fix(kong): add RBAC rules for listing namespaces when gateway API is detected #974

Merged: 2 commits, Dec 13, 2023

Conversation

pmalek (Member) commented Dec 12, 2023

What this PR does / why we need it:

This adds RBAC rules for listing namespaces. There's no way to detect if a user has objects from a particular API group present in the cluster, so this can only be conditional on the presence of Gateway API CRDs in the cluster.

This could potentially be added (by refactoring) to

```yaml
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - namespaces
  verbs:
  - get
```

but KIC doesn't need to list namespaces when users do not use Gateway API (and specifically namespace selectors).

Related controller-runtime issue describing why we need those permissions: kubernetes-sigs/controller-runtime#1156

Which issue this PR fixes

Fixes #790

Special notes for your reviewer:

Checklist

[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]

  • PR is based off the current tip of the main branch.
  • Changes are documented under the "Unreleased" header in CHANGELOG.md
  • New or modified sections of values.yaml are documented in the README.md
  • Commits follow the Kong commit message guidelines

pmalek self-assigned this Dec 12, 2023
pmalek force-pushed the add-namespace-list-rbac-rules branch from 940bcdc to 41cbeac, December 12, 2023 15:17
pmalek force-pushed the add-namespace-list-rbac-rules branch from 41cbeac to f412d1e, December 12, 2023 15:18
pmalek marked this pull request as ready for review December 12, 2023 15:18
pmalek requested a review from a team as a code owner December 12, 2023 15:18
pmalek requested a review from czeslavo December 12, 2023 16:53
pmalek merged commit e2f4d3a into main Dec 13, 2023
23 checks passed
pmalek deleted the add-namespace-list-rbac-rules branch December 13, 2023 10:10
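
The difference between the existing `get`-only rule on namespaces and a rule for listing them that is granted only when Gateway API CRDs are detected can be checked mechanically. This is an added example, not code from this PR or the chart: the shape of the list rule, the function names and the `gateway_api_detected` flag are assumptions for illustration, and `resourceNames` and subresources are not modeled.

```python
# Added illustration: matches Kubernetes RBAC PolicyRules on
# apiGroups x resources x verbs, with "*" as wildcard.
# resourceNames and subresources are deliberately not modeled.

# Rule quoted in the PR description (get only).
BASE_RULES = [{
    "apiGroups": [""],
    "resources": ["configmaps", "pods", "secrets", "namespaces"],
    "verbs": ["get"],
}]

# Assumed shape of the extra rule; the chart's real template may differ.
NAMESPACE_LIST_RULE = {
    "apiGroups": [""],
    "resources": ["namespaces"],
    "verbs": ["list"],
}


def effective_rules(gateway_api_detected):
    """Rules the ClusterRole would carry, mirroring the conditional grant."""
    rules = list(BASE_RULES)
    if gateway_api_detected:
        rules.append(NAMESPACE_LIST_RULE)
    return rules


def rule_allows(rule, api_group, resource, verb):
    """True if one PolicyRule grants `verb` on `resource` in `api_group`."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return (match(rule.get("apiGroups", []), api_group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))


def missing_verbs(rules, api_group, resource, needed):
    """Verbs from `needed` that no rule in `rules` grants."""
    return [v for v in needed
            if not any(rule_allows(r, api_group, resource, v) for r in rules)]


if __name__ == "__main__":
    for detected in (False, True):
        gap = missing_verbs(effective_rules(detected), "", "namespaces",
                            ["get", "list"])
        print(f"gateway_api_detected={detected}: missing {gap or 'nothing'}")
```

Against a live cluster, `kubectl auth can-i list namespaces --as=system:serviceaccount:<namespace>:<serviceaccount>` answers the same question for the deployed role.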
Development

Successfully merging this pull request may close these issues.

Gateway ClusterRole needs namespace permission