[GEN-2110]: update RBAC permissions for UI #2058
Conversation
There was a problem hiding this comment.
Thanks ben, really love the comments you've added to explain why each permission is used.
Also great that you merged few permissions into one to make it more compact and readable.
Left few more suggestions for additional improvement we can apply - to have minimal permissions, and ask for only what we need and use. this can help mitigate future bugs and looks better in security reviews.
The permissions modified here are for installing odigos with cli. for helm, we maintain these permissions in another directory which we currently need to sync manually. you can run kubectl get role -n odigos-system odigos-ui -o yaml and copy it (with minor changes to the metadata) to sync the helm template as well (do it also for clusterrole).
To test your changes, you can uninstall odigos and then run make helm-install from odigos root directory.
|
Thanks @blumamir |
This pull request includes significant updates to the role and cluster role definitions in the
cli/cmd/resources/ui.gofile. The changes primarily involve refining the permissions for various resources to better align with the required operations.Changes to Role and ClusterRole Definitions:
cli/cmd/resources/ui.go: Updated theNewUIRolefunction to refine the permissions for accessingconfigmaps,secrets, andodigos.ioresources. This includes adding comments to clarify the necessity of each permission set.cli/cmd/resources/ui.go: Updated theNewUIClusterRolefunction to refine the permissions for accessingnamespaces,services,pods,replicasets, andodigos.ioresources. Comments were added to explain the purpose of each permission set.