Comments (7)
Hi @kirreen,
This is a little clunky and poorly documented at the moment.
Perhaps the best approach would be for the operator to create the required service account and role binding on cluster creation (thoughts @owainlewis?).
Prior to that being implemented you can set a custom namespace when installing via helm using --set operator.namespace=my-namespace. That will install the operator into that namespace, create the service account and role binding in the desired namespace, and allow you to create clusters in that namespace.
Alternatively, you can create the service account and role binding manually for individual namespaces as follows (presumes the mysql operator was installed in global mode):
$ cat <<EOF | kubectl create -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mysql-agent
  namespace: my-namespace
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: mysql-agent
  namespace: my-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: mysql-operator
subjects:
- kind: ServiceAccount
  name: mysql-agent
  namespace: my-namespace
EOF
Thanks, creating the serviceaccount and rolebinding in each new namespace is closer to what I wanted for my use case.
Why does the mysql pod need to be run under the mysql-agent service account?
Also, the mysql-agent service account is given the mysql-operator role, which is very powerful:
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - "*"
This would be unacceptable in any realistic enterprise deployment. Why is this needed?
I think the mysql operator should be able to deploy a mysql cluster in any namespace by default, so the mysql-agent sa (if needed) should be created when the mysql cluster is requested.
Agree wholeheartedly, and it is certainly very high up on the priority list. What we've got currently RBAC/SA-wise is just a first pass at getting something working and certainly needs to be tied down for a production deployment.
The mysql-agent doesn't need the same privileges as the mysql-operator. We'll need to add a separate ClusterRole. We've discussed creating the SA on cluster creation; however, that would require the operator to have a superset of the permissions that the mysql-agent requires, violating the principle of least privilege. I'm not completely sold either way though, as the operator currently does require a superset of the permissions that the agent requires, and from a UX perspective creating the SA is the more attractive option.
@prydie allowing the operator to create SAs is not a good idea. IMHO, the best approach here is for the SAs (for agent and cluster) to be created by the k8s admin and specified in spec.serviceAccount in the MySQLCluster resource. Creating an SA and binding it to a role is a super simple operation, so the UX experience will not be impacted too much by this. At the same time, this approach is very elastic from a security point of view.
@raffaelespazzoli here are my RBAC policies, with separated roles for mysql-agent and mysql-operator:
https://gist.github.com/gites/d7ce470e36a5d43259b6e31f23d46e89
@prydie @gites I think the mysql-operator role should be a ClusterRole so that it can operate on all the namespaces.
With regard to the mysql-agent role, can you make an example of why so many permissions are needed?
The general expectation from the operator pattern is that the created pods will be able to run with the default service account, which means with basically no permissions against the Kubernetes API. After all, these are the mysql pods and ancillary pods; why do they need to access the Kubernetes API?
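The two concerns raised above (the wildcard ClusterRole bound to mysql-agent, and the expectation that operator-managed pods run with the default service account and no API token) can be checked mechanically before a cluster is created. The following script is an added example, not code from the mysql-operator project or from any commenter: it audits role rules in the shape returned by `kubectl get clusterrole <name> -o json`, reports the effective scope of a binding, and tells you whether a pod spec will get an API token mounted. The `EXAMPLE_NARROW_RULES` set is a constructed illustration of a scoped role and is not the permission set the agent actually needs; the wildcard rule and the RoleBinding are the ones quoted in this thread.

```python
"""Audit Kubernetes RBAC rules, binding scope and pod token exposure.

Added example for the mysql-operator RBAC discussion; not project code.
Input objects mirror what `kubectl get ... -o json` returns, embedded here
as constructed data so the script runs offline.
"""
from dataclasses import dataclass

WILDCARD = "*"
# Verbs that change cluster state; dangerous when granted on every resource
# because that includes secrets, roles and rolebindings.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", WILDCARD}

# The rule set quoted in the thread for the mysql-operator ClusterRole.
MYSQL_OPERATOR_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]

# Constructed comparison only: a namespace-scoped, read-mostly rule set.
# It is NOT the set of permissions the mysql-agent requires.
EXAMPLE_NARROW_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "update"]},
]

# The RoleBinding posted earlier in the thread (manifest converted to dict form).
THREAD_ROLEBINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "mysql-agent", "namespace": "my-namespace"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "mysql-operator"},
    "subjects": [{"kind": "ServiceAccount", "name": "mysql-agent",
                  "namespace": "my-namespace"}],
}


@dataclass
class Finding:
    rule_index: int
    key: str
    detail: str


def audit_rules(rules):
    """Return one Finding per wildcard grant, plus one for write verbs on all resources."""
    findings = []
    for i, rule in enumerate(rules):
        for key in ("apiGroups", "resources", "verbs"):
            if WILDCARD in rule.get(key, []):
                findings.append(Finding(i, key, f"{key} contains '*'"))
        if WILDCARD in rule.get("resources", []) and WRITE_VERBS & set(rule.get("verbs", [])):
            findings.append(Finding(i, "verbs",
                                    "write verbs on every resource (secrets, roles, rolebindings included)"))
    return findings


def binding_scope(binding):
    """Where the bound permissions apply.

    A RoleBinding only grants inside its own namespace even when roleRef is a
    ClusterRole (as in the thread's manifest); a ClusterRoleBinding grants
    cluster-wide.
    """
    if binding["kind"] == "ClusterRoleBinding":
        return "cluster"
    return "namespace:" + binding["metadata"]["namespace"]


def token_mounted(pod_spec, service_account=None):
    """True if the pod will get a service account token mounted.

    Kubernetes mounts the token unless the pod spec or the ServiceAccount sets
    automountServiceAccountToken: false; the pod spec setting wins.
    """
    if "automountServiceAccountToken" in pod_spec:
        return bool(pod_spec["automountServiceAccountToken"])
    if service_account and "automountServiceAccountToken" in service_account:
        return bool(service_account["automountServiceAccountToken"])
    return True


def report(rules, binding):
    """Human-readable summary lines for a role + binding pair."""
    lines = [f"scope: {binding_scope(binding)} (roleRef {binding['roleRef']['name']})"]
    for f in audit_rules(rules):
        lines.append(f"rule[{f.rule_index}] {f.key}: {f.detail}")
    return lines or ["no wildcard grants"]


if __name__ == "__main__":
    print("\n".join(report(MYSQL_OPERATOR_RULES, THREAD_ROLEBINDING)))
    # A mysql pod that runs with the default SA and no token, per the comment above.
    print("token mounted:", token_mounted({"automountServiceAccountToken": False}))
```

Run against the thread's manifest it reports four findings for the single wildcard rule and a scope of `namespace:my-namespace`, which makes the trade-off explicit: the RoleBinding does confine the grant to one namespace, but within that namespace the agent can read and write everything, secrets included. The narrow rule set yields no findings, and a pod spec with `automountServiceAccountToken: false` is the shape that satisfies the "no API access" expectation for the MySQL pods themselves.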
Documented here now: https://github.com/oracle/mysql-operator/blob/master/docs/tutorial.md#create-a-simple-mysql-cluster