Possibility to configure RBAC #24
Comments
@ONordander Trying to understand your problem. Is it the RBAC for the service account that is needed for the Job that you create by using this provider, or are you referring to the RBAC for the provider itself? It would be good to give some concrete example.
Hey @morningspace, thanks for responding. For example, if I want to give the provider the permission to create secrets I can do that declaratively by creating a new ServiceAccount, however that ServiceAccount will not have the correct permissions to handle the provider objects itself e.g.
Ah, the provider uses cc: @turkenh for any comment on that.
I understand, I'll see if I can find any open issues in the main Crossplane repository first.
Currently, the best solution we have is something like this: https://github.com/crossplane-contrib/provider-kubernetes/blob/main/examples/provider/config-in-cluster.yaml#L5 You can also pass an alternative SA via controller config https://doc.crds.dev/github.com/crossplane/crossplane/pkg.crossplane.io/ControllerConfig/v1alpha1@v1.6.3#spec-serviceAccountName There is also a related PR: crossplane/crossplane#2880
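The ControllerConfig route mentioned in the comment above, written out as an added example (not taken from the thread or from the provider-kubernetes repository): a ServiceAccount with a fixed name, bound to a ClusterRole that covers the provider's own API group plus only the workload type it should manage. The object names, the `crossplane-system` namespace, the package placeholder and the exact rule list are assumptions; extend the rules (for example with Secrets) to match what your provider version and resources actually need.

```yaml
# Added example. All names below are hypothetical.
apiVersion: v1
kind: ServiceAccount
metadata: {name: provider-kubernetes-jobs, namespace: crossplane-system}
---
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata: {name: provider-kubernetes-jobs}
spec:
  serviceAccountName: provider-kubernetes-jobs   # deterministic SA name
---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata: {name: provider-kubernetes}
spec:
  package: "<provider-kubernetes package image>"  # placeholder, fill in your own
  controllerConfigRef:
    name: provider-kubernetes-jobs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: provider-kubernetes-jobs}
rules:
  # The provider's own API group (Object, ProviderConfig, ...).
  - apiGroups: ["kubernetes.crossplane.io"]
    resources: ["*"]
    verbs: ["*"]
  # Events emitted by the controller (assumed requirement).
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "update", "patch"]
  # Leader-election leases (assumed requirement).
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # The workload from this issue: Jobs only, not cluster-admin.
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: provider-kubernetes-jobs}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: provider-kubernetes-jobs}
subjects:
  - kind: ServiceAccount
    name: provider-kubernetes-jobs
    namespace: crossplane-system
```

After applying, `kubectl auth can-i create jobs --as=system:serviceaccount:crossplane-system:provider-kubernetes-jobs` confirms the grant, and the same check against a resource you did not list should return `no`.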
@turkenh |
Sadly crossplane/crossplane#2880 has not been merged, so it might make sense to re-open this. It would definitely be great to have! |
What problem are you facing?
I'm trying to use `provider-kubernetes` to create Kubernetes Jobs, however the RBAC settings for the used ServiceAccount won't allow it. I can specify a ServiceAccount to use but then I also need to manually add the RBAC settings for my resources as well as the CRDs from this package.
How could Crossplane help solve your problem?
Ability to somehow configure RBAC settings for the provider without having to create an extra ServiceAccount.
I suppose it would also be okay if the created ServiceAccount was deterministic (for example by specifying the name).
Then we could just add extra Roles on top of the pre-existing ones.