Posted to dev@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/02/22 16:27:16 UTC

[GitHub] [pulsar-helm-chart] bsheltonihs commented on a change in pull request #236: To address the function role vs clusterrole issue

bsheltonihs commented on a change in pull request #236:
URL: https://github.com/apache/pulsar-helm-chart/pull/236#discussion_r812129671



##########
File path: charts/pulsar/values.yaml
##########
@@ -777,6 +777,8 @@ broker:
 functions:
   component: functions-worker
 
+  limit_to_namespace: false
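
Review bot: the added `limit_to_namespace: false` under `functions:` has no comment in values.yaml saying what it controls. Suggest a short comment above the key stating that `true` makes the functions component use a namespaced `role` and `rolebinding`, while `false` keeps the `clusterrole` and `clusterrolebinding`, so that operators can tell which setting needs permissions beyond the release namespace.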

Review comment:
       I would look to those who are experienced committers to determine if there should be some guidance/documentation on this. I have no issues providing that info and use cases if you want. 
   
   By setting the default `limit_to_namespace` to be `false`, it shouldn't impact the current deployments/use cases: those who have the access/ability to create `clusterrole` and `clusterrolebinding` would still be able to. By setting `limit_to_namespace` to be `true`, it provides the ability to deploy it within a namespace by using `role` and `rolebinding`.
   
   One use case for the latter is if you have to restrict tenants to a single namespace and thus can't allow access to use `clusterrole` or `clusterrolebinding`. Allowing `clusterrole` or `clusterrolebinding` requires an elevated level of permissions that reaches beyond just a given namespace. 
   
   By making this change, it allows for the use/deployment of functions within a namespace, just like what was done for the broker within the file `broker-cluster-role-binding.yaml`.




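A check an operator could run over rendered chart output to confirm the behaviour the review comment describes: with the namespace-limited setting, no RBAC object should reach beyond the tenant's namespace. This is an added example, not part of the original message or of the chart's code. `sample()` is a constructed stand-in for rendered output, the object names, rules and `tenant-a` are placeholders, and the regex parsing assumes two-space indentation.

```python
import re
# Assumption: manifests are multi-document YAML with two-space indentation.
RBAC_KINDS = {"Role", "RoleBinding", "ClusterRole", "ClusterRoleBinding"}

def _field(doc, pattern):
    m = re.search(pattern, doc, re.MULTILINE)
    return m.group(1) if m else None

def check_namespace_limited(rendered, namespace):
    """Return findings for RBAC objects that reach beyond `namespace`."""
    findings = []
    for doc in re.split(r"^---\s*$", rendered, flags=re.MULTILINE):
        kind = _field(doc, r"^kind:\s*(\S+)")
        if kind not in RBAC_KINDS:
            continue
        name = _field(doc, r"^metadata:\n(?:  .*\n)*?  name:\s*(\S+)")
        ns = _field(doc, r"^metadata:\n(?:  .*\n)*?  namespace:\s*(\S+)")
        ref = _field(doc, r"^roleRef:\n(?:  .*\n)*?  kind:\s*(\S+)")
        if kind.startswith("Cluster"):  # needs cluster-level create rights
            findings.append(f"{kind}/{name}: cluster-scoped object")
        elif ns not in (None, namespace):  # namespaced, but somewhere else
            findings.append(f"{kind}/{name}: namespace {ns}, expected {namespace}")
        elif kind == "RoleBinding" and ref == "ClusterRole":
            findings.append(f"{kind}/{name}: roleRef points at a ClusterRole")
    return findings

def sample(limit_to_namespace):
    """Constructed stand-in for rendered output (names and rules are placeholders)."""
    prefix = "" if limit_to_namespace else "Cluster"
    ns = "  namespace: tenant-a\n" if limit_to_namespace else ""
    return f"""\
apiVersion: rbac.authorization.k8s.io/v1
kind: {prefix}Role
metadata:
  name: demo-functions-worker
{ns}rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: {prefix}RoleBinding
metadata:
  name: demo-functions-worker
{ns}roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: {prefix}Role
  name: demo-functions-worker
"""
```

In practice the string passed to `check_namespace_limited` would be the chart's rendered manifests rather than `sample()`.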