Hello! I am considering using spicedb-
# spicedba
a_r_g_v
02/20/2024, 8:54 AMHello! I am considering using spicedb-operator for work. However, I have been told by our platform team that the CRD Permissions required by the custom-controller are excessive, making it difficult to install on the company's shared k8s cluster. Are there any good ways or plans to reduce the requested Permissions?
(I saw the issue https://github.com/authzed/spicedb-operator/issues/291 but no one has responded yet.)
v
vroldanbet
02/20/2024, 9:52 AMThe operator only asks for permissions over its own custom resources, what is excessive about that? is the issue that those are cluster scoped rather than namespace scoped?
You can see the answer from @ecordell indicating that namespace scoped permissions are not supported right now:
https://discord.com/channels/844600078504951838/1208088140573708299/1208090458023002233
a
a_r_g_v
02/20/2024, 2:06 PMThank you for answering my question!
Thanks, I realized the current permission is enough for cluster wide deployment.
> is the issue that those are cluster scoped rather than namespace scoped?
Yes. That is the our issue. In our case, I want to deploy multiple SpiceDB cluster into single namespace without cluster wide permission. Do you have any plan to support namespace scoped permissions?
v
vroldanbet
02/20/2024, 3:30 PMI don't recall this request coming up frequently enough to be in our radar of priorities. I'd probably defer to @ecordell our resident operator expert, since he knows better the effort required to support it
e
ecordell
02/20/2024, 3:37 PMWe can definitely look at supporting that if there's enough interest. Feel free to weigh in on the GH issue. Have you considered running a dedicated kube control plane for SpiceDB? This can be useful in the other direction: it keeps workloads on shared kube clusters from affecting your SpiceDB installs, which are typically more critical.
RBAC only protects your cluster so much from a poorly-behaved operator, and as mentioned in the thread victor linked, the UX of single-namespace controllers can be confusing for users, so namespace support has not been high on the list (but we can change that of course)
r
rektide
02/20/2024, 10:35 PMI 👍 'ed the namespace support. 😄 Would be a great addition for busier/multi-team kube environments!
3 Views