Can we reduce the required CustomResourceDefinitions permissions to run the MinIO operator? #441
Assignees
Comments
|
the namespace powers seems like a valid concern, I dont think we need create/delete on namespace, we can remove them |
nitisht
added a commit
that referenced
this issue
Feb 2, 2021
Also do not automatically create namespaces in Operator plugin. Fixes #441
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
I am trying to deploy to a shared cluster and I really don't feel comfortable creating a role that can delete entire namespaces or collections. Not only is it scary from a development standpoint, but it's also difficult to administrate. We intentionally locked down each user account's ability to create CRDs and now MinIO is forcing us to give one developer full-admin privileges just to get it up and running. For example, why does it need namespace creation and deletion privileges? It already expects namespaces to exist for tenants. Lets just error out if the namespace doesn't exist? Stuff like that seems heavy handed. I'm waiting for the day someone manages to delete an entirely unrelated namespace under the wrong CRD.
Describe the solution you'd like
To be honest, the less CRDs required to deploy, the easier. They might make your application easier to think about from your end, but they add another layer of complexity. I'd really prefer raw K8 deployments, but I understand that's a much bigger ask.
Describe alternatives you've considered
Alternatively, just limit the scope of these actions. Maybe only create and not delete? Lets just force an admin to remove tenants rather than giving a dev the tool to create or delete anything?
The text was updated successfully, but these errors were encountered: