need ability to specify roleRef in permissions #732
Comments
Hi @richm - This is possible today in OLM - you can bundle an extra RoleBinding in with your operator (not in the CSV, alongside it) as part of the "operator bundle". You can read a bit more about them here: https://github.com/operator-framework/operator-registry#manifest-format Unfortunately, community-operators doesn't currently support building operator bundles (as far as I know). Sorry for ping-ponging you back and forth, but I think this should be a feature request against community-operators to support bundles. Happy to hop in a conversation over there to further explain if it's needed.

@ecordell can you show me an example of using an extra RoleBinding?
Or are you saying that OLM will allow me to just drop in a file like this: https://github.com/openshift/cluster-logging-operator/blob/master/manifests/04-role-binding.yaml#L46

```yaml
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: cluster-logging-operator-cluster-reader-binding
subjects:
- kind: ServiceAccount
  name: cluster-logging-operator
  namespace: openshift-logging
roleRef:
  kind: ClusterRole
  name: cluster-reader
  apiGroup: rbac.authorization.k8s.io
```

in the directory with https://github.com/operator-framework/community-operators/tree/master/community-operators/cluster-logging alongside the other files like clusterloggings.crd.yaml? Except that it won't work because https://github.com/operator-framework/community-operators doesn't support this, it won't know how to handle the extra RoleBindings file?
@richm That's correct - the issue you're running into is an issue with the pipeline that outputs catalogs, and not with OLM. With that in mind I'm going to close this issue, since I don't think there's anything that OLM can change to fix this for you. Please re-open if we missed something or can help out otherwise.
The OLM doesn't allow us to use pre-existing roles/clusterroles, nor use aggregated roles either. So we need to define the roles explicitly. See: operator-framework/operator-lifecycle-manager#732
We're stumbling upon this as well :/ Any other ways of solving a similar issue? We need a role-binding to a pre-existing role in the cluster.
In the `permissions` and `clusterPermissions` sections, I would like to be able to specify a pre-defined role or clusterRole to be used for the permissions of an SA rather than having to expand all of the rules. For example, I would like to be able to say rather than having to manually expand `cluster-reader` and de-dup the rules (e.g. as in operator-framework/community-operators#112).
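The manual expansion and de-duplication the issue describes, as an added example that is not code from OLM or from anyone in this thread: it flattens the rules of a constructed cluster-reader-style excerpt and a constructed operator role into one duplicate-free `clusterPermissions` rule list, and flags any wildcard grants that would widen the operator's access. Role objects are assumed to be plain dicts in the shape `kubectl get clusterrole <name> -o json` returns.

```python
"""Expand ClusterRoles into de-duplicated CSV clusterPermissions rules.

Added example, not OLM project code. Roles are plain dicts in the shape
`kubectl get clusterrole <name> -o json` returns; nonResourceURLs rules
are not expanded here.
"""
from itertools import product

# Constructed excerpt in the style of cluster-reader (not the real role).
CLUSTER_READER_EXCERPT = {"rules": [
    {"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]},
]}

# Constructed operator rules that partly overlap with the excerpt above.
OPERATOR_RULES = {"rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "delete"]},
    {"apiGroups": ["*"], "resources": ["secrets"], "verbs": ["get"]},
]}

def _triples(rule):
    """Split one PolicyRule into (apiGroup, resource, verb) triples."""
    groups = rule.get("apiGroups") or [""]
    return set(product(groups, rule.get("resources", []), rule.get("verbs", [])))

def expand_rules(roles):
    """Merge several roles' rules into one sorted list with no duplicate
    grants, one rule per (apiGroup, resource): the shape of CSV
    clusterPermissions[].rules."""
    grouped = {}
    for role in roles:
        for rule in role.get("rules", []):
            for group, resource, verb in _triples(rule):
                grouped.setdefault((group, resource), set()).add(verb)
    return [{"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
            for (group, resource), verbs in sorted(grouped.items())]

def wildcard_rules(rules):
    """Rules granting '*' on any axis; review these before shipping a CSV,
    since a wildcard turns a scoped grant into a broad one."""
    return [r for r in rules if "*" in r["apiGroups"] + r["resources"] + r["verbs"]]

if __name__ == "__main__":
    merged = expand_rules([CLUSTER_READER_EXCERPT, OPERATOR_RULES])
    print(len(merged), "rules after de-dup;", len(wildcard_rules(merged)), "with wildcards")
```

The output of `expand_rules` can be pasted under `spec.install.spec.clusterPermissions[].rules` in a CSV; the rules `wildcard_rules` returns deserve a second look before that.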