document ClusterRole Secret access #273
Comments
|
Hi @sepich , Thanks for raising the issue.
|
|
For the rbac query, We will raise a PR to remove the rule. Do you want to discuss 2nd and 3rd query? Were you able to disable snapshot crd? |
|
You only removed Secrets from the first ClusterRole, but they are still in the second: And why does CSI driver needs permission to Services? |
|
@sepich , Thanks for replying. We will look into these rules. Would you mind raising a PR with all changes that you are suggesting. Moreover, Have you considered using Mayastor for your storage deployment. Its more actively developed. Its faster , Completely written in rust, Uses faster Nvme Tcp stack. You could find more information here if you are interested. |
Describe the problem/challenge you have
We are investigating migration to your project from
metal-stack/csi-driver-lvm.Unfortunately with more features it seems also comes more complexity, and we cannot find reasons for that:
Most important question is why do you need permission to read all cluster Secrets?
lvm-localpv/deploy/helm/charts/templates/rbac.yaml
Line 18 in db17d08
We cannot find any mentions for this in docs, and in go code
Another thing which seems poorly documented is why do you need custom CRDs?
Putting aside snapshots, which we do not use. What kind of problem do you solve with
lvmnodes.local.openebs.ioandlvmvolumes.local.openebs.io? Why do you need separate controller and state, which can just be stored directly on nodes.Describe the solution you'd like
It is nice you have ability to disable
crd.volumeSnapshotin your helm chart.Would be nice to also have ability to disable Secrets permissions and the rest of CRD, and clearly understand what would it break.
Thank you.
The text was updated successfully, but these errors were encountered: