-
Notifications
You must be signed in to change notification settings - Fork 591
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KIC only keeps needed RBAC role and bindings in the cluster #1718
Comments
We'd need to grant RBAC management permissions to the new ServiceAccount for it to handle this automatically. I don't think we'd want to for a one-off task, given that those are a pretty powerful. Instead, I suggest that we just provide the commands to clear out the old resources:
|
Yes, those resource names/namespace are the same from 1.3 to 2.0, need ensure only deleted 1.3 ones. |
Ah, the SA is actually the same, but the roles/bindings aren't: https://gist.github.com/rainest/7188f056bcf06226066bb894ea236893 So instead, just:
|
Closing as stale. Let's re-open if we determine there's any followup needed here. |
Is there an existing issue for this?
Problem Statement
The RBAC role names and bindings do differ between 1.x and 2.x. After upgrade from 1.x to 2.x, will
leave the now-unused 1.x role and binding around. They should be deleted.
Proposed Solution
Propose a prepare function within 2.x controller, which basically remove all non-used (1.x) RBAC role names and bindings, or any other known-unneeded resources before KIC ready for work. Or put it another word, only keep 2.x required RBAC role in the cluster.
Additional information
No response
Acceptance Criteria
The text was updated successfully, but these errors were encountered: