The elastic-operator ClusterRole, which is deployed and granted when installing with the "all-in-one.yaml" method, gives a lot of permissions on the cluster. So much even, you may as well be running the operator as cluster-admin.
Is there a supported deployment method which allows the operator to run so that it can only watch / manage objects in specific namespaces?
Can we also go without permissions to manage admission configurations? (i.e. disable the webhook?) I do not feel comfortable sending all my secrets to the operator for inspection, and it makes the uninstalls more complex...
Can we also go without permissions to manage admission configurations? (i.e. disable the webhook?)
Yes, that is also possible; you will have to change the --roles argument of the operator from all to global,namespace. You can then reduce the RBAC permissions you give to the elastic-operator service account.
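As an added illustration (not from this thread or from the ECK project), a small audit script for the three concerns raised above: wildcard rules that amount to cluster-admin, cluster-wide access to secrets, and rights to manage admission webhook configurations. The rules below are a constructed sample, not the real ClusterRole from all-in-one.yaml.

```python
"""Audit Kubernetes RBAC rules for over-broad grants and derive a reduced set
that drops admission-webhook management."""

# Constructed sample rules; NOT the real elastic-operator ClusterRole.
SAMPLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "services", "secrets"],
     "verbs": ["get", "list", "watch", "create", "update", "delete"]},
    {"apiGroups": ["elasticsearch.k8s.elastic.co"],
     "resources": ["elasticsearches"], "verbs": ["*"]},
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["validatingwebhookconfigurations"],
     "verbs": ["get", "create", "update", "delete"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
WEBHOOK_GROUP = "admissionregistration.k8s.io"


def audit_rules(rules, cluster_scoped=True):
    """Return (rule_index, finding) pairs for rules a reviewer should question.
    cluster_scoped=True means the rules live in a ClusterRole, so any
    namespaced resource they name is reachable in every namespace."""
    findings = []
    for i, rule in enumerate(rules):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups and "*" in resources and "*" in verbs:
            findings.append((i, "wildcard groups, resources and verbs: cluster-admin equivalent"))
            continue
        if "*" in resources or "*" in verbs:
            findings.append((i, "wildcard resources or verbs; enumerate what is needed"))
        if "" in groups and "secrets" in resources:
            scope = "every namespace" if cluster_scoped else "its namespace"
            findings.append((i, f"secret access in {scope}"))
        if WEBHOOK_GROUP in groups and verbs & WRITE_VERBS:
            findings.append((i, "can create or alter admission webhook configurations"))
    return findings


def without_webhook_rules(rules):
    """Drop every rule touching admission webhook configurations."""
    return [r for r in rules if WEBHOOK_GROUP not in r.get("apiGroups", [])]


if __name__ == "__main__":
    for idx, msg in audit_rules(SAMPLE_RULES):
        print(f"rule {idx}: {msg}")
    print(len(without_webhook_rules(SAMPLE_RULES)), "rules remain without webhook access")
```

To check the real object, pass in the `rules` array from `kubectl get clusterrole elastic-operator -o json`; a rule set moved into a namespaced Role should be audited with `cluster_scoped=False`.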