[provide a description of the issue]
Currently we want to create a cluster-admin-limited role with fewer privileges, for example we don't want to give them secrets access.
If we use aggregationRules, we can't use them because there are several default roles that don't have the kubernetes.io/bootstrapping label or another label to filter on.
See how the new role only has secret list permissions
When it aggregates the permissions, it adds the secrets, delete, create, ... from the registry-admin role.
Current Result
Expected Result
Having another label that we can use, or adding the kubernetes.io/bootstrapping label to all the OpenShift default cluster roles, because we want to have a new Role and dynamically populate permissions coming from other operators.
Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
One of those default roles is:
...
Version
Server Version: 4.14.33
Steps To Reproduce
```yaml
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.authorization.k8s.io/aggregate-to-admin: 'true'
    - matchExpressions:
        - { key: kubernetes.io/bootstrapping, operator: NotIn, values: [rbac-defaults] }
```
Additional Information
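Added example, not part of the original issue or of OpenShift's code: a small Python model of how Kubernetes evaluates `clusterRoleSelectors` (list entries are ORed, the fields inside one entry are ANDed, and `NotIn` also matches objects that lack the key), applied to the selector posted above. The role label sets and the `example-*` role names are constructed assumptions, not output from a real cluster.

```python
AGG = "rbac.authorization.k8s.io/aggregate-to-admin"
BOOT = "kubernetes.io/bootstrapping"

# Constructed ClusterRole label sets (assumptions for illustration only).
ROLES = {
    "registry-admin": {},                        # assumed: no bootstrapping label
    "admin": {BOOT: "rbac-defaults"},
    "example-default-aggregate": {AGG: "true", BOOT: "rbac-defaults"},
    "example-operator-admin": {AGG: "true"},     # hypothetical operator-provided role
}

NOT_BOOTSTRAP = {"key": BOOT, "operator": "NotIn", "values": ["rbac-defaults"]}
# As posted in the issue: two list entries, so two independent selectors (OR).
POSTED = [{"matchLabels": {AGG: "true"}}, {"matchExpressions": [NOT_BOOTSTRAP]}]
# The same two conditions inside ONE selector entry (AND).
COMBINED = [{"matchLabels": {AGG: "true"}, "matchExpressions": [NOT_BOOTSTRAP]}]


def expr_matches(expr, labels):
    """Evaluate one matchExpressions requirement against a label set."""
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":  # a missing key also satisfies NotIn
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator {op!r}")


def selector_matches(selector, labels):
    """matchLabels and matchExpressions of one selector must all hold."""
    by_label = all(labels.get(k) == v
                   for k, v in selector.get("matchLabels", {}).items())
    by_expr = all(expr_matches(e, labels)
                  for e in selector.get("matchExpressions", []))
    return by_label and by_expr


def aggregated_roles(selectors, roles):
    """A role is aggregated if ANY selector in the list matches it."""
    return sorted(name for name, labels in roles.items()
                  if any(selector_matches(s, labels) for s in selectors))


if __name__ == "__main__":
    print("posted:  ", aggregated_roles(POSTED, ROLES))
    print("combined:", aggregated_roles(COMBINED, ROLES))
```

In this model the posted rule pulls in every role that merely lacks the `kubernetes.io/bootstrapping` label, which is why an unlabeled default role ends up aggregated.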