[Story] Look into admission webhook as alternative to ClusterCryostat #583
Labels
breaking change
This change (potentially) breaks API compatibility and requires corresponding changes elsewhere
feat
New feature or request
It would be nice for Cryostat 3.0 if we could combine the Cryostat and ClusterCryostat APIs. One possibility is keeping the namespaced Cryostat CRD and using a validating admission webhook:
https://sdk.operatorframework.io/docs/building-operators/golang/webhook/#1-validating-admission-webhook
We could add a targetNamespaces field to the Cryostat instance. If possible, the webhook would use the user info from the AdmissionRequest to do an authorization check against the target namespaces (e.g. can user X create a Cryostat in namespaces Y, Z).
There would still be potential for role binding name conflicts to account for as we already deal with between the ClusterCryostat and Cryostat APIs.
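A sketch of the authorization check proposed above, added here as an illustration and not taken from the issue or from the Cryostat operator's code. It assumes the proposed field lives at `spec.targetNamespaces`; `AccessChecker` is a hypothetical stand-in for a SubjectAccessReview call, and the sample request is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of an admission.k8s.io/v1 AdmissionReview that this check reads.
type admissionReview struct {
	Request struct {
		UserInfo struct {
			Username string   `json:"username"`
			Groups   []string `json:"groups"`
		} `json:"userInfo"`
		Object struct {
			Spec struct {
				TargetNamespaces []string `json:"targetNamespaces"` // assumed field location
			} `json:"spec"`
		} `json:"object"`
	} `json:"request"`
}

// AccessChecker is a hypothetical stand-in for a SubjectAccessReview on "create cryostats".
type AccessChecker func(user string, groups []string, namespace string) bool

// Validate returns (allowed, message); a bad body or any denied namespace rejects.
func Validate(body []byte, can AccessChecker) (bool, string) {
	var ar admissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return false, "cannot decode AdmissionReview: " + err.Error()
	}
	u := ar.Request.UserInfo
	var denied []string
	for _, ns := range ar.Request.Object.Spec.TargetNamespaces {
		if !can(u.Username, u.Groups, ns) {
			denied = append(denied, ns)
		}
	}
	if len(denied) > 0 {
		return false, fmt.Sprintf("user %q may not create Cryostat in %v", u.Username, denied)
	}
	return true, ""
}

// Constructed sample request, not captured from a real cluster.
const sample = `{"request":{"userInfo":{"username":"alice","groups":["dev"]},"object":{"spec":{"targetNamespaces":["team-a","team-b"]}}}}`

func main() {
	fmt.Println(Validate([]byte(sample), func(_ string, _ []string, ns string) bool { return ns == "team-a" }))
}
```

The check is made against the requesting user's identity rather than the webhook's own service account, so a user cannot reach namespaces through the operator that they could not reach directly.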