Replace ClusterRole with Role only for posthog namespace #632
👋 @SuperTux88 and thank you for your contribution! We currently vendor everything in |
d36a778 to 3d69ee7
Thanks for your comment, I didn't know about this script. I also updated the script now to use |
3d69ee7 to f4cb70b
This replaces the `ClusterRole` with a `Role` only for posthog namespace. If the clickhouse-operator is only deployed into a single namespace, it only needs access to this namespace and not the whole cluster.
f4cb70b to 5934470
@@ -18,13 +18,13 @@ TMP_FOLDER="$(mktemp -d)" | |||
trap 'rm -rf -- "$TMP_FOLDER"' EXIT | |||
|
|||
CLICKHOUSE_OPERATOR_TAG="0.18.4" | |||
URL="https://raw.githubusercontent.com/Altinity/clickhouse-operator/${CLICKHOUSE_OPERATOR_TAG}/deploy/operator/clickhouse-operator-install-template.yaml" | |||
REPO_URL="https://github.com/Altinity/clickhouse-operator.git" |
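Review bot: The only version pin visible next to REPO_URL is CLICKHOUSE_OPERATOR_TAG="0.18.4", and a Git tag can be re-pointed upstream, so a clone checked out by tag could vendor different operator manifests without this script changing. Consider recording the expected commit SHA beside the tag and comparing it after checkout, failing the script on a mismatch. Also, if URL is no longer read once the repository is cloned, remove it so the script has a single source for the templates.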
Why is this needed?
Because running `cat-clickhouse-operator-install-yaml.sh` requires multiple template files, so instead of downloading all of them separately, it's easier to just clone the repo and have everything that is required there.
Description
According to Altinity/clickhouse-operator#994 (comment) it isn't required to give clickhouse-operator permissions for the whole cluster if the clickhouse-operator is only deployed into a single namespace, which is the case for PostHog. So it's better for security reasons to only give the permissions which are required and not just to everything.
Type of change
How has this been tested?
Unit tests and installation in our cluster.
Checklist
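
A check one could run over the rendered manifests to confirm the scoping described above, as an added example that is not part of the PR or the chart. The object names and both sample document sets are constructed, and the input is assumed to be manifest documents already parsed into dicts.

```python
# Added example: flag RBAC objects that grant access beyond one namespace.
# Input is a list of already-parsed manifest documents (dicts).
CLUSTER_KINDS = {"ClusterRole", "ClusterRoleBinding"}
NAMESPACED_KINDS = {"Role", "RoleBinding"}


def audit_rbac(docs, namespace):
    """Return findings for RBAC objects that reach beyond `namespace`."""
    findings = []
    for doc in docs:
        kind = doc.get("kind")
        meta = doc.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        if kind in CLUSTER_KINDS:
            findings.append(f"{kind}/{name}: cluster-scoped")
            continue
        if kind not in NAMESPACED_KINDS:
            continue
        if meta.get("namespace") != namespace:
            findings.append(f"{kind}/{name}: outside namespace {namespace}")
        if kind == "RoleBinding":
            # A RoleBinding can point at a ClusterRole: the grant stays inside
            # the binding's namespace, but the ClusterRole object remains.
            if doc.get("roleRef", {}).get("kind") == "ClusterRole":
                findings.append(f"{kind}/{name}: roleRef is a ClusterRole")
            for subj in doc.get("subjects", []):
                if subj.get("kind") == "ServiceAccount" and subj.get("namespace") != namespace:
                    findings.append(f"{kind}/{name}: subject from another namespace")
    return findings


def rbac_pair(role_kind, binding_kind, ns=None):
    """Build a constructed role + binding pair (names are assumptions)."""
    meta = {"name": "clickhouse-operator", **({"namespace": ns} if ns else {})}
    subject = {"kind": "ServiceAccount", "name": "clickhouse-operator", "namespace": "posthog"}
    return [
        {"kind": role_kind, "metadata": dict(meta)},
        {"kind": binding_kind, "metadata": dict(meta),
         "roleRef": {"kind": role_kind, "name": "clickhouse-operator"},
         "subjects": [subject]},
    ]


BEFORE = rbac_pair("ClusterRole", "ClusterRoleBinding")   # constructed sample
AFTER = rbac_pair("Role", "RoleBinding", ns="posthog")    # constructed sample

if __name__ == "__main__":
    print(audit_rbac(BEFORE, "posthog"))
    print(audit_rbac(AFTER, "posthog"))
```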