This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

There will be changes to permissions of the default service account in 1.6 #400

Closed
errordeveloper opened this issue Jan 24, 2017 · 10 comments

Comments

@errordeveloper
Contributor

See weaveworks/scope#2149 for details.

@paulbellamy
Contributor

@errordeveloper any details on the intended changes anywhere?

@errordeveloper
Contributor Author

errordeveloper commented Feb 6, 2017 via email

@errordeveloper
Contributor Author

errordeveloper commented Feb 6, 2017

From talking to @luxas, I figure we will need to create some RBAC API object from the launch generator. There is code in kubeadm with some examples of such kinds of objects. I suppose from Flux's perspective, we would want to ensure that the user at least sees a descriptive error message when Flux cannot access the API as it currently expects.

@errordeveloper
Contributor Author

Also, there is also a problem that RBAC goes from Alpha to Beta, namely RBAC rules for v1.5 won't have the same apiVersion as the ones for v1.6.

@liggitt

liggitt commented Feb 27, 2017

Both alpha and beta APIs exist in 1.6, and a role created with v1alpha1 will also be accessible from the v1beta1 API.

@errordeveloper
Contributor Author

@liggitt thanks very much!

@errordeveloper
Contributor Author

errordeveloper commented Mar 21, 2017

I need a list of permissions that Flux requires, like what we have for Net; any chance someone could look into it?

@squaremo
Member

Presently, we need:

  • list, get Namespaces
  • list, get Services
  • list, get, apply Deployments
  • list, get, create, delete ReplicationControllers

I have guessed some actions / objects; we'll need to test them out of course.

@errordeveloper
Contributor Author

> list, get, apply Deployments

I think apply translates to create and update.
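The permission list discussed above, written out as RBAC objects. This is an added example, not part of the thread or the Flux repository; the `flux` names and the `default` namespace are hypothetical, and the verbs are the thread's own untested guesses.

```yaml
# Added example, not from the Flux repository.
# Assumptions: the names "flux" and the namespace "default" are hypothetical.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flux
  namespace: default
---
# Namespaces are cluster-scoped, so listing them needs a ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1beta1   # beta RBAC API in 1.6, per the thread
kind: ClusterRole
metadata:
  name: flux
rules:
  - apiGroups: [""]                      # core API group
    resources: ["namespaces", "services"]
    verbs: ["list", "get"]
  - apiGroups: ["extensions", "apps"]    # groups that serve Deployments in 1.6
    resources: ["deployments"]
    # "apply" taken as create + update, as guessed in the thread
    verbs: ["list", "get", "create", "update"]
  - apiGroups: [""]
    resources: ["replicationcontrollers"]
    verbs: ["list", "get", "create", "delete"]
---
# Bind the role to the dedicated service account instead of widening the
# namespace's default service account.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: flux
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flux
subjects:
  - kind: ServiceAccount
    name: flux
    namespace: default
```

Each rule can be checked individually with `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:default:flux`, which shows whether a guessed verb is actually granted before Flux hits a denied request.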

@errordeveloper
Contributor Author

This should have been closed a while ago; however, it'd be good to refine the permissions we ask for – #850.
