Limit privilege scope for Compass Manager #167
Conversation
kyma-bot
added
cla: yes
kyma-bot
added
size/M
kyma-bot
added
size/L
| @@ -2,7 +2,7 @@ | |||
| # Image URL to use all building/pushing image targets | |||
| IMG ?= compass-manager:latest | |||
| # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. | |||
| ENVTEST_K8S_VERSION = 1.26.0 | |||
| ENVTEST_K8S_VERSION = 1.28.0 | |||
There was a problem hiding this comment.
could we use highest currently supported by our gardener, 1.29.3?
There was a problem hiding this comment.
Compass Manager was tested to support the 1.28.x version (the same version as in our enviroments)
| @@ -10,6 +10,7 @@ metadata: | |||
| app.kubernetes.io/part-of: compass-manager | |||
| app.kubernetes.io/managed-by: kustomize | |||
| name: compassmanager-editor-role | |||
| namespace: kcp-system | |||
There was a problem hiding this comment.
Could we maybe set all the namespaces with a kustomize, if multiple resources have the same namespace?
There was a problem hiding this comment.
We can leave this as it is. It increase the readability of the resources. But in our environment charts I used the Kustomize to fill this field.
config/rbac/role_binding.yaml
Outdated
| @@ -1,5 +1,5 @@ | |||
| apiVersion: rbac.authorization.k8s.io/v1 | |||
| kind: ClusterRoleBinding | |||
| kind: RoleBinding | |||
| metadata: | |||
| labels: | |||
| app.kubernetes.io/name: clusterrolebinding | |||
There was a problem hiding this comment.
this is no longer a ClusterRoleBinding
| @@ -1,18 +1,10 @@ | |||
| --- | |||
| apiVersion: rbac.authorization.k8s.io/v1 | |||
| kind: ClusterRole | |||
| kind: Role | |||
| metadata: | |||
There was a problem hiding this comment.
Shouldn't this role also have labels connecting it with compass-manager?
Description
Limit scope for Compass Manager from cluster-wide to namespace-wide (kcp-system) privileges
Changes proposed in this pull request:
ClusterRoletoRoleRelated issue(s)
#155