# spicedb
Hello! I am considering using spicedb-operator for work. However, I have been told by our platform team that the CRD Permissions required by the custom-controller are excessive, making it difficult to install on the company's shared k8s cluster. Are there any good ways or plans to reduce the requested Permissions? (I saw the issue https://github.com/authzed/spicedb-operator/issues/291 but no one has responded yet.)
The operator only asks for permissions over its own custom resources, what is excessive about that? Is the issue that those are cluster scoped rather than namespace scoped? You can see the answer from @ecordell indicating that namespace scoped permissions are not supported right now: https://discord.com/channels/844600078504951838/1208088140573708299/1208090458023002233
Thank you for answering my question! Thanks, I realized the current permission is enough for cluster wide deployment.
> is the issue that those are cluster scoped rather than namespace scoped?
Yes. That is our issue. In our case, I want to deploy multiple SpiceDB clusters into a single namespace without cluster wide permission. Do you have any plan to support namespace scoped permissions?
I don't recall this request coming up frequently enough to be on our radar of priorities. I'd probably defer to @ecordell, our resident operator expert, since he knows better the effort required to support it.
We can definitely look at supporting that if there's enough interest. Feel free to weigh in on the GH issue. Have you considered running a dedicated kube control plane for SpiceDB? This can be useful in the other direction: it keeps workloads on shared kube clusters from affecting your SpiceDB installs, which are typically more critical. RBAC only protects your cluster so much from a poorly-behaved operator, and as mentioned in the thread Victor linked, the UX of single-namespace controllers can be confusing for users, so namespace support has not been high on the list (but we can change that of course).
I 👍 'ed the namespace support. 😄 Would be a great addition for busier/multi-team kube environments!