Minimum access needed to deploy the RMQ cluster operator to Openshift

[pivotal-robert-mcmillion2]

There are users who deploy the RMQ cluster operator to Openshift. Under regular k8s environments, users would have cluster-admin access. However, Openshift has unique security features and some operators may not want to give cluster-admin access to developers.

Users would like to know: What is the minimum access needed in Openshift to deploy the RMQ cluster operator?

Second part to the question: Is there a way to separate the resources that need cluster-wide access from the resources that need only namespace access.

Can we answer these questions in the documentation.

[Zerpet]

Users would like to know: What is the minimum access needed in Openshift to deploy the RMQ cluster operator?

The manifest used to deploy the Operator requires permissions to create/update the following objects:

• Namespace (cluster-scope)
• Custom Resource Definition (cluster-scope)
• Service Account (namespaced)
• Role (namespaced)
• Role Binding (namespaced)
• Cluster Role (cluster-scope)
• Cluster Role Binding (cluster-scope)
• Deployment (namespaced)

Objects that are namespaced are deployed inside rabbitmq-system namespace.

Second part to the question: Is there a way to separate the resources that need cluster-wide access from the resources that need only namespace access.

How would you "separate" those resources? By splitting them into different files? What would be the purpose of this?

Can we answer these questions in the documentation.

I haven't seen this sort of information in other operators (e.g. jaeger operator). Since you are installing a new "service" to the cluster, it is a given that you will have access to a privileged user (not necessarily the almighty admin user).

[Zerpet]

I will convert this issue to a GitHub discussion. Currently GitHub will automatically close and lock the issue even though your question will be transferred and responded to elsewhere. This is to let you know that we do not intend to ignore this but this is how the current GitHub conversion mechanism makes it seem for the users :(