Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PROPOSAL] Add the capability to use RoleBindings instead of ClusterRoleBindings #831

Closed
nilushancosta opened this issue May 30, 2024 · 1 comment · Fixed by #841
Closed

[PROPOSAL] Add the capability to use RoleBindings instead of ClusterRoleBindings #831

nilushancosta opened this issue May 30, 2024 · 1 comment · Fixed by #841
Labels
enhancement New feature or request

Comments

@nilushancosta
Copy link
Contributor

What/Why

What are you proposing?

Add the capability to make the operator use RoleBindings instead of ClusterRoleBindings

What users have asked for this feature?

#702

What problems are you trying to solve?

The default behaviour of the operator's Helm chart is to create ClusterRoles and ClusterRoleBindings. But there are scenarios where the operator only needs to manage OpenSearch clusters in a single namespace. In such scenarios, RoleBindings can be used instead of ClusterRoleBindings

What is the developer experience going to be?

No new REST APIs

Are there any security considerations?

No

Are there any breaking changes to the API

No

What is the user experience going to be?

The proposal is to add a new parameter (set to false by default) in the operator's Helm value file as follows

useRoleBindings: false

If this is changed to true, RoleBindings will be created instead of ClusterRoleBindings.
Also if this is changed to true the user will need to specify the namespace where the cluster is in using the manager.watchNamespace parameter

Are there breaking changes to the User Experience?

No. Since useRoleBindings will be set to false by default, existing deployments will not break

Why should it be built? Any reason not to?

If the operator needs to manage OpenSearch cluster/s in a single namespace, there is no need to give cluster wide access to resources to the operator. Thus restricting permissions by using RoleBindings will improve security.

What will it take to execute?

Need to RoleBinding manifests to the operator's Helm chart
I can submit a PR if this proposal sounds good

Any remaining open questions?

No
@github-actions github-actions bot added the untriaged Issues that have not yet been triaged label May 30, 2024
@swoehrl-mw
Copy link
Collaborator

Hi @nilushancosta. This sounds like something that can be added (PRs are always welcome if you want to give it a shot), as long as it is designed in a way that does not break the existing behaviour.

@swoehrl-mw swoehrl-mw added enhancement New feature or request and removed untriaged Issues that have not yet been triaged labels Jun 5, 2024
@nilushancosta nilushancosta mentioned this issue Jun 8, 2024
Merged
6 tasks
@getsaurabh02 getsaurabh02 moved this from 🆕 New to Backlog in Engineering Effectiveness Board Jul 18, 2024
@github-project-automation github-project-automation bot moved this from Backlog to ✅ Done in Engineering Effectiveness Board Oct 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
Engineering Effectiveness Board
Status: ✅ Done
Milestone
No milestone
2 participants
@nilushancosta @swoehrl-mw