-
Notifications
You must be signed in to change notification settings - Fork 296
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Typo in CAPV controller manager ClusterRole label selector #2283
Comments
Overall sounds good to me. Can we have both labels at the same time? I was looking at the CAPV repo and didn't fine a role with permissions with the "capv. infrastucture.cluster.x-k8s.io/aggregate-to-manager" label. Can you provide some context around how this is used? |
The ProviderServiceAccount CR when reconciled, generates a service account in the workload cluster with permissions specified via a set of RBAC rules. |
Sounds good to me! |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
Hey @srm09 , Thanks for raising this Issue. |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
/remove-lifecycle rotten |
There are two occurrences for the wrong label
To fix the issue we should propably do a multi-step approach with multiple phases:
Alternative approachThe alternative approach would be to just fix the string in both places. This would add risk to existing users, if they created an additional ClusterRole which references the |
Before proceeding here with an implementation, I think we need consensus on if the alternative approach is okay (because it would be easier) or if we have to go down the long road. Note: the above needs a review if I missed something here. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale @sbueringer / @fabriziopandini : I propose to take the safe path and:
|
Sounds good to me (cc @zhanggbj PTAL to figure out what our options are for where we use CAPV (not sure how the CAPV manifests are used there, maybe we can just directly use the new label there)) |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
/kind bug
What steps did you take and what happened:
I was looking at the aggregated role that CAPV uses for the controller manager. It specifically uses that to allow provider service account controller to be able to create roles/role bindings with extra RBAC permissions that the ones granted to the manager for normal operation.
It uses a ClusterRole with label selector
capv.infrastucture.cluster.x-k8s.io/aggregate-to-manager: "true"
. As you can see there is a typo in infrastructure.What did you expect to happen:
The label selector should not have the typo. I'd propose for it to be replaced with a newer label selector
capv.infrastructure.cluster.x-k8s.io/aggregate-to-manager: "true"
(without the typo) and the label selector with the typo to be deprecated and eventually phased out in favor of the newer one.Anything else you would like to add:
For a few releases, CAPV should support both and release note the new label selector as well as the deprecation of the existing one with the date probable schedule of the deletion.
Environment:
kubectl version
):/etc/os-release
):The text was updated successfully, but these errors were encountered: