Bug 1805442
| Summary: | template-instance-controller can't deploy servicemonitors | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Jim Minter <jminter> |
| Component: | Templates | Assignee: | Adam Kaplan <adam.kaplan> |
| Status: | CLOSED WONTFIX | QA Contact: | XiuJuan Wang <xiuwang> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.3.0 | CC: | aos-bugs, jokerman, wzheng |
| Target Milestone: | --- | ||
| Target Release: | 4.5.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-03 14:44:39 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Jim Minter
2020-02-20 19:31:26 UTC
The TemplateInstance controller is intentionally limited in the types of objects it is allowed to create. Only core k8s workload resources are in the template instance controller's RBAC, and we do not intend on adding additional CRD-based resources in the future. The recommended course of action in this situation is to create a new ClusterRole and aggregate it to the `edit` and `admin` roles [1]. When the template is instantiated, the template instance controller will effectively inherit these permissions and should be able to create these resources. Quoting the article: > If you are not comfortable granting these permissions to users directly, it is not safe to grant them to the template controllers. [1] https://access.redhat.com/articles/4220601 |