Aggregated cluster roles for view access to SecretProviderClassPodStatus #1281
Labels
kind/feature
Categorizes issue or PR as related to a new feature.
Comments
erikgb
added
the
kind/feature
|
This is what I think should be provisioned by default: apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
name: secretproviderclasspodstatuses-viewer
rules:
- apiGroups:
- secrets-store.csi.x-k8s.io
resources:
- secretproviderclasspodstatuses
verbs:
- get
- list
- watch |
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the solution you'd like
[A clear and concise description of what you want to happen.]
Use case: As a regular namespace user I would like to track the binding between a pod and
SecretProviderClass(SecretProviderClassPodStatus). Access to the status resource currently requires cluster-admin role or custom RBAC. I think secrets-store-csi-driver should by default allow view access to aggregates cluster roles: view, edit, admin and cluster-reader.Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]
Aggregated cluster roles for
SecretProviderClasswere added in #836, but I don't understand why this wasn't fixed forSecretProviderClassPodStatusat the same time....Environment:
kubectl version): N/AThe text was updated successfully, but these errors were encountered: