Ansible Automation Platform RFEs: AAPRFE-1248

Installation of AAP namespace-scoped should not require cluster-scoped permissions

1. What is the nature and description of the request?
   AAP today can be installed cluster-scoped or namespace-scoped according to Chapter 2, "Installing the Red Hat Ansible Automation Platform operator on Red Hat OpenShift Container Platform". When using the namespace-scoped installation, it is expected that it also works with "Allowing non-cluster administrators to install Operators", which unfortunately is not the case, because ClusterRole as well as ClusterRoleBinding resources are created. This means the designated ServiceAccount requires cluster-scoped permissions, which is not acceptable for many enterprise environments. Without those permissions granted, an error such as the following is reported during installation:

   error creating clusterrole aap-operator.v2.4.0-0.1711590540-6ddd6b48b6: clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:scoped:scoped" cannot create resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope

2. Why does the customer need this? (List the business requirements here)
   Large enterprises running OpenShift Container Platform 4 aim to always run with the least privileges required and will therefore restrict namespace-scoped activity as much as they can. With "Allowing non-cluster administrators to install Operators" it is even possible to grant namespace administrators permission to install namespace-scoped Operators. It is, however, expected that those Operators do not rely on cluster-scoped resources, since otherwise the installation process does not work and falls back to the administrator of the OpenShift Container Platform 4 cluster. In a managed service offering this is not desired; it is therefore requested that the namespace-scoped installation be done in a way that does not require cluster-scoped permissions.
3. How would you like to achieve this? (List the functional requirements here)
   Generally, tokenreviews and subjectaccessreviews are already covered by the built-in system:auth-delegator ClusterRole, meaning there is no need to create a ClusterRole for that purpose. Instead, a RoleBinding towards that ClusterRole would be required. While still a cluster-scoped task, it might be something that can be solved one way or another (via instructions or similar as part of the preparation for the namespace-scoped installation).
4. List any affected known dependencies: Doc, UI etc.
   Just the AAP Operator and the Bundle used to install it namespace-scoped.
5. GitHub link, if any
   N/A
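As an added example (not part of this RFE or of the AAP operator), the following pre-flight check illustrates points 1 and 3: it walks the manifests an operator bundle would create, lists those a namespace administrator cannot create because they are cluster-scoped, and flags ClusterRoles whose rules only grant what the built-in system:auth-delegator ClusterRole already grants, so a binding to that ClusterRole could replace them. The bundle, names and namespace in the sample are constructed, not taken from the AAP bundle.

```python
# Non-namespaced kinds: creating them always needs cluster-scoped RBAC.
CLUSTER_SCOPED_KINDS = {
    "ClusterRole", "ClusterRoleBinding", "CustomResourceDefinition",
    "Namespace", "MutatingWebhookConfiguration", "ValidatingWebhookConfiguration",
}
# Exactly what the built-in system:auth-delegator ClusterRole grants.
AUTH_DELEGATOR_RULES = {
    ("authentication.k8s.io", "tokenreviews", "create"),
    ("authorization.k8s.io", "subjectaccessreviews", "create"),
}

def expand_rules(rules):
    """Flatten RBAC PolicyRules into a set of (apiGroup, resource, verb) triples."""
    return {(group, resource, verb)
            for rule in rules
            for group in rule.get("apiGroups", [""])
            for resource in rule.get("resources", [])
            for verb in rule.get("verbs", [])}

def needs_cluster_permissions(manifests):
    """kind/name of each manifest a namespace admin cannot create."""
    return [f"{m['kind']}/{m['metadata']['name']}"
            for m in manifests if m["kind"] in CLUSTER_SCOPED_KINDS]

def replaceable_by_auth_delegator(manifests):
    """ClusterRoles whose (non-empty) rules system:auth-delegator already covers."""
    found = []
    for m in manifests:
        if m["kind"] != "ClusterRole":
            continue
        granted = expand_rules(m.get("rules", []))
        if granted and granted <= AUTH_DELEGATOR_RULES:
            found.append(m["metadata"]["name"])
    return found

# Constructed sample bundle (not the AAP bundle): one ClusterRole that only
# delegates auth checks, one that really needs cluster-wide node access, one Role.
SAMPLE_BUNDLE = [
    {"kind": "ClusterRole", "metadata": {"name": "example-auth-delegate"}, "rules": [
        {"apiGroups": ["authentication.k8s.io"], "resources": ["tokenreviews"], "verbs": ["create"]},
        {"apiGroups": ["authorization.k8s.io"], "resources": ["subjectaccessreviews"], "verbs": ["create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "example-node-reader"}, "rules": [
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "example-leader-election", "namespace": "scoped"}, "rules": [
        {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["get", "update"]}]},
]

if __name__ == "__main__":
    print("needs cluster-scoped permissions:", needs_cluster_permissions(SAMPLE_BUNDLE))
    print("replaceable by a system:auth-delegator binding:", replaceable_by_auth_delegator(SAMPLE_BUNDLE))
```

Running it over a real bundle's manifests shows in advance which objects would trigger the "cannot create resource clusterroles at the cluster scope" error quoted above, and which of them only duplicate system:auth-delegator.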

            chadwickferman Chad Ferman
            rhn-support-sreber Simon Reber