Create the RBAC is properly configured for service-provider-ocm #872

@Skarlso

Description

The existing implementation doesn't deal with any kind of access for certain resources. It uses an ADMIN RBAC to access cluster objects:

	// TODO: define minimum set of permission required to run the init and run part of your service provider
	adminPermissions := []clustersv1alpha1.PermissionsRequest{
		{
			Rules: []rbacv1.PolicyRule{
				{
					APIGroups: []string{"*"},
					Resources: []string{"*"},
					Verbs:     []string{"*"},
				},
			},
		},
	}

This is suboptimal and is something we need to rethink. That said, because of how we deploy things we might need admin access to the cluster, since we have no idea what type of objects the controller needs to watch or needs access to because of the dynamic nature of our deployments.

If so, it has to be VERY WELL DOCUMENTED that we need that type of access, or potentially, if people don't use that feature of ours, it needs to be configurable to some extent.

Done Criteria

  • RBAC access is refined or documented in the repository
  • If we decide that it should be optional, we need a way to configure it during deployment
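
One way to enforce the done criteria in a unit test or CI step, as an added example (not part of the issue or the project's code): audit the requested rules for wildcards and only accept them behind an explicit opt-in. `PolicyRule` is a local stand-in for `rbacv1.PolicyRule`; `AuditRules`, the `allowAdmin` switch, and the `example.invalid`/`widgets` names are hypothetical.

```go
package main

import "fmt"

// PolicyRule is a local stand-in for rbacv1.PolicyRule (same three fields as
// the snippet in the issue) so the example builds without Kubernetes modules.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

func hasWildcard(values []string) bool {
	for _, v := range values {
		if v == "*" {
			return true
		}
	}
	return false
}

// AuditRules returns one finding per rule that contains a wildcard. allowAdmin
// is a hypothetical deployment-time opt-in: when set, wildcards are accepted.
func AuditRules(rules []PolicyRule, allowAdmin bool) []string {
	if allowAdmin {
		return nil
	}
	var findings []string
	for i, r := range rules {
		g, res, v := hasWildcard(r.APIGroups), hasWildcard(r.Resources), hasWildcard(r.Verbs)
		switch {
		case g && res && v:
			findings = append(findings, fmt.Sprintf("rule %d: wildcard apiGroups, resources and verbs (cluster-admin equivalent)", i))
		case g || res || v:
			findings = append(findings, fmt.Sprintf("rule %d: partial wildcard (apiGroups=%t resources=%t verbs=%t)", i, g, res, v))
		}
	}
	return findings
}

func main() {
	admin := []PolicyRule{{APIGroups: []string{"*"}, Resources: []string{"*"}, Verbs: []string{"*"}}}
	// Constructed sample: group and resource names are placeholders, not the provider's real needs.
	scoped := []PolicyRule{{APIGroups: []string{"example.invalid"}, Resources: []string{"widgets"}, Verbs: []string{"get", "list", "watch"}}}
	fmt.Println(AuditRules(admin, false))  // one finding: cluster-admin equivalent
	fmt.Println(AuditRules(scoped, false)) // no findings
	fmt.Println(AuditRules(admin, true))   // opt-in set: no findings
}
```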

Metadata

Assignees: No one assigned

Labels: area/ipcei (Important Project of Common European Interest), kind/task (small task, normally part of feature or epic)

Status: 🆕 ToDo