Looking for information on how to create a clusterrole that has cluster-admin privileges, except for the ability to delete namespaces / projects. I'd love it to be auto-updating. The problem I have now is that I created a clusterrole with all privileges except the ability to delete projects / namespaces, but it's not auto-updating. So anytime we add new operators or anything, the role has to be manually updated, which isn't ideal. Anyone have any suggestions?
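Kubernetes RBAC rules are purely additive, so "everything except one verb" has to be written as an explicit list rather than a wildcard with an exception. As an added example that is not part of the thread, this Python script regenerates such a ClusterRole from API discovery data, so re-running it after an operator installs new resources picks them up. The resource list is constructed sample data, and the role name and the `example.com` `widgets` resource are hypothetical.

```python
import json

# Constructed sample of discovery data as (apiGroup, resource, verbs), the
# columns `kubectl api-resources -o wide` reports. Not from a real cluster.
CRUD = ["create", "delete", "get", "list", "patch", "update", "watch"]
DISCOVERED = [
    ("", "namespaces", CRUD),
    ("", "pods", CRUD + ["deletecollection"]),
    ("project.openshift.io", "projects", CRUD),
    ("example.com", "widgets", CRUD),  # hypothetical CRD added by an operator
]

# (apiGroup, resource) pairs that must never receive the denied verbs.
PROTECTED = {("", "namespaces"), ("project.openshift.io", "projects")}
DENIED_VERBS = {"delete", "deletecollection"}


def build_cluster_role(discovered, name="admin-no-ns-delete"):
    """Return a ClusterRole dict granting every discovered verb except
    DENIED_VERBS on PROTECTED resources. No wildcards are emitted."""
    grouped = {}
    for group, resource, verbs in discovered:
        allowed = set(verbs)
        if (group, resource) in PROTECTED:
            allowed -= DENIED_VERBS
        if allowed:
            # Resources sharing a group and verb set collapse into one rule.
            key = (group, tuple(sorted(allowed)))
            grouped.setdefault(key, []).append(resource)
    rules = [
        {"apiGroups": [g], "resources": sorted(res), "verbs": list(v)}
        for (g, v), res in sorted(grouped.items())
    ]
    return {"apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRole", "metadata": {"name": name}, "rules": rules}


def allows(role, group, resource, verb):
    """Check whether any rule in the generated role grants the verb."""
    return any(group in r["apiGroups"] and resource in r["resources"]
               and verb in r["verbs"] for r in role["rules"])


if __name__ == "__main__":
    print(json.dumps(build_cluster_role(DISCOVERED), indent=2))
```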
Could you provide more details about what kind of auto-update you need and how new operators impact your custom role?
Sometimes you need a kind of flexibility that is not provided by Kubernetes. OpenShift comes out-of-the-box with support for Kubernetes Operators that allow you to extend Kubernetes capabilities for these scenarios.
Red Hat consultants created a number of operators that help with implementing custom policies as part of Red Hat's Community of Practice. These are not formally supported but were created to meet customization demanded by actual customers. An example is: