Aggregated cluster roles for view access to SecretProviderClassPodStatus
erikgb opened this issue
Describe the solution you'd like
Use case: As a regular namespace user I would like to track the binding between a pod and a SecretProviderClass (SecretProviderClassPodStatus). Access to the status resource currently requires the cluster-admin role or custom RBAC. I think secrets-store-csi-driver should by default allow view access through the aggregated cluster roles: view, edit, admin and cluster-reader.
Anything else you would like to add:
Aggregated cluster roles for SecretProviderClass were added in #836, but I don't understand why this wasn't fixed for SecretProviderClassPodStatus at the same time...
Environment:
- Secrets Store CSI Driver version (use the image tag): N/A
- Kubernetes version (use `kubectl version`): N/A
This is what I think should be provisioned by default:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
  name: secretproviderclasspodstatuses-viewer
rules:
- apiGroups:
  - secrets-store.csi.x-k8s.io
  resources:
  - secretproviderclasspodstatuses
  verbs:
  - get
  - list
  - watch
```