Add Istio permissions to cluster role #2248
aceda25 to bca8174
Bitnami's chart has this config for Istio as well as ones for other CRs
Yes, this would be a great addition to the repo. Requesting your attention on this @Raffo
233949a to ae120c6
@njuettner could you please take a look?
ae120c6 to 08943af
I need this as well. Can a maintainer review this?
/assign @Raffo
@njuettner could you please take a look?
08943af to 7a1cd02
/assign @stevehipwell
/unassign @Raffo
@haines this is a great bug fix. I'll be using it myself once it's been merged, you've probably saved me having to figure out why this chart wouldn't work with Istio (I only have it in non-Istio clusters).
I think that these RBAC rules should be conditionally created, and as we already have the information in the sources value this would be my preference. Please see suggestions.
7eb93cb to f1225e0
Thanks for the suggestions @stevehipwell! I've applied them now. I particularly like the conditional creation of RBAC rules - no need to grant unused permissions. Should this also be applied to the other sources that already have permissions in the cluster role (services, ingresses, pods, and nodes)? I can do this as part of this PR, or create a follow-up if you would prefer.
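The conditional creation discussed in the two comments above, sketched as an added example (not the chart's actual template and not code from this PR). It assumes `.Values.sources` is the list of external-dns source names, that the Istio sources are named `istio-gateway` and `istio-virtualservice`, and that read-only access to `networking.istio.io` gateways and virtualservices is what they need; the role name and the abbreviated base rule are placeholders.

```yaml
# Added illustration of least-privilege RBAC driven by the chart's sources value.
# Assumed values.yaml input, for example:
#   sources: [service, ingress, istio-gateway]
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-dns            # placeholder name
rules:
  # Abbreviated stand-in for the rules the role already carries
  # (services, ingresses, pods, nodes).
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "watch", "list"]
{{- if or (has "istio-gateway" .Values.sources) (has "istio-virtualservice" .Values.sources) }}
  # Rendered only when an Istio source is enabled. Assumption: the
  # virtualservice source also reads gateways, because a VirtualService
  # refers to the gateways it is bound to.
  - apiGroups: ["networking.istio.io"]
    resources: ["gateways"]
    verbs: ["get", "watch", "list"]
{{- end }}
{{- if has "istio-virtualservice" .Values.sources }}
  # Rendered only when the virtualservice source is enabled.
  - apiGroups: ["networking.istio.io"]
    resources: ["virtualservices"]
    verbs: ["get", "watch", "list"]
{{- end }}
```

Rendering the chart with `helm template` for a sources list with and without the Istio entries shows whether the `networking.istio.io` rules appear only when requested.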
/assign @Raffo
f1225e0 to e46c48f
@stevehipwell now that you're an approver in the chart owners file, are you able to merge this?
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: agilgur5, haines, stevehipwell
The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@Raffo could you do the lgtm when this finishes CI?
/lgtm
@Raffo the chart release action failed again due to
@Raffo the item to be appended to

```yaml
- annotations:
    artifacthub.io/changes: |
      - kind: changed
        description: "Update image to v0.10.1"
  apiVersion: v2
  appVersion: 0.10.1
  description: ExternalDNS synchronizes exposed Kubernetes Services and Ingresses with
    DNS providers.
  home: https://github.com/kubernetes-sigs/external-dns/
  icon: https://github.com/kubernetes-sigs/external-dns/raw/master/img/external-dns.png
  keywords:
  - kubernetes
  - external-dns
  - dns
  maintainers:
  - email: steve.hipwell@gmail.com
    name: stevehipwell
  name: external-dns
  sources:
  - https://github.com/kubernetes-sigs/external-dns/
  type: application
  urls:
  - https://github.com/kubernetes-sigs/external-dns/releases/download/external-dns-helm-chart-1.4.1/external-dns-1.4.1.tgz
  version: 1.4.1
```
I removed that check multiple times and left literally no protection. I believe there is some job that sets it, likely the jobs owned by the kubernetes-sigs org. Can you try reaching out in the CNCF slack to see if we can get that removed for that particular branch? I will do the manual edit in the meantime.
@Raffo do you have a suggestion for channel?
@stevehipwell I would try
@Raffo kubernetes/test-infra#24222 should fix the issue, but the protection might need manually removing after it's been merged.
@Raffo I don't think you added the release entry to index.yaml and just modified the timestamp. Could you add the entry and bump the timestamp and see if that publishes the chart?
@stevehipwell the entry you posted seems the same as one that's already there?
@stevehipwell oh sorry, I didn't see the diff, I can add it then.
@Raffo no worries, hopefully this will be the last time!
Done!
@Raffo I can confirm that the chart is now published.
Description
Add the permissions shown here to the cluster role created by the Helm chart, so that it can work with Istio.
Checklist
Unit tests updated
End user documentation updated