Handle error; setupLog is the scaffolded ctrl.Log.WithName("setup")
	setupLog.Error(err, "unable to load kubeconfig")
	os.Exit(1)
}
// Discovery client for listing the API groups and versions the server serves.
discoveryClient := discovery.NewDiscoveryClientForConfigOrDie(cfg)
apiGroups, err := discoveryClient.ServerGroups()
if err != nil {
	// Handle error
	setupLog.Error(err, "unable to discover server API groups")
	os.Exit(1)
}
for _, group := range apiGroups.Groups {
	// Examine group.Name, group.Versions, etc. to understand available APIs
	// Process as required
}
```

I hope that helps you out and answers your question
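As an added example (not from the original discussion nor from the Kubebuilder project), the following shows the alternative the question hints at: reading the two PolicyRule slices from a plain YAML/JSON file mounted from a ConfigMap instead of base64-encoded env vars, and rejecting over-broad rules up front, since with the approach above the Manager would otherwise write whatever it is handed into Role/ClusterRole objects. It assumes a hypothetical RulesConfig layout with roleRules/clusterRoleRules keys and uses a standard-library-only stand-in for rbacv1.PolicyRule so it runs offline (JSON input is fine because Kubernetes YAML is a superset of JSON).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PolicyRule mirrors k8s.io/api/rbac/v1 PolicyRule (same JSON field names) as a stdlib-only stand-in.
type PolicyRule struct {
	APIGroups []string `json:"apiGroups,omitempty"`
	Resources []string `json:"resources,omitempty"`
	Verbs     []string `json:"verbs"`
}

// RulesConfig is the hypothetical document holding the two optional slices, e.g. a ConfigMap key mounted as a file.
type RulesConfig struct {
	RoleRules        []PolicyRule `json:"roleRules,omitempty"`
	ClusterRoleRules []PolicyRule `json:"clusterRoleRules,omitempty"`
}

// denied: the wildcard plus the verbs that let a subject grant or assume permissions it does not hold.
var denied = map[string]bool{"*": true, "escalate": true, "bind": true, "impersonate": true}
// sampleConfig is a constructed document of the kind one ConfigMap key could carry.
const sampleConfig = `{"roleRules":[{"apiGroups":[""],"resources":["configmaps"],"verbs":["get","list","watch"]}],"clusterRoleRules":[{"apiGroups":["apps"],"resources":["deployments"],"verbs":["get","list"]}]}`

// LoadRulesConfig parses the document and rejects over-broad rules before the manager would write them into a Role or ClusterRole.
func LoadRulesConfig(data []byte) (*RulesConfig, error) {
	var cfg RulesConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, fmt.Errorf("parse rules config: %w", err)
	}
	for name, rules := range map[string][]PolicyRule{"roleRules": cfg.RoleRules, "clusterRoleRules": cfg.ClusterRoleRules} {
		for i, r := range rules {
			if len(r.Verbs) == 0 {
				return nil, fmt.Errorf("%s[%d]: verbs must not be empty", name, i)
			}
			for _, v := range r.Verbs {
				if denied[v] {
					return nil, fmt.Errorf("%s[%d]: verb %q is not allowed in configured rules", name, i, v)
				}
			}
			for _, res := range r.Resources {
				if res == "*" {
					return nil, fmt.Errorf("%s[%d]: wildcard resources are not allowed", name, i)
				}
			}
		}
	}
	return &cfg, nil
}
```

The Kubernetes API server already refuses to let a subject grant permissions it does not hold unless it has the escalate verb, so the check here is a pre-flight guard that keeps such requests from ever leaving the Manager.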