I'm +1 for the `let's make this work` approach.
> And we can use an optional annotation on the SA to change the behavior to "do not touch"

👍 Might be a solution

Pros:
- It does not introduce difficulty for admins to manage SA by themselves;
Cons:
- The current behavior is changed and existing installations might be affected, but I'm not sure if we have such a `managed SA` cluster except che.openshift.io, which can be updated by us.
@Ilya Buziuk Could you confirm that we're able to apply the needed annotation to already initialized users' namespaces?
And in addition to Mario's proposal for cluster-admin managed SA and role/rolebinding:
We could apply a special annotation to Che-created resources, like: `org.eclipse.che/managed-by: che-server`...
Pros:
- it would be a bit clearer that admin is not supposed to touch it;
Cons:
- it might be tricky to apply that annotation on already existing installations.
We may always try to update the SA, role, and rolebinding, and if we get a 403, then we don't propagate the error but assume that we're on a cluster where the SA is managed by cluster-admin and not by Che Server.