Why does operator need cluster-wide permissions (using clusterrolebinding instead of rolebinding)?

[wei-tu]

The helm chart of Clickhouse operator requires k8s cluster-wide permissions (ClusterRole / ClusterRoleBinding).

Out of security concern, our cluster only grants limited permission to services. So we would like to know:

• 1, why it needs cluster-wide permission
• 2, if we can move the operator from clusterrolebinding to rolebinding

We tried to hack the manifest of helm template by replacing clusterrole/clusterrolebinding with role/rolebinding and it seems still working.

[alex-zaitsev]

@wei-tu , what helm chart you are referring to? We do not supply a standard helm chart.

[Slach]

@wei-tu by default, clickhouse-operator deployment installed to kube-system namespace. It means clickhouse-operator will watch all ClickHouseInstallation resources in all namespaces and need access to all namespaces to create statefulset / pvc / service resources.
If you install operator into one namespace you don't need ClusterRole and ClusterRolebinding