Description
Is your feature request related to a problem? Please describe.
I need to deploy the MinIO Operator in namespace mode within a single namespace, without requiring a cluster role.
Describe the solution you'd like
Add a new Helm chart parameter called scope with possible values: cluster or namespace.
- When scope is set to cluster, a ClusterRole will be created, allowing the operator to monitor the entire cluster. (WATCHED_NAMESPACE can be used to restrict the namespaces like before)
- When scope is set to namespace, a Role will be created, restricting the operator to watch only the current namespace (environment variable WATCHED_NAMESPACE will not be required)
After updating the Helm chart, some modifications are needed in the MinIO Operator to enable it to run within a single namespace. Currently, setting the WATCHED_NAMESPACE to the operator's namespace prevents tenant provisioning, as the operator attempts to list cluster-scoped resources.
Additional context
I created a custom role and modified the Helm chart locally to test whether the operator can create tenants with that role, but it doesn’t seem to work.
Config
operator:
  env:
    - name: WATCHED_NAMESPACE
      value: "minio-env"
Logs
I0403 10:11:49.104955 1 controller.go:81] Starting MinIO Operator
I0403 10:11:49.106653 1 controller.go:146] Watching only namespaces: minio-env
I0403 10:11:49.107238 1 main-controller.go:293] Setting up event handlers
W0403 10:11:49.124957 1 reflector.go:569] k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251: failed to list *v2.Tenant: tenants.minio.min.io is forbidden: User "system:serviceaccount:minio-env:minio-operator" cannot list resource "tenants" in API group "minio.min.io" at the cluster scope
W0403 10:11:49.125030 1 reflector.go:569] k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:minio-env:minio-operator" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0403 10:11:49.125081 1 reflector.go:166] "Unhandled Error" err="k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251: Failed to watch *v2.Tenant: failed to list *v2.Tenant: tenants.minio.min.io is forbidden: User \"system:serviceaccount:minio-env:minio-operator\" cannot list resource \"tenants\" in API group \"minio.min.io\" at the cluster scope" logger="UnhandledError"
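Added example, not part of the original issue or of the MinIO Operator code base: a small log triage script that extracts the RBAC denials from the reflector lines above and reports which list/watch calls were made at cluster scope, which a namespaced Role cannot authorize. The function names are hypothetical; the sample input is the three denial lines copied from the log in this issue.

```python
import re
from collections import defaultdict

# Sample input: the W/E reflector lines from the issue's log, unchanged.
SAMPLE_LOG = r'''
W0403 10:11:49.124957 1 reflector.go:569] k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251: failed to list *v2.Tenant: tenants.minio.min.io is forbidden: User "system:serviceaccount:minio-env:minio-operator" cannot list resource "tenants" in API group "minio.min.io" at the cluster scope
W0403 10:11:49.125030 1 reflector.go:569] k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251: failed to list *v1.StatefulSet: statefulsets.apps is forbidden: User "system:serviceaccount:minio-env:minio-operator" cannot list resource "statefulsets" in API group "apps" at the cluster scope
E0403 10:11:49.125081 1 reflector.go:166] "Unhandled Error" err="k8s.io/client-go@v0.32.2/tools/cache/reflector.go:251: Failed to watch *v2.Tenant: failed to list *v2.Tenant: tenants.minio.min.io is forbidden: User \"system:serviceaccount:minio-env:minio-operator\" cannot list resource \"tenants\" in API group \"minio.min.io\" at the cluster scope" logger="UnhandledError"
'''

# Kubernetes RBAC denial text: ends in either "at the cluster scope"
# or 'in the namespace "<ns>"'.
DENIED = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\S+) resource "(?P<resource>[^"]+)" in API group '
    r'"(?P<group>[^"]*)" (?:at the (?P<cluster>cluster) scope|'
    r'in the namespace "(?P<ns>[^"]+)")'
)


def denied_requests(log_text):
    """Map (service account, scope) -> set of (apiGroup, resource, verb)."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        # klog's err="..." field escapes inner quotes; undo that first.
        line = line.replace('\\"', '"')
        for m in DENIED.finditer(line):
            scope = "cluster" if m["cluster"] else "namespace/" + m["ns"]
            account = f'{m["sa_ns"]}/{m["sa"]}'
            found[(account, scope)].add((m["group"], m["resource"], m["verb"]))
    return dict(found)


def cluster_scope_denials(log_text):
    """Denials that a Role (namespaced) cannot satisfy, deduplicated and sorted."""
    return {key: sorted(rules)
            for key, rules in denied_requests(log_text).items()
            if key[1] == "cluster"}


if __name__ == "__main__":
    for (account, scope), rules in cluster_scope_denials(SAMPLE_LOG).items():
        for group, resource, verb in rules:
            print(f"{account}: {verb} {resource}.{group} at {scope} scope")
```

Any entry this reports means the operator's informers were built for all namespaces, so adding rules to a Role will not clear the error.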