feat: allow the service account to be in a different namespace than t… #1952
…he rolebinding for 'policy {add,remove}-[cluster]-role-to-user'
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: machine424 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@@ -178,6 +179,7 @@ func NewCmdAddRoleToUser(f kcmdutil.Factory, streams genericiooptions.IOStreams, | |||
cmd.Flags().StringVar(&o.RoleBindingName, "rolebinding-name", o.RoleBindingName, "Name of the rolebinding to modify or create. If left empty creates a new rolebinding with a default name") | |||
cmd.Flags().StringVar(&o.RoleNamespace, "role-namespace", o.RoleNamespace, "namespace where the role is located: empty means a role defined in cluster policy") | |||
cmd.Flags().StringSliceVarP(&o.SANames, "serviceaccount", "z", o.SANames, "service account in the current namespace to use as a user") | |||
cmd.Flags().StringVar(&o.SANamespace, "serviceaccount-namespace", o.SANamespace, "namespace where the service account is located: empty means the default namespace") |
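Review bot: The help text on the added `--serviceaccount-namespace` line, "empty means the default namespace", is ambiguous and disagrees with the `--serviceaccount` help directly above it, which still says "service account in the current namespace". "Default namespace" can be read as the namespace literally named default; if the fallback is the current project, say "empty means the current namespace" and reword the `--serviceaccount` description so the two flags agree. Because this flag lets a binding name an identity outside the binding's own namespace, it is also worth rejecting `--serviceaccount-namespace` when no `--serviceaccount` is given; no such check is visible in this hunk.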
From a user's point of view, it is already very hard for users to use these commands (e.g. adm policy *) as the current flag set (and the flags' interactions with each other) is already hard to understand. I'd prefer not adding a new flag that makes the case worse.
$ oc project test-proj
$ oc policy add-role-to-user view user1
can still be used to modify the default namespace as a workaround.
As I tried to explain in https://issues.redhat.com/browse/RFE-6272, the rolebinding namespace will be test-proj, but the service account is forced to be from that same namespace; one may want it to be from another namespace, and the kube API allows that.
I don't think the workaround can help with that.
I think with more docs and examples we could improve the UX, like we do for other commands with "too many" flags.
Use case:
I have a predefined Role in openshift-foo and I want to assign it to a serviceaccount in namespace bar.
The Role and RoleBinding should both be in openshift-foo (kube API requirement), but I don't want the serviceaccount to be in openshift-foo.
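A RoleBinding whose ServiceAccount subject lives in a different namespace, as in the use case above, is something a cluster reviewer will want to be able to list. The Go program below is an added example, not code from this PR or from oc; the helper name CrossNamespaceSAs and the embedded JSON sample (shaped like a RoleBinding list, with made-up names) are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of a v1 RoleBinding; encoding/json matches the JSON keys case-insensitively.
type roleBinding struct {
	Metadata struct{ Name, Namespace string }
	RoleRef  struct{ Kind, Name string }
	Subjects []struct{ Kind, Name, Namespace string }
}

// Constructed sample shaped like a RoleBinding list; every name is made up.
const sampleList = `{"items":[
 {"metadata":{"name":"foo-reader","namespace":"openshift-foo"},
  "roleRef":{"kind":"Role","name":"foo-reader"},
  "subjects":[{"kind":"ServiceAccount","name":"collector","namespace":"bar"},
   {"kind":"ServiceAccount","name":"local-sa","namespace":"openshift-foo"}]},
 {"metadata":{"name":"view","namespace":"test-proj"},
  "roleRef":{"kind":"ClusterRole","name":"view"},"subjects":[{"kind":"User","name":"user1"}]}]}`

// CrossNamespaceSAs (hypothetical helper) reports each ServiceAccount subject
// whose namespace differs from the namespace of the RoleBinding naming it.
func CrossNamespaceSAs(listJSON []byte) ([]string, error) {
	var list struct{ Items []roleBinding }
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, err
	}
	var out []string
	for _, rb := range list.Items {
		for _, s := range rb.Subjects {
			if s.Kind == "ServiceAccount" && s.Namespace != rb.Metadata.Namespace {
				out = append(out, fmt.Sprintf("%s/%s: %s %s -> system:serviceaccount:%s:%s",
					rb.Metadata.Namespace, rb.Metadata.Name, rb.RoleRef.Kind, rb.RoleRef.Name, s.Namespace, s.Name))
			}
		}
	}
	return out, nil
}

func main() {
	lines, err := CrossNamespaceSAs([]byte(sampleList))
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(lines, "\n"))
}
```

Each reported line names the binding, the role it grants, and the service account identity in the `system:serviceaccount:<namespace>:<name>` form that receives it.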
@machine424: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Forgot about |