How to utilize the Operator with less permissive Cluster Roles - cniackz/public GitHub Wiki

Objective:

To offer an alternative to our current Operator in order to operate with less permissive Cluster Roles.

Reasons:

  • When you find the MinIO Operator's Cluster Roles to be overly permissive or too open for your environment.

Possible Solution 1:

  1. Generate the Operator file:

kustomize build github.com/minio/operator/resources/\?ref\=v5.0.9 > operator.yaml

  2. Remove the console-sa-role Cluster Role from it.

  3. Remove the console-sa-binding Cluster Role Binding from it.

  4. Install the Operator:

k apply -f operator.yaml # without the console-sa Cluster Role and its binding

  5. Install the Tenant:

kustomize build github.com/minio/operator/examples/kustomization/tenant-lite\?ref\=v5.0.9 > tenant.yaml
k apply -f tenant.yaml

  6. Test and access the Tenant:

root@ubuntu:/# mc alias set myminio https://minio.tenant-lite.svc.cluster.local:443 minio minio123
Added `myminio` successfully.
root@ubuntu:/# mc mb myminio/cesar 
Bucket created successfully `myminio/cesar`.
root@ubuntu:/# mc admin info myminio
●  myminio-pool-0-0.myminio-hl.tenant-lite.svc.cluster.local:9000
   Uptime: 3 minutes 
   Version: 2023-09-04T19:57:37Z
   Network: 4/4 OK 
   Drives: 2/2 OK 
   Pool: 1

●  myminio-pool-0-1.myminio-hl.tenant-lite.svc.cluster.local:9000
   Uptime: 3 minutes 
   Version: 2023-09-04T19:57:37Z
   Network: 4/4 OK 
   Drives: 2/2 OK 
   Pool: 1

●  myminio-pool-0-2.myminio-hl.tenant-lite.svc.cluster.local:9000
   Uptime: 3 minutes 
   Version: 2023-09-04T19:57:37Z
   Network: 4/4 OK 
   Drives: 2/2 OK 
   Pool: 1

●  myminio-pool-0-3.myminio-hl.tenant-lite.svc.cluster.local:9000
   Uptime: 3 minutes 
   Version: 2023-09-04T19:57:37Z
   Network: 4/4 OK 
   Drives: 2/2 OK 
   Pool: 1

Pools:
   1st, Erasure sets: 1, Drives per erasure set: 8

8 drives online, 0 drives offline

Notice that the JWT token is now limited to the Operator's Cluster Role, so in the UI you will no longer be able to create a namespace or delete a volume.
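
One way to carry out steps 2 and 3 without hand-editing operator.yaml, as an added example that is not the wiki's or the MinIO project's code: filter the kustomize output by kind and metadata.name, then confirm that no surviving binding still points at a role you removed (forgetting step 3 would leave console-sa-binding dangling). The manifest embedded below is a constructed, much shortened stand-in for the real output, and the regexes assume kustomize's 2-space indentation.

```python
# Added example, not the wiki's or the MinIO project's code: apply steps 2 and 3
# to a kustomize-rendered manifest and check for dangling bindings afterwards.
# Assumes kustomize's 2-space indentation; SAMPLE below is constructed.
import re
REMOVE = {("ClusterRole", "console-sa-role"), ("ClusterRoleBinding", "console-sa-binding")}
DOC_SEP = re.compile(r"^---[ \t]*$", re.M)  # YAML document separator lines

def identify(doc):
    """(kind, metadata.name); only a 'name:' indented two spaces under a top-level
    'metadata:' counts, so names inside roleRef/subjects are ignored."""
    kind = re.search(r"^kind:\s*(\S+)", doc, re.M)
    meta = re.search(r"^metadata:\n((?:  .*\n?)+)", doc, re.M)
    name = meta and re.search(r"^  name:\s*(\S+)", meta.group(1), re.M)
    return (kind and kind.group(1), name and name.group(1))

def strip_rbac(manifest, remove=REMOVE):
    """Return (filtered manifest, list of removed (kind, name) pairs)."""
    kept, removed = [], []
    for doc in filter(str.strip, DOC_SEP.split(manifest)):
        ident = identify(doc)
        if ident in remove:
            removed.append(ident)
        else:
            kept.append(doc.strip("\n") + "\n")
    return "---\n".join(kept), removed

def dangling_bindings(manifest, removed):
    """Names of bindings whose roleRef points at a role that was removed."""
    gone = {n for k, n in removed if k.endswith("Role")}
    hits = []
    for doc in filter(str.strip, DOC_SEP.split(manifest)):
        kind, name = identify(doc)
        ref = re.search(r"^roleRef:\n(?:  .*\n)*?  name:\s*(\S+)", doc, re.M)
        if kind and kind.endswith("Binding") and ref and ref.group(1) in gone:
            hits.append(name)
    return hits

SAMPLE = """\
---
kind: ClusterRole
metadata:
  name: minio-operator-role
---
kind: ClusterRole
metadata:
  labels: {app: console}
  name: console-sa-role
---
kind: ClusterRoleBinding
metadata:
  name: console-sa-binding
roleRef:
  kind: ClusterRole
  name: console-sa-role
subjects:
- {kind: ServiceAccount, name: console-sa, namespace: minio-operator}
"""
```

Run it against the real operator.yaml by reading the file into `strip_rbac` and writing the first return value back out; an empty list from `dangling_bindings` means every remaining binding still has its role.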

Possible Solution 2:

  • You can consider using a Role instead of a Cluster Role to deploy the Operator and Tenant within the same namespace. While this is not recommended, it is a possibility if you need to restrict everything to a single namespace. This approach is worth trying before giving up on the Operator, because MinIO support is primarily designed around the Operator. If you opt not to use the Operator, you will have to manage MinIO on your own.

Conclusion:

Before abandoning the use of the Operator, please consider modifying RBAC accordingly to meet your expectations. However, if MinIO needs to run in Kubernetes, it's advisable to use the Operator.