Description
When deploying FlowFuse into a shared Kubernetes cluster, the helm chart currently requires cluster-wide RBAC permissions. Customers running shared clusters need the ability to scope FlowFuse's permissions to a single namespace.
Customer context:
- Deploying into a shared internal cluster, not a dedicated FlowFuse cluster
- Need least-privilege RBAC — FlowFuse should only have write access to its own namespace
- Current RBAC footprint is too broad for their security requirements
Ask:
- Document (or implement) how to configure FlowFuse helm chart for namespace-scoped RBAC
- Clarify which permissions are actually required and whether a Role/RoleBinding can replace ClusterRole/ClusterRoleBinding
Expected outcome:
Customer can deploy FlowFuse in a shared cluster without granting cluster-wide permissions.
Description
When deploying FlowFuse into a shared Kubernetes cluster, the helm chart currently requires cluster-wide RBAC permissions. Customers running shared clusters need the ability to scope FlowFuse's permissions to a single namespace.
Customer context:
Ask:
Expected outcome:
Customer can deploy FlowFuse in a shared cluster without granting cluster-wide permissions.