Kubernetes extension: Configure additional role policies for generation

Description

The Kubernetes extension generates a ClusterRole based on the requirements of the Deployment (ConfigMap, Secret, CRD access…).

When building operators, there may be additional policies required. I propose to make them configurable, and would like to contribute this enhancement.

Implementation ideas

Add a new @ConfigGroup list item to the KubernetesConfig and OpenshiftConfig containing basically the same as:

    /**
     * Corresponds directly to the Kubernetes {@code PolicyRule} resource.
     */
    public static final class PolicyRule {
        private final List<String> apiGroups;
        private final List<String> nonResourceURLs;
        private final List<String> resourceNames;
        private final List<String> resources;
        private final List<String> verbs;
        // constructor and accessors omitted
    }

Configuration will become a little ugly, maybe there’s a better approach:

    quarkus.kubernetes.policies[0].api-groups=extensions,apps
    quarkus.kubernetes.policies[0].resources=deployments,deployments/status
    quarkus.kubernetes.policies[0].verbs=get,watch,list
    quarkus.kubernetes.policies[1].cluster-wide=true
    quarkus.kubernetes.policies[1].api-groups=apiextensions.k8s.io
    quarkus.kubernetes.policies[1].resources=customresourcedefinitions
    quarkus.kubernetes.policies[1].verbs=get,update

@iocanel WDYT?

Issue Analytics

  • State: open
  • Created 2 years ago
  • Comments: 8 (6 by maintainers)
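
Added example (not part of the issue and not Quarkus code): how the indexed properties proposed above would group into Kubernetes `PolicyRule` entries, with a check for wildcard grants that a reviewer of such extra policies would want. The `resource-names` and `non-resource-urls` suffixes, the `clusterWide` output key and the function names are assumptions.

```python
import re
from collections import defaultdict

# Properties exactly as proposed in the issue (a proposal, not a released option).
PROPOSED = """\
quarkus.kubernetes.policies[0].api-groups=extensions,apps
quarkus.kubernetes.policies[0].resources=deployments,deployments/status
quarkus.kubernetes.policies[0].verbs=get,watch,list
quarkus.kubernetes.policies[1].cluster-wide=true
quarkus.kubernetes.policies[1].api-groups=apiextensions.k8s.io
quarkus.kubernetes.policies[1].resources=customresourcedefinitions
quarkus.kubernetes.policies[1].verbs=get,update
"""

KEY = re.compile(r"^quarkus\.kubernetes\.policies\[(\d+)\]\.([a-z-]+)$")
# Property suffix -> PolicyRule field. The last two suffixes are assumed
# kebab-case spellings; the issue only shows the first three.
FIELDS = {"api-groups": "apiGroups", "resources": "resources", "verbs": "verbs",
          "resource-names": "resourceNames", "non-resource-urls": "nonResourceURLs"}


def parse_policies(text):
    """Group indexed properties into [{'clusterWide': bool, 'rule': {...}}]."""
    raw = defaultdict(dict)
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        m = KEY.match(key.strip())
        if sep and m:  # ignore anything that is not a policies[...] property
            raw[int(m.group(1))][m.group(2)] = value.strip()
    policies = []
    for index in sorted(raw):
        props = raw[index]
        unknown = sorted(set(props) - set(FIELDS) - {"cluster-wide"})
        if unknown:
            raise ValueError(f"policies[{index}]: unknown keys {unknown}")
        rule = {FIELDS[k]: [v.strip() for v in props[k].split(",") if v.strip()]
                for k in FIELDS if k in props}
        if not rule.get("verbs"):  # Kubernetes requires at least one verb per rule
            raise ValueError(f"policies[{index}]: verbs must not be empty")
        policies.append({"clusterWide": props.get("cluster-wide", "").lower() == "true",
                         "rule": rule})
    return policies


def wildcard_findings(policies):
    """Return (position, field) for every rule field that contains '*'."""
    return [(i, field) for i, p in enumerate(policies)
            for field, values in p["rule"].items() if "*" in values]
```
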

Top GitHub Comments

1 reaction
iocanel commented, Nov 22, 2021

@heubeck

I think that the use of arrays in Quarkus configuration is not very common. So, I would also suggest the use of maps. As you mentioned, the thing is that there is field in policies that would qualify as an id, but this is no biggie. We have other cases where it happens too.

1 reaction
heubeck commented, Nov 21, 2021

Best open a draft PR on Quarkus so @iocanel can have a look and comment on the implementation

As you wish: https://github.com/quarkusio/quarkus/pull/21595 😉

Thank you!
