Is it possible to run flux diff with something less than full permissions? #5212
-
|
Looks like flux diff wants to patch resources as it's doing it's job - not so much "dry-run read only"! Has anyone thought of the minimal RBAC set to get a flux diff to run? Is such a thing even possible? |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments
-
|
Kubernetes RBAC does not have support for a dry-run verb, while the operation is read-only you still need write permission. |
Beta Was this translation helpful? Give feedback.
-
|
I’m not super excited about giving limitless get/patch to my ci cd
pipeline, so what else are people doing to actually deliver a useful pull
request readout?
Also btw what would a “dry-run” verb do anyways? You can… dry run a pod,
which then results in …?? I’m confused.
…On Mon, Feb 24, 2025 at 10:16 PM Stefan Prodan ***@***.***> wrote:
Kubernetes RBAC does not have support for a dry-run verb, while the
operation is read-only you still need write permission.
—
Reply to this email directly, view it on GitHub
<#5212 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAMX6DPA75VKCSUTHNP6A32RQDDPAVCNFSM6AAAAABXZPBFR6VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTEMZQHA4TAMI>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
|
The
A dry-run verb if that would exist, would be identical to read but given these issues in Kubernetes are from 2020, I don't think RBAC will ever change. |
Beta Was this translation helpful? Give feedback.
The
flux diffcommand requires the same permissions askubectl diff --dry-run=server, see the upstream issues about this:A dry-run verb if that would exist, would be identical to read but given these issues in Kubernetes are from 2020, I don't think RBAC will ever change.