fix: add custom clusterrole for ccm helm chart #1042
Conversation
Least privlage rbac permissions. Fixes hetznercloud#1004 Signed-off-by: Henrik Gerdes <[email protected]>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1042 +/- ##
==========================================
- Coverage 67.52% 63.80% -3.73%
==========================================
Files 23 23
Lines 3249 3249
==========================================
- Hits 2194 2073 -121
- Misses 885 1011 +126
+ Partials 170 165 -5
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Signed-off-by: Henrik Gerdes <[email protected]>
lukasmetzner
had a problem deploying
to
e2e-robot
GitHub Actions
Failure
There was a problem hiding this comment.
Hey @hegerdes, I have removed a few things, which are in the AWS CCM, but I don't see a reason to have them here.
Here are the officially required rules by the Kubernetes docs: https://kubernetes.io/docs/concepts/architecture/cloud-controller/#authorization-miscellaneous
In addition with the ConfigMaps, I don't see anything we would need otherwise.
|
Thx. Will test the suggestions again within the next days and update the PR. You use the tools in |
Yes. We use |
Signed-off-by: Henrik Gerdes <[email protected]>
|
Everything updated. My own test with ccm in hcloud deployment succeeded |
2 participants
This adds a new
ClusterRoleto the ccm helm chart and implements the least privilege principle for ccm rbac permissions.The values are mostly taken from the aws ccm and k8s docs but I added
ConfigMappermissions since hcloud ccm needs them.The following SA permissions are not strictly needed, but can be nesessary if you want to run the ccm in an none default config where each controller gets its own SA.
Fixes #1004