Skip to content

feat: Move to Role from ClusterRole#913

Open
hardillb wants to merge 4 commits into
mainfrom
remove-cluster-rollbinding
Open

feat: Move to Role from ClusterRole#913
hardillb wants to merge 4 commits into
mainfrom
remove-cluster-rollbinding

Conversation

@hardillb
Copy link
Copy Markdown
Contributor

@hardillb hardillb commented May 22, 2026

fixes FlowFuse/flowfuse#7235

Description

This reduces the scope of the permissions granted to the Forge app to just the ProjectNamespace

Related Issue(s)

FlowFuse/flowfuse#7235

Checklist

  • I have read the contribution guidelines
  • Suitable unit/system level tests have been added and they pass
  • Documentation has been updated
    • Upgrade instructions
    • Configuration details
    • Concepts
  • Changes flowforge.yml?
    • Issue/PR raised on FlowFuse/helm to update ConfigMap Template
    • Issue/PR raised on FlowFuse/CloudProject to update values for Staging/Production
  • Link to Changelog Entry PR, or note why one is not needed.

Labels

  • Includes a DB migration? -> add the area:migration label

@hardillb
Move to Role from ClusterRole
87679f1 
fixes FlowFuse/flowfuse#7235

This reduces the scope of the permissions granted to the Forge
app to just the ProjectNamespace
@hardillb hardillb requested a review from ppawlowski May 22, 2026 10:04
@hardillb hardillb self-assigned this May 22, 2026
@hardillb hardillb changed the title Move to Role from ClusterRole Feat: Move to Role from ClusterRole May 22, 2026
@hardillb hardillb changed the title Feat: Move to Role from ClusterRole feat: Move to Role from ClusterRole May 22, 2026
@hardillb
Copy link
Copy Markdown
Contributor Author

hardillb commented May 22, 2026

I need to double check test this, but I'm 95% sure it's all good.

@hardillb hardillb marked this pull request as ready for review May 27, 2026 08:32
ppawlowski
ppawlowski requested changes May 27, 2026
View reviewed changes
Comment thread helm/flowfuse/templates/service-account.yaml Outdated
Comment thread helm/flowfuse/templates/service-account.yaml
@@ -72,6 +72,6 @@ subjects:
name: flowforge
namespace: {{ .Release.Namespace }}
roleRef:
Copy link
Copy Markdown
Contributor

@ppawlowski ppawlowski May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Upgrading helm release with a custom clusterRole.name defined causes upgrade failure, see https://github.com/FlowFuse/flowfuse/actions/runs/26503988570/job/78052046575#step:15:41

Comment thread helm/flowfuse/templates/service-account.yaml Outdated
Comment thread helm/flowfuse/templates/service-account.yaml
kind: ClusterRole
kind: Role
metadata:
name: {{ ((.Values.forge).clusterRole).name | default "create-pod" }}
Copy link
Copy Markdown
Contributor

@ppawlowski ppawlowski May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will still use forge.clusterRole to define the Role name. Changing this will introduce a braking change. I think we should at least mention in the Readme that this will affect Role resource creation, not ClusterRole.

hardillb
hardillb commented May 27, 2026
View reviewed changes
Comment thread helm/flowfuse/templates/service-account.yaml Outdated
@hardillb @ppawlowski
Apply suggestions from code review
67cdbbe 
Co-authored-by: Piotr Pawlowski <ppawlowski@users.noreply.github.com>
Co-authored-by: Ben Hardill <b.hardill@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ppawlowski ppawlowski ppawlowski requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@hardillb hardillb

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support namespace-scoped RBAC for shared cluster deployments

2 participants

@hardillb @ppawlowski