Investigate if we can mandate RBAC rules for the TA in webhooks #2426
Assignees
Labels
Comments
jaronoff97
added
enhancement
|
@jaronoff97 - For this issue, instead of checking for the permissions, will it make sense to create the required permissions using the controller that creates the target allocator deployment? |
|
Right now, I'm not sure we want to automate that creation if a user doesn't explicitly state they want it. I've made some progress on this though, and it is possible for us to check permissions for a service account. I hope to have a PR up by EOW to address this. This is similar to the discussion in this comment. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Component(s)
operator
Is your feature request related to a problem? Please describe.
Prior to the merging of #2328, we want to ensure that we don't break any existing by checking in a webhook if they have the necessary RBAC rules for the TA to function.
Describe the solution you'd like
In the case they do, have the necessary permission, let it pass, if not, we can either block it OR see if we can downgrade the image for the TA to a version that doesn't require the permission in the mutating webhook.
Describe alternatives you've considered
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: