[BUG] RabbitMQ using cmpd.spec.policyRules to specify PolicyRule required to start the cluster #1329

Open
shanshanying opened this issue Dec 16, 2024 · 1 comment

Instead of creating an SA and RoleBinding for each RabbitMQ Cluster on creation, we should specify the rules in the rabbitmq cmpd explicitly.

GROUP:      apps.kubeblocks.io
KIND:       ComponentDefinition
VERSION:    v1

FIELD: policyRules <[]Object>


DESCRIPTION:
    Defines the namespaced policy rules required by the Component.


    The `policyRules` field is an array of `rbacv1.PolicyRule` objects that
    define the policy rules
    needed by the Component to operate within a namespace.
    These policy rules determine the permissions and verbs the Component is
    allowed to perform on
    Kubernetes resources within the namespace.


    The purpose of this field is to automatically generate the necessary RBAC
    roles
    for the Component based on the specified policy rules.
    This ensures that the Pods in the Component has appropriate permissions to
    function.


    Note: This field is currently non-functional and is reserved for future
    implementation.


    This field is immutable.
    PolicyRule holds information that describes a policy rule, but does not
    contain information
    about who the rule applies to or which namespace the rule applies to.

FIELDS:
  apiGroups	<[]string>
    APIGroups is the name of the APIGroup that contains the resources.  If
    multiple API groups are specified, any action requested against one of
    the enumerated resources in any API group will be allowed. "" represents the
    core API group and "*" represents all API groups.

  nonResourceURLs	<[]string>
    NonResourceURLs is a set of partial urls that a user should have access to.
    *s are allowed, but only as the full, final step in the path
    Since non-resource URLs are not namespaced, this field is only applicable
    for ClusterRoles referenced from a ClusterRoleBinding.
    Rules can either apply to API resources (such as "pods" or "secrets") or
    non-resource URL paths (such as "/api"),  but not both.

  resourceNames	<[]string>
    ResourceNames is an optional white list of names that the rule applies to.
    An empty set means that everything is allowed.

  resources	<[]string>
    Resources is a list of resources this rule applies to. '*' represents all
    resources.

  verbs	<[]string> -required-
    Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in
    this rule. '*' represents all verbs.
@shanshanying shanshanying self-assigned this Dec 16, 2024

shanshanying commented Dec 17, 2024

Add policies to CMPD when the feature is supported in KB.

  policyRules:
  - apiGroups:
    - ""
    resources:
    - endpoints
    verbs:
    - get
  - apiGroups:
    - ""
    resources:
    - events
    verbs:
    - create
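
Added example, not part of the issue and not KubeBlocks code: a small audit that checks a `policyRules` array against the PolicyRule field semantics quoted above (wildcards, required `verbs`, `nonResourceURLs` in namespaced rules) before it is placed in a cmpd. The function name, the finding strings, the secrets check and the broad rule set are assumptions made for illustration; the proposed rules are transcribed from the comment.

```python
# Added example, not KubeBlocks code: audit a policyRules array before it goes into a cmpd.
WILDCARD = "*"

def audit_policy_rules(rules):
    """Return (rule_index, finding) tuples for over-broad or ineffective PolicyRules."""
    findings = []
    for i, rule in enumerate(rules):
        verbs = rule.get("verbs") or []
        resources = rule.get("resources") or []
        urls = rule.get("nonResourceURLs") or []
        names = rule.get("resourceNames") or []
        if not verbs:
            findings.append((i, "verbs is required"))
        if resources and urls:
            findings.append((i, "rule mixes resources and nonResourceURLs"))
        if urls:
            # Non-resource URLs only take effect via ClusterRole + ClusterRoleBinding.
            findings.append((i, "nonResourceURLs ignored in namespaced rules"))
        for field in ("verbs", "resources", "apiGroups"):
            if WILDCARD in (rule.get(field) or []):
                findings.append((i, f"wildcard in {field}"))
        # Assumption (reviewer policy, not from the issue): secrets access must
        # be pinned to named objects, since empty resourceNames allows all.
        if "secrets" in resources and not names:
            findings.append((i, "secrets not restricted by resourceNames"))
    return findings

# The two rules proposed in the comment above.
PROPOSED_RULES = [
    {"apiGroups": [""], "resources": ["endpoints"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create"]},
]

# Constructed counter-example showing what the audit is meant to catch.
CONSTRUCTED_BROAD_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    {"nonResourceURLs": ["/api"], "verbs": ["get"]},
]

if __name__ == "__main__":
    for name, rules in (("proposed", PROPOSED_RULES), ("broad", CONSTRUCTED_BROAD_RULES)):
        for index, finding in audit_policy_rules(rules):
            print(f"{name} rule {index}: {finding}")
        print(f"{name}: {len(audit_policy_rules(rules))} finding(s)")
```

The proposed rules produce no findings: each names one core-group resource and one verb.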
