From a2bc8cd8d27482d7970121522ea325386b1bebc4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20S=C3=B6derlund?= Date: Sat, 5 Apr 2025 23:22:26 +0200 Subject: [PATCH] Wrote about crossplanes default limited access to third party custom resources, and how to remedy. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: David Söderlund --- content/v2.0-preview/whats-new/_index.md | 27 ++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/content/v2.0-preview/whats-new/_index.md b/content/v2.0-preview/whats-new/_index.md index 6c00efa6..dd8c2a08 100644 --- a/content/v2.0-preview/whats-new/_index.md +++ b/content/v2.0-preview/whats-new/_index.md 
@@ -207,6 +207,33 @@ compose-pg@{animate: true} This opens composition to exciting new use cases - for example building custom app models with Crossplane. +### Beware Crossplane's default access + +Crossplane by default can only access a limited set of kubernetes resources beyond what gets configured by any providers. + +To grant access to additional resource resource types, create additional `ClusterRoles` and include them in the default Crossplane `ClusterRole` through [aggregation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles). Crossplane's default ClusterRole aggregates using a selector for the label `rbac.crossplane.io/aggregate-to-crossplane: "true"` + +If you don't include this you may experience RBAC issues composing third party custom resources. + +Here is an example of allowing Crossplane handle the lifecycle of CloudNativePG PostgreSQL `Cluster`. + +``` yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cnpg:aggregate-to-crossplane + labels: + app: crossplane + rbac.crossplane.io/aggregate-to-crossplane: "true" +rules: +- apiGroups: + - postgresql.cnpg.io + resources: + - clusters + verbs: + - "*" +``` + ## Backward compatibility Crossplane v2 makes the following breaking changes:
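Review bot: the example ClusterRole grants `verbs: - "*"` on `postgresql.cnpg.io` `clusters`, which is broader than the lifecycle management the text describes, and because the role is aggregated into Crossplane's default ClusterRole every Crossplane-driven action inherits it; consider listing the verbs the composition actually needs (for example `get`, `list`, `watch`, `create`, `update`, `patch`, `delete`) so readers who copy the snippet start from least privilege rather than a wildcard. A few wording fixes in the new prose: "additional resource resource types" doubles the word "resource", "kubernetes" should be capitalised as "Kubernetes", the sentence ending in `rbac.crossplane.io/aggregate-to-crossplane: "true"` is missing its full stop, and "allowing Crossplane handle the lifecycle" should read "allowing Crossplane to handle the lifecycle". It may also help to state that the `app: crossplane` label is informational and that only the `rbac.crossplane.io/aggregate-to-crossplane` label drives aggregation, so readers do not assume both are required.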