[feat] Kratix should warn when a Promise RBAC specifies a namespaced permissions for a cluster-wide resource #214

aclevername · 2024-08-05T10:52:36Z

If a resource is cluster wide, e.g. Destinations, you must ensure that you use a ClusterRole instead of a Role to give permissions to it. In the rbac.permissions feature this is done by setting resourceNamespace: "*", which could easily be forgotten.

Example:

            rbac:
              permissions:
              - apiGroups:
                  - platform.kratix.io
                resources:
                  - destinations
                verbs:
                  - list

this will create a Role/RoleBinding, however the Role will be useless, since it refererences a cluster-wide resource that isn't namespaced. We should emit a warning/error on validating webhook when this happens, and suggest that they change it to:

            rbac:
              permissions:
              - apiGroups:
                  - platform.kratix.io
                resources:
                  - destinations
                verbs:
                  - list
                resourceNamespace: "*"

The text was updated successfully, but these errors were encountered:

richcooper95 self-assigned this Oct 2, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[feat] Kratix should warn when a Promise RBAC specifies a namespaced permissions for a cluster-wide resource #214

[feat] Kratix should warn when a Promise RBAC specifies a namespaced permissions for a cluster-wide resource #214

aclevername commented Aug 5, 2024 •

edited

Loading

[feat] Kratix should warn when a Promise RBAC specifies a namespaced permissions for a cluster-wide resource #214

[feat] Kratix should warn when a Promise RBAC specifies a namespaced permissions for a cluster-wide resource #214

Comments

aclevername commented Aug 5, 2024 • edited Loading

aclevername commented Aug 5, 2024 •

edited

Loading