Closed
Labels: enhancement, good first issue, help wanted, released
Description
Proposal
RBAC as currently set allows metacontroller pods to access all resources on the cluster, which is not necessary when metacontroller is used to create specific objects, and could be a security issue.
Thus, it should be possible to specify custom cluster role rules in helm.
Example
We plan to use the metacontroller in Jitsi-k8s to create services every time a pod for jitsi jvb is created. Thus, the needed rules for the clusterRole are the following:
```yaml
rules:
  - apiGroups:
      - "apps"
    resources:
      - "statefulsets"
    verbs:
      - "get"
      - "watch"
      - "list"
  - apiGroups:
      - ""
    resources:
      - "services"
    verbs:
      - "get"
      - "watch"
      - "list"
      - "create"
      - "delete"
  - apiGroups:
      - ""
    resources:
      - "events"
    verbs:
      - "create"
      - "patch"
  - apiGroups:
      - "metacontroller.k8s.io"
    resources:
      - "*"
    verbs:
      - "get"
      - "watch"
      - "list"
```
We do not need more rules, so we would like to be able to set this configuration thanks to helm values.
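A narrowed rule set like the one in this issue can be checked mechanically before it is deployed. The following is an added example, not part of the original issue or the metacontroller project: it matches rules on apiGroups, resources and verbs with `*` wildcards, and compares the proposed rules against a constructed allow-all role. The names `ALLOW_ALL_RULES`, `SENSITIVE_PROBES`, `allows`, `wildcard_grants` and `excess` are hypothetical.

```python
# Added example: matches RBAC PolicyRules on apiGroups/resources/verbs with "*"
# wildcards. Subresources, resourceNames and nonResourceURLs are not modelled.

# Rules copied from the issue text above.
PROPOSED_RULES = [
    {"apiGroups": ["apps"], "resources": ["statefulsets"],
     "verbs": ["get", "watch", "list"]},
    {"apiGroups": [""], "resources": ["services"],
     "verbs": ["get", "watch", "list", "create", "delete"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
    {"apiGroups": ["metacontroller.k8s.io"], "resources": ["*"],
     "verbs": ["get", "watch", "list"]},
]
# Constructed stand-in for an unrestricted role (assumption, not the chart's text).
ALLOW_ALL_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
# Constructed probes: (apiGroup, resource, verb) the described use case never needs.
SENSITIVE_PROBES = [
    ("", "secrets", "get"),
    ("", "services", "update"),
    ("apps", "statefulsets", "delete"),
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create"),
]

def _match(allowed, wanted):
    return "*" in allowed or wanted in allowed

def allows(rules, api_group, resource, verb):
    """True if at least one rule grants verb on resource in api_group."""
    return any(
        _match(r.get("apiGroups", []), api_group)
        and _match(r.get("resources", []), resource)
        and _match(r.get("verbs", []), verb)
        for r in rules
    )

def wildcard_grants(rules):
    """(rule index, field) for every "*" entry, so each one can be justified."""
    return [(i, f) for i, r in enumerate(rules)
            for f in ("apiGroups", "resources", "verbs") if "*" in r.get(f, [])]

def excess(rules, probes=SENSITIVE_PROBES):
    """Probes that the rule set grants although the use case does not need them."""
    return [p for p in probes if allows(rules, *p)]

if __name__ == "__main__":
    print("proposed:", excess(PROPOSED_RULES), wildcard_grants(PROPOSED_RULES))
    print("allow-all:", excess(ALLOW_ALL_RULES))
```

The single wildcard it reports in the proposed rules is the read-only grant on the `metacontroller.k8s.io` group.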