Ensure postgresclusters are available to admin/edit/view clusterroles #49
@sathieu The commit message is fairly sparse. What is the rationale for this change? Similarly, I believe if we included this, we'd have to do so on the kustomize based installer too.
5688126 to bbafac2
@jkatz, I've added the kustomize part. I've not tested this part. I've also added a You can see more info on aggregated roles by following the included links. My use case is to allow a user having the admin role in a namespace to be able to create a postgresql cluster. This user already has permission to create deployments, pods, ... in the namespace so this is not a privilege escalation.
@jkatz Happy new year 🎉! Anything I can do to move this PR forward?
@sathieu Happy New Year! 🎉 Let me discuss with a few folks around what makes sense.
bbafac2 to c2e79a9
@jkatz I've rebased (and resolved a conflict). Anything I can do to move this forward?
See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles Signed-off-by: Mathieu Parent <math.parent@gmail.com>
c2e79a9 to d7f0c8b
@jkatz Please review (I've rebased). IMO it makes sense to allow users with access to a namespace to have the same access to PGO resources. Quoting from doc:
See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
Maintainer edit: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
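For reference, this is what the aggregation mechanism in the linked Kubernetes documentation looks like when applied to PGO's resource. It is an added example, not the manifests from this PR: the role names are hypothetical, and the API group `postgres-operator.crunchydata.com` and the verb split between the roles are assumptions.

```yaml
# Added example, not taken from this PR.
# Role names are hypothetical; API group and verb lists are assumptions.

# Read/write access: the aggregation controller merges these rules into
# the built-in "admin" and "edit" ClusterRoles (one label per target role).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: postgrescluster-edit            # hypothetical name
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
  - apiGroups: ["postgres-operator.crunchydata.com"]   # assumed PGO API group
    resources: ["postgresclusters"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]
---
# Read-only access: merged into the built-in "view" ClusterRole only.
# No write verbs here, so holders of "view" cannot create or modify clusters.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: postgrescluster-view            # hypothetical name
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups: ["postgres-operator.crunchydata.com"]   # assumed PGO API group
    resources: ["postgresclusters"]
    verbs: ["get", "list", "watch"]
```

Aggregation is cluster-wide: every existing RoleBinding or ClusterRoleBinding to `admin`, `edit` or `view` picks up these rules as soon as the labelled roles are applied, so the verb list on each role is the thing to review.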