ARC cluster permissions

[kalined]

Good day,

I'm planning to use self-hosted runners. Thus, as the main solution, I'm considering an actions-runner-controller.

I started deploying the actions-runner-controller to the OpenShift, along the way I ran into some problems and raised a couple of questions.

The environment I'm planning to deploy ARC:

OpenShift version 4.9. Cert-manager tech preview will only appear in version 4.10. OpenShift is a multitenant platform, so no one gets cluster-admin rights.

Thus, I faced some issues, like:

from the server for "https://github.com/cert-manager/cert-manager/releases/download/v1.10.1/cert-manager.yaml": namespaces "cert-manager" is forbidden: User "MYUSER" cannot get resource "namespaces" in API group "" in the namespace "cert-manager"

1. Could somebody explain, please, in detail what the cert-manager does in ACR? Maybe there is no point in having a cert-manager?

2. Maybe there is more information about where the certificates will be used and in general what they are used for? (related to question 1)

3. Would be nice to get more information about CRDs and their functionality in ARC. What they are used for and why do they need admin privileges in the cluster?

4. What kind of permissions do I need in the cluster and why do I need them at all? Why do I need to list namespaces?

5. Could I deploy ARC in the OpenShift without admin rights in the cluster? If yes, how could I do that? What scope of permissions should I have? (Would like to notice again that in my case I'm investigating the possibility of deploying ARC to OpenShift which is a multitenant platform, so no one gets cluster-admin rights, and where a lot of different projects/namespaces should be isolated.)

Br,