Deploying resources from other namespaces #528
Replies: 1 comment
-
Hi @ThomasRasmussen. I fear this will not be possible without custom implementation. The design of the CRDs is so that users/roles must be in the same namespace as the cluster spec because it assumes the team with permissions in that namespace is responsible for all parts of an OpenSearch cluster. A shared responsibility model was never part of the design. You could try to implement some sort of replication controller where you let teams create user/role custom resources in their namespaces and then replicate them into the cluster namespace (with some filter/limit logic in place) so the operator can pick them up. For debugging you should also replicate status and event updates back so the teams can see what is going on. And limit the operator to only watch the namespaces with clusters, not with users/roles, to avoid it getting confused.
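The filter/limit step of the replication idea in the reply above could look like the following deny-by-default check. It is an added example, not part of the discussion or the operator's code. The namespace, cluster name, tenant table, label key and the `replicate` function are assumptions, and the spec field names are assumed from the operator's CRDs.

```python
# Added example: deny-by-default filter for a hypothetical replication controller.
# Spec field names are assumed from the operator's CRDs; verify against your version.
import copy

CLUSTER_NS = "opensearch"            # assumed namespace of the managed cluster
CLUSTER_NAME = "managed"             # assumed name of the cluster resource
TENANTS = {"team-a": "team-a-"}      # constructed: tenant namespace -> name prefix
ORIGIN_LABEL = "replicator.example/origin-namespace"   # hypothetical label key
ALLOWED_SPEC = {                     # any other spec field is rejected
    "OpensearchRole": {"opensearchCluster", "indexPermissions"},
    "OpensearchUser": {"opensearchCluster", "passwordFrom", "backendRoles",
                       "opendistroSecurityRoles"},
}

class Rejected(Exception):
    """The tenant resource must not be copied into the cluster namespace."""

def _require_prefixed(values, prefix, what):
    for v in values or []:
        if not isinstance(v, str) or not v.startswith(prefix):
            raise Rejected(f"{what} {v!r} is outside prefix {prefix!r}")

def replicate(obj):
    """Return the object to create in CLUSTER_NS, or raise Rejected."""
    meta, spec = obj.get("metadata") or {}, obj.get("spec") or {}
    ns, kind = meta.get("namespace"), obj.get("kind")
    prefix = TENANTS.get(ns)
    if prefix is None:
        raise Rejected(f"namespace {ns!r} is not an onboarded tenant")
    if kind not in ALLOWED_SPEC:
        raise Rejected(f"kind {kind!r} is not replicated")
    extra = sorted(set(spec) - ALLOWED_SPEC[kind])
    if extra:   # e.g. clusterPermissions on a role
        raise Rejected(f"spec fields not allowed for tenants: {extra}")
    for perm in spec.get("indexPermissions") or []:
        _require_prefixed(perm.get("indexPatterns"), prefix, "index pattern")
    _require_prefixed(spec.get("backendRoles"), prefix, "backend role")
    _require_prefixed(spec.get("opendistroSecurityRoles"), prefix, "security role")
    return {
        "apiVersion": obj.get("apiVersion"), "kind": kind,
        "metadata": {
            "name": prefix + meta["name"],     # no cross-tenant name clashes
            "namespace": CLUSTER_NS,
            "labels": {ORIGIN_LABEL: ns},      # lets status and events be copied back
        },
        # The cluster reference is always set by the replicator, never by the tenant.
        "spec": {**copy.deepcopy(spec), "opensearchCluster": {"name": CLUSTER_NAME}},
    }
```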
-
Hi
We are setting up a managed OpenSearch cluster and are using the Operator for this. We have deployed the operator and the cluster itself in a dedicated namespace, and this is working fine. However, we would like to enable the users of the OpenSearch cluster to deploy i.e. OpenSearchUser and OpenSearchRoles from their own namespace. I was hoping that the watchNamespaces option would enable this, but it assumes that there is a cluster available in the same namespace.
Our motivation is that we are responsible for the actual cluster (monitoring, alerting on nodes, upgrades, etc.), but the customer would like to have access to deploy users etc.
In our Kubernetes cluster, access to namespaces is limited, so the customer does not have write access to the namespace where the OpenSearch cluster is running.
Any thoughts on how to solve this problem without too much custom hacking needed?