plexsystems / sandbox-operator Goto Github PK

Hi John,

We spoke about this in chat already, so I won't bother framing this too much. We basically need this result:

• users listed as owners of a Sandbox should be able to edit/delete those specific objects
• users NOT listed as owners should NOT be able to edit/delete those specific objects

Looks like the sandbox-*-deleter cluster role is set up to do a similar sort of thing that we need, only it is limited to the "delete" verb. We're looking for the "patch" verb for the exact same object. The sandbox-*-owner role is namespaced, however, so we can't add it there.

Ideally, the deleter role would be admin allowing multiple verbs like "patch" and "delete". However, renaming child object patterns can get sticky with in-place upgrades, so a workaround could be to just add the "patch" verb to the existing deleter cluster role.

What do you think, John?

Noticed recently that sandbox users cannot create secrets in their Sandbox namespace, which may promote non-ideal configuration of not leveraging secrets in a deployment. Although I'm not sure how to reconcile that permission along with anyone using custom pullsecrets that are copied to a namespace, with the presumption that you may not want those credentials given to the sandbox user directly.