Add the ability to ignore cluster scoped resources. #187
Conversation
jetstack-bot
added
the
dco-signoff: yes
|
Hi @knutejohKLP. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
jetstack-bot
added
needs-ok-to-test
|
/cc @JoshVanL |
jetstack-bot
added
dco-signoff: no
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: knutejohKLP The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
knutejohKLP
force-pushed
the
feature/ignore-cluster-resources
branch
from
47091c4
to
7c07ce2
Compare
jetstack-bot
added
dco-signoff: yes
…ill generally be handled seperatly in a multitenant enviornment. Signed-off-by: Knut-Erik Johnsen <knut-erik.johnsen@klp.no>
knutejohKLP
force-pushed
the
feature/ignore-cluster-resources
branch
from
7c07ce2
to
0b98cb1
Compare
Signed-off-by: Knut-Erik Johnsen <knut-erik.johnsen@klp.no>
|
/cc @SgtCoDFish |
|
/ok-to-test |
jetstack-bot
added
ok-to-test
and removed
needs-ok-to-test
|
Hey, I'm sorry but I don't have the bandwidth to review this right now. I'll raise it with the other maintainers and hopefully someone can take a look! |
| @@ -21,3 +22,4 @@ rules: | |||
| - "tokenreviews" | |||
There was a problem hiding this comment.
Does this actually work? istio-csr requires the ability to perform a TokenReview... so by not granting this permission, it surely won't be able to do anything?
There was a problem hiding this comment.
The idea here is that the deployments on the cluster level, the role and the rolebinding, could be handled outside of this deployment. We are running multiple deployments of istio and istio-csr in our clusters, but these resources can only be set once, so we can't use the helmtemplates as they are right now. For a single deployment, this should always be created, which is why the default is false on the setting.
| @@ -1,3 +1,4 @@ | |||
| {{- if not .Values.ignoreClusterResources }} | |||
| kind: ClusterRole | |||
There was a problem hiding this comment.
For this namespaced approach, you are still going to need to grant these permissions on a per namespace basis right? So keeping this ClusterRole would allow users to create namespace-scoped RoleBindings in each namespace that they want enabling for istio-csr use.
Is there a reason to not deploy the ClusterRole? Otherwise this will lead to 1) duplicated resources (everyone needs to create a RoleBinding in every namespace) and 2) uncertainty, as users won't know what permissions to grant in those Roles.
There was a problem hiding this comment.
If we leave the clusterrole, we can't use the helm charts for more than one deployment, as they will get the same name. The deployments will complain about resources that already exists. The idea is that anything on the clusterlevel is handled outside of this helm chart when running in a multitenant setup. and that the helm charts focus on a single namespace.
|
Any more feedback on this issue? |
|
/retest |
jetstack-bot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@knutejohKLP: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
These resources will generally be handled seperatly in a multitenant enviornment. This also gives the ability to control where the service account can create the configmaps, as clusterwide read/write on configmaps could be to broad access for security reasons.
Signed-off-by: Knut-Erik Johnsen knut-erik.johnsen@klp.no