charts: add aggregate cluster roles #150
base: master
Signed-off-by: t3mi <t3mi@users.noreply.github.com>
Signed-off-by: t3mi <t3mi@users.noreply.github.com>
Pull request overview
This PR enhances the Atlas Operator Helm chart by adding RBAC aggregation support and deployment configuration options. The changes introduce the ability to aggregate custom cluster roles to standard Kubernetes RBAC roles (view, edit, admin) and provide additional deployment customization options.
Key changes:
- Added optional RBAC aggregation to integrate Atlas operator permissions with standard Kubernetes roles
- Added `revisionHistoryLimit` and `priorityClassName` configuration options for the deployment
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| charts/atlas-operator/values.yaml | Adds configuration flags for RBAC aggregation and new deployment settings |
| charts/atlas-operator/templates/rbac.yaml | Introduces cluster roles that aggregate to Kubernetes standard roles when enabled |
| charts/atlas-operator/templates/deployment.yaml | Applies the new revisionHistoryLimit and priorityClassName settings to the deployment |
| {{- include "atlas-operator.labels" . | nindent 4 }} | ||
| rules: | ||
| - apiGroups: ["db.atlasgo.io"] | ||
| resources: ["atlasmigrations", "atlasschemas"] |
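Review bot: the `resources` line grants access to whole `atlasmigrations` and `atlasschemas` objects, and per the PR overview this rule is aggregated into the built-in view role, which deliberately leaves out Secrets. If the spec of either resource can hold a database URL or password inline rather than through a Secret reference, every subject bound to view would be able to read it. Worth confirming that before merging, and noting the exposure next to the aggregation flag in values.yaml.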
Copilot
AI
Dec 23, 2025
The view role should also include permission to view resource status. Consider adding 'atlasmigrations/status' and 'atlasschemas/status' as separate resource entries to allow users with view permissions to see the operational status of these resources.
| resources: ["atlasmigrations", "atlasschemas"] | |
| resources: ["atlasmigrations", "atlasschemas", "atlasmigrations/status", "atlasschemas/status"] |
| rules: | ||
| - apiGroups: ["db.atlasgo.io"] | ||
| resources: ["atlasmigrations", "atlasschemas"] | ||
| verbs: ["create", "delete", "patch", "update"] |
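Review bot: on the `verbs` line, `create`, `patch` and `update` on `atlasmigrations` and `atlasschemas` reach every subject bound to the built-in edit role once this rule is aggregated, so anyone with namespace edit can create or change the objects the operator reconciles. Suggest stating that in the values.yaml comment for the aggregation flag and keeping the flag opt-in.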
Copilot
AI
Dec 23, 2025
The edit role is missing 'get', 'list', and 'watch' verbs. Users with edit permissions typically need read access to the resources they're editing. This omission means edit role users would need to be granted the view role separately to see resources before modifying them.
| verbs: ["create", "delete", "patch", "update"] | |
| verbs: ["get", "list", "watch", "create", "delete", "patch", "update"] |