Control associations across namespaces with ServiceAccount and RBAC #2482
Conversation
@@ -6,6 +6,12 @@ kind: ClusterRole | |||
metadata: | |||
name: elastic-operator | |||
rules: | |||
- apiGroups: |
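Review bot: the hunk header `@@ -6,6 +6,12 @@` shows six lines being added under `rules:` of the cluster-wide `elastic-operator` ClusterRole, but the added rules themselves are not visible in this excerpt; when reviewing, check that each new rule is limited to the narrowest apiGroups, resources and verbs the association controller actually needs, and add a short comment in the manifest explaining why the extra permissions are required, since anyone auditing the operator's cluster-wide privileges will read this file.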
Only the cluster role of the all-in-one manifest is updated since this feature only makes sense when the operator is watching more than one namespace.
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: elasticsearch-association |
Do you think we should pre-create this role as part of the operator manifest?
My gut feeling is that we should create roles only if they are needed, but add it as an example in our documentation if the user wants to enable access control. That being said, I'm happy to pre-create it if you think it's worth it.
👍 let's not include it for now and maybe do it later depending on users feedback.
...controller/apmserverelasticsearchassociation/apmserverelasticsearchassociation_controller.go
It would be nice to have this verified in an E2E test, but it does not really match the current E2E test framework :/
Agreed, I'll create a follow-up issue to track the e2e test effort for this feature.
Sorry for the drive-by comments, I think this looks good!
...controller/apmserverelasticsearchassociation/apmserverelasticsearchassociation_controller.go
) | ||
|
||
type Unbinder interface { | ||
Unbind(associated commonv1.Associated) error |
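Review bot: `type Unbinder interface` is introduced without a doc comment; add one stating that `Unbind` removes an existing association for the given `Associated` resource, under which condition the controller calls it (the PR discussion describes associations being removed when the configured serviceAccountName is not allowed), and whether implementations must be idempotent, since a reconcile loop may invoke it more than once for the same resource.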
I like this 👍
We should have a dedicated page in the documentation (in this PR or in a follow-up one).
LGTM once my comments above are considered, great work 👍
I did a test locally, everything seems to work as expected:
- start the operator without the rbac flag, can establish associations
- start it with the flag, removes the existing associations
- setup the correct RBAC, association established
- set a wrong serviceAccountName, association removed
- set back a correct serviceAccountName, association established
- set no serviceAccountName (default), association removed
LGTM. I think this turned out really nice. Curious to see what users make of it.
Fix #2468
TODO:
cluster_role.template.yaml