Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: disable manual rbac by default #1197

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

chore: disable manual rbac by default #1197

wants to merge 3 commits into from
+157 −166

Conversation

cjc7373
Copy link
Contributor

@cjc7373 cjc7373 commented Nov 14, 2024

also add patroni's policy rules

@cjc7373 cjc7373 mentioned this pull request Nov 14, 2024
Open
zjx20
zjx20 previously approved these changes Nov 14, 2024
View reviewed changes
Copy link
Contributor

@zjx20 zjx20 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Just curious, in which case should the rbacEnabled be set to true?

@cjc7373
Copy link
Contributor Author

cjc7373 commented Nov 18, 2024

It seems like rbacEnabled is used to "simulate" user defined rbac resources. @Y-Rookie What's this field designed for?

@zjx20
Copy link
Contributor

zjx20 commented Nov 18, 2024

I suggest deleting it if it's useless.

@ldming
Copy link
Collaborator

ldming commented Nov 20, 2024
edited
Loading

It seems like rbacEnabled is used to "simulate" user defined rbac resources. @Y-Rookie What's this field designed for?

In earlier versions of KubeBlokcs, it did not support the automatic creation of service accounts (SA) with specific roles for clusters. Therefore, they would be created in kbcli or helm charts. After KB started supporting this feature, in most cases, this parameter has become unnecessary.

But, to my knowledge, currently, Elasticsearch sets this parameter to true, referring to this PR apecloud/kbcli#460.

https://github.com/apecloud/kubeblocks/blob/26e2cf458382b8732d5e2ff54e3ac8b273f02272/controllers/apps/transformer_component_rbac.go#L268-L271
KubeBlocks will not create sa if probe, volume protection, and data protection are disabled at the same time.

IMO, KubeBlocks should create the cluster SA, and delete the rbacEnabled in helm chart and kbcli.

ldming
ldming previously approved these changes Nov 25, 2024
View reviewed changes
@cjc7373
Copy link
Contributor Author

cjc7373 commented Nov 25, 2024

I'll do the cleanup and remove rbacEnabled.

@cjc7373 cjc7373 marked this pull request as draft November 25, 2024 07:31
@cjc7373 cjc7373 dismissed stale reviews from ldming and zjx20 via d8060b7 November 29, 2024 08:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zjx20 zjx20 zjx20 left review comments

@ldming ldming ldming left review comments

@nayutah nayutah Awaiting requested review from nayutah

@heng4fun heng4fun Awaiting requested review from heng4fun

@free6om free6om Awaiting requested review from free6om

@wangyelei wangyelei Awaiting requested review from wangyelei

@leon-inf leon-inf Awaiting requested review from leon-inf leon-inf is a code owner

@shanshanying shanshanying Awaiting requested review from shanshanying shanshanying is a code owner

@weicao weicao Awaiting requested review from weicao

@Y-Rookie Y-Rookie Awaiting requested review from Y-Rookie Y-Rookie is a code owner

@kubeJocker kubeJocker Awaiting requested review from kubeJocker kubeJocker will be requested when the pull request is marked ready for review kubeJocker is a code owner

@iziang iziang Awaiting requested review from iziang iziang will be requested when the pull request is marked ready for review iziang is a code owner

@xuriwuyun xuriwuyun Awaiting requested review from xuriwuyun xuriwuyun will be requested when the pull request is marked ready for review xuriwuyun is a code owner

@1aal 1aal Awaiting requested review from 1aal 1aal will be requested when the pull request is marked ready for review 1aal is a code owner

@fengluodb fengluodb Awaiting requested review from fengluodb fengluodb will be requested when the pull request is marked ready for review fengluodb is a code owner

@caiq1nyu caiq1nyu Awaiting requested review from caiq1nyu caiq1nyu will be requested when the pull request is marked ready for review caiq1nyu is a code owner

@sophon-zt sophon-zt Awaiting requested review from sophon-zt sophon-zt will be requested when the pull request is marked ready for review sophon-zt is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cjc7373 @zjx20 @ldming