From 22ac247df950aaf4317e6f41969f5f98f538aeda Mon Sep 17 00:00:00 2001
From: Yuedong Wu <57584831+lunarwhite@users.noreply.github.com>
Date: Fri, 5 Apr 2024 17:30:27 +0000
Subject: [PATCH] Add scaffolded CRD viewer and editor roles in config/rbac/kustomization.yaml
---
 .../project/config/rbac/kustomization.yaml | 6 +
 .../project/config/rbac/kustomization.yaml | 6 +
 docs/book/src/getting-started.md | 1 -
 .../project/config/rbac/kustomization.yaml | 6 +
 pkg/plugin/util/util.go | 17 +
 .../common/kustomize/v2/scaffolds/api.go | 25 +
 test/e2e/v4/plugin_cluster_test.go | 15 -
 .../config/rbac/kustomization.yaml | 24 +
 .../dist/install.yaml | 696 ++++++++++++++++--
 .../config/rbac/kustomization.yaml | 24 +
 .../project-v4-multigroup/dist/install.yaml | 696 ++++++++++++++++--
 .../config/rbac/kustomization.yaml | 8 +
 .../dist/install.yaml | 116 +++
 .../project-v4/config/rbac/kustomization.yaml | 10 +
 testdata/project-v4/dist/install.yaml | 174 +++++
 15 files changed, 1692 insertions(+), 132 deletions(-)
diff --git a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml
index 731832a6ac3..a15cdf55131 100644
--- a/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml
+++ b/docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml
@@ -16,3 +16,9 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- projectconfig_editor_role.yaml
+- projectconfig_viewer_role.yaml
diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml
index 731832a6ac3..c763b769ecf 100644
--- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml
+++ b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml
@@ -16,3 +16,9 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- cronjob_editor_role.yaml
+- cronjob_viewer_role.yaml
diff --git a/docs/book/src/getting-started.md b/docs/book/src/getting-started.md
index a55fea6de6f..c894af48c80 100644
--- a/docs/book/src/getting-started.md
+++ b/docs/book/src/getting-started.md
@@ -464,7 +464,6 @@ After making the necessary changes, run the `make generate` command. This will p

RBAC generate under config/rbac

For each Kind, Kubebuilder will generate scaffold rules with view and edit permissions. (i.e. `memcached_editor_role.yaml` and `memcached_viewer_role.yaml`)
-Those rules are not applied on the cluster when you deploy your solution with `make deploy IMG=myregistery/example:1.0.0`.
Those rules are aimed to help system admins know what to allow when granting permissions to a group of users.
diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml
index 731832a6ac3..0e7aee13091 100644
--- a/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml
+++ b/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml
@@ -16,3 +16,9 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- memcached_editor_role.yaml
+- memcached_viewer_role.yaml
diff --git a/pkg/plugin/util/util.go b/pkg/plugin/util/util.go
index d4b34d5d616..ebf5418adda 100644
--- a/pkg/plugin/util/util.go
+++ b/pkg/plugin/util/util.go
@@ -80,6 +80,23 @@ func InsertCode(filename, target, code string) error {
 	return os.WriteFile(filename, []byte(out), 0644)
 }
 
+// InsertCodeIfNotExist insert code if it does not already exists
+func InsertCodeIfNotExist(filename, target, code string) error {
+	// false positive
+	// nolint:gosec
+	contents, err := os.ReadFile(filename)
+	if err != nil {
+		return err
+	}
+
+	idx := strings.Index(string(contents), code)
+	if idx != -1 {
+		return nil
+	}
+
+	return InsertCode(filename, target, code)
+}
+
 // UncommentCode searches for target in the file and remove the comment prefix
 // of the target content. The target content may span multiple lines.
 func UncommentCode(filename, target, prefix string) error {
diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/api.go b/pkg/plugins/common/kustomize/v2/scaffolds/api.go
index 21afda71155..c942e7dc209 100644
--- a/pkg/plugins/common/kustomize/v2/scaffolds/api.go
+++ b/pkg/plugins/common/kustomize/v2/scaffolds/api.go
@@ -18,6 +18,7 @@ package scaffolds
 
 import (
 	"fmt"
+	"strings"
 
 	pluginutil "sigs.k8s.io/kubebuilder/v3/pkg/plugin/util"
 	"sigs.k8s.io/kubebuilder/v3/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/crd"
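Review bot: `idx := strings.Index(string(contents), code)` followed by `if idx != -1` in InsertCodeIfNotExist is a two-step spelling of `if bytes.Contains(contents, []byte(code)) { return nil }`, which also avoids copying the whole file into a string (whether `bytes` is already imported in util.go is outside this hunk). The doc comment has a grammar slip and does not say that the existence check is a whole-file substring match rather than one scoped to target, which is what makes the function idempotent for callers; suggest `// InsertCodeIfNotExist inserts code after target unless code already appears anywhere in the file.`. As far as I recall, golangci-lint only honours the directive spelled `//nolint:gosec` with no space after the slashes, so `// nolint:gosec` is probably inert here; worth aligning with whatever spelling InsertCode uses just above. The os.ReadFile error is returned bare, and `return fmt.Errorf("reading %s: %w", filename, err)` would keep the path in the message for the caller.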
@@ -98,6 +99,30 @@ func (s *apiScaffolder) Scaffold() error {
 					"%s.", kustomizeFilePath)
 			}
 		}
+
+		// Add scaffolded CRD Editor and Viewer roles in config/rbac/kustomization.yaml
+		rbacKustomizeFilePath := "config/rbac/kustomization.yaml"
+		comment := `
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.`
+		err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath,
+			"- auth_proxy_client_clusterrole.yaml", comment)
+		if err != nil {
+			log.Errorf("Unable to add a comment in the file "+
+				"%s.", rbacKustomizeFilePath)
+		}
+		crdName := strings.ToLower(s.resource.Kind)
+		if s.config.IsMultiGroup() && s.resource.Group != "" {
+			crdName = strings.ToLower(s.resource.Group) + "_" + crdName
+		}
+		err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath, comment,
+			fmt.Sprintf("\n- %[1]s_editor_role.yaml\n- %[1]s_viewer_role.yaml", crdName))
+		if err != nil {
+			log.Errorf("Unable to add Editor and Viewer roles in the file "+
+				"%s.", rbacKustomizeFilePath)
+		}
 	}
 
 	return nil
diff --git a/test/e2e/v4/plugin_cluster_test.go b/test/e2e/v4/plugin_cluster_test.go
index a757e793dbc..02588eec066 100644
--- a/test/e2e/v4/plugin_cluster_test.go
+++ b/test/e2e/v4/plugin_cluster_test.go
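Review bot: When the first `InsertCodeIfNotExist` call fails (for example because a user removed the `- auth_proxy_client_clusterrole.yaml` anchor from their kustomization), the second call still runs with `comment` as its target and fails for the same reason, so one root cause is logged twice and the scaffold continues; wrapping the second call in `if err == nil { … }` would report it once, matching the log-and-continue style of the preceding block. Because `comment` doubles as the anchor for the role entries, the comment's exact wording becomes part of the scaffolder's contract — editing it in an existing project silently stops role insertion — and a short note on the variable would save the next maintainer a surprise, e.g. `// comment is also the insertion anchor for the role entries below; changing its text breaks re-runs on existing projects`. The leading comment could also state what the kustomization text only implies: the generated editor/viewer ClusterRoles are now installed by `make deploy`, but as far as this diff shows no binding is scaffolded for them, so they grant nothing until an admin binds them. Scaffold starts and ends outside this hunk.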
@@ -271,21 +271,6 @@ func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller bool) {
 		return err
 	}, time.Minute, time.Second).Should(Succeed())
 
-	By("applying the CRD Editor Role")
-	crdEditorRole := filepath.Join("config", "rbac",
-		fmt.Sprintf("%s_editor_role.yaml", strings.ToLower(kbc.Kind)))
-	EventuallyWithOffset(1, func() error {
-		_, err = kbc.Kubectl.Apply(true, "-f", crdEditorRole)
-		return err
-	}, time.Minute, time.Second).Should(Succeed())
-
-	By("applying the CRD Viewer Role")
-	crdViewerRole := filepath.Join("config", "rbac", fmt.Sprintf("%s_viewer_role.yaml", strings.ToLower(kbc.Kind)))
-	EventuallyWithOffset(1, func() error {
-		_, err = kbc.Kubectl.Apply(true, "-f", crdViewerRole)
-		return err
-	}, time.Minute, time.Second).Should(Succeed())
-
 	By("validating that the created resource object gets reconciled in the controller")
 	metricsOutput := curlMetrics(kbc)
 	ExpectWithOffset(1, metricsOutput).To(ContainSubstring(fmt.Sprintf(
diff --git a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml
index 731832a6ac3..851500858ff 100644
--- a/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml
+++ b/testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml
@@ -16,3 +16,27 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- lakers_editor_role.yaml
+- lakers_viewer_role.yaml
+- fiz_bar_editor_role.yaml
+- fiz_bar_viewer_role.yaml
+- foo_bar_editor_role.yaml
+- foo_bar_viewer_role.yaml
+- foo.policy_healthcheckpolicy_editor_role.yaml
+- foo.policy_healthcheckpolicy_viewer_role.yaml
+- sea-creatures_leviathan_editor_role.yaml
+- sea-creatures_leviathan_viewer_role.yaml
+- sea-creatures_kraken_editor_role.yaml
+- sea-creatures_kraken_viewer_role.yaml
+- ship_cruiser_editor_role.yaml
+- ship_cruiser_viewer_role.yaml
+- ship_destroyer_editor_role.yaml
+- ship_destroyer_viewer_role.yaml
+- ship_frigate_editor_role.yaml
+- ship_frigate_viewer_role.yaml
+- crew_captain_editor_role.yaml
+- crew_captain_viewer_role.yaml
diff --git a/testdata/project-v4-multigroup-with-deploy-image/dist/install.yaml b/testdata/project-v4-multigroup-with-deploy-image/dist/install.yaml
index 39f3ac5d091..de7ab9a9859 100644
--- a/testdata/project-v4-multigroup-with-deploy-image/dist/install.yaml
+++ b/testdata/project-v4-multigroup-with-deploy-image/dist/install.yaml
@@ -658,12 +658,19 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: project-v4-multigroup-with-deploy-image-manager-role + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: captain-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-crew-captain-editor-role rules: - apiGroups: - - apps + - crew.testproject.org resources: - - deployments + - captains verbs: - create - delete 
@@ -673,23 +680,55 @@ rules: - update - watch - apiGroups: - - apps + - crew.testproject.org resources: - - deployments/finalizers + - captains/status verbs: - - update + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: captain-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-crew-captain-viewer-role +rules: - apiGroups: - - apps + - crew.testproject.org resources: - - deployments/status + - captains verbs: - get - - patch - - update + - list + - watch - apiGroups: - crew.testproject.org resources: - - captains + - captains/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: bar-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-fiz-bar-editor-role +rules: +- apiGroups: + - fiz.testproject.org + resources: + - bars verbs: - create - delete 
@@ -699,22 +738,54 @@ rules: - update - watch - apiGroups: - - crew.testproject.org + - fiz.testproject.org resources: - - captains/finalizers + - bars/status verbs: - - update + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: bar-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-fiz-bar-viewer-role +rules: - apiGroups: - - crew.testproject.org + - fiz.testproject.org resources: - - captains/status + - bars verbs: - get - - patch - - update + - list + - watch - apiGroups: - fiz.testproject.org resources: + - bars/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: bar-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-foo-bar-editor-role +rules: +- apiGroups: + - foo.testproject.org + resources: - bars verbs: - create 
@@ -725,19 +796,51 @@ rules: - update - watch - apiGroups: - - fiz.testproject.org + - foo.testproject.org resources: - - bars/finalizers + - bars/status verbs: - - update + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: bar-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-foo-bar-viewer-role +rules: - apiGroups: - - fiz.testproject.org + - foo.testproject.org + resources: + - bars + verbs: + - get + - list + - watch +- apiGroups: + - foo.testproject.org resources: - bars/status verbs: - get - - patch - - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: healthcheckpolicy-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-foo.policy-healthcheckpolicy-editor-role +rules: - apiGroups: - foo.policy.testproject.org resources: 
@@ -753,21 +856,53 @@ rules: - apiGroups: - foo.policy.testproject.org resources: - - healthcheckpolicies/finalizers + - healthcheckpolicies/status verbs: - - update + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: healthcheckpolicy-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-foo.policy-healthcheckpolicy-viewer-role +rules: +- apiGroups: + - foo.policy.testproject.org + resources: + - healthcheckpolicies + verbs: + - get + - list + - watch - apiGroups: - foo.policy.testproject.org resources: - healthcheckpolicies/status verbs: - get - - patch - - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: lakers-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-lakers-editor-role +rules: - apiGroups: - - foo.testproject.org + - testproject.org resources: - - bars + - lakers verbs: - create - delete 
@@ -777,23 +912,48 @@ rules: - update - watch - apiGroups: - - foo.testproject.org + - testproject.org resources: - - bars/finalizers + - lakers/status verbs: - - update + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: lakers-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-lakers-viewer-role +rules: - apiGroups: - - foo.testproject.org + - testproject.org resources: - - bars/status + - lakers verbs: - get - - patch - - update + - list + - watch - apiGroups: - - sea-creatures.testproject.org + - testproject.org resources: - - krakens + - lakers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: project-v4-multigroup-with-deploy-image-manager-role +rules: +- apiGroups: + - apps + resources: + - deployments verbs: - create - delete @@ -803,23 +963,23 @@ rules: - update - watch - apiGroups: - - sea-creatures.testproject.org + - apps resources: - - krakens/finalizers + - deployments/finalizers verbs: - update - apiGroups: - - sea-creatures.testproject.org + - apps resources: - - krakens/status + - deployments/status verbs: - get - patch - update - apiGroups: - - sea-creatures.testproject.org + - crew.testproject.org resources: - - leviathans + - captains verbs: - create - delete 
@@ -829,23 +989,23 @@ rules: - update - watch - apiGroups: - - sea-creatures.testproject.org + - crew.testproject.org resources: - - leviathans/finalizers + - captains/finalizers verbs: - update - apiGroups: - - sea-creatures.testproject.org + - crew.testproject.org resources: - - leviathans/status + - captains/status verbs: - get - patch - update - apiGroups: - - ship.testproject.org + - fiz.testproject.org resources: - - cruisers + - bars verbs: - create - delete @@ -855,23 +1015,23 @@ rules: - update - watch - apiGroups: - - ship.testproject.org + - fiz.testproject.org resources: - - cruisers/finalizers + - bars/finalizers verbs: - update - apiGroups: - - ship.testproject.org + - fiz.testproject.org resources: - - cruisers/status + - bars/status verbs: - get - patch - update - apiGroups: - - ship.testproject.org + - foo.policy.testproject.org resources: - - destroyers + - healthcheckpolicies verbs: - create - delete 
@@ -881,7 +1041,137 @@ rules: - update - watch - apiGroups: - - ship.testproject.org + - foo.policy.testproject.org + resources: + - healthcheckpolicies/finalizers + verbs: + - update +- apiGroups: + - foo.policy.testproject.org + resources: + - healthcheckpolicies/status + verbs: + - get + - patch + - update +- apiGroups: + - foo.testproject.org + resources: + - bars + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - foo.testproject.org + resources: + - bars/finalizers + verbs: + - update +- apiGroups: + - foo.testproject.org + resources: + - bars/status + verbs: + - get + - patch + - update +- apiGroups: + - sea-creatures.testproject.org + resources: + - krakens + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - sea-creatures.testproject.org + resources: + - krakens/finalizers + verbs: + - update +- apiGroups: + - sea-creatures.testproject.org + resources: + - krakens/status + verbs: + - get + - patch + - update +- apiGroups: + - sea-creatures.testproject.org + resources: + - leviathans + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - sea-creatures.testproject.org + resources: + - leviathans/finalizers + verbs: + - update +- apiGroups: + - sea-creatures.testproject.org + resources: + - leviathans/status + verbs: + - get + - patch + - update +- apiGroups: + - ship.testproject.org + resources: + - cruisers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - ship.testproject.org + resources: + - cruisers/finalizers + verbs: + - update +- apiGroups: + - ship.testproject.org + resources: + - cruisers/status + verbs: + - get + - patch + - update +- apiGroups: + - ship.testproject.org + resources: + - destroyers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - ship.testproject.org resources: - destroyers/finalizers verbs: 
@@ -990,6 +1280,296 @@ rules: - create --- apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: kraken-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-sea-creatures-kraken-editor-role +rules: +- apiGroups: + - sea-creatures.testproject.org + resources: + - krakens + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - sea-creatures.testproject.org + resources: + - krakens/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: kraken-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-sea-creatures-kraken-viewer-role +rules: +- apiGroups: + - sea-creatures.testproject.org + resources: + - krakens + verbs: + - get + - list + - watch +- apiGroups: + - sea-creatures.testproject.org + resources: + - krakens/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: leviathan-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-sea-creatures-leviathan-editor-role +rules: +- apiGroups: + - sea-creatures.testproject.org + 
resources: + - leviathans + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - sea-creatures.testproject.org + resources: + - leviathans/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: leviathan-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-sea-creatures-leviathan-viewer-role +rules: +- apiGroups: + - sea-creatures.testproject.org + resources: + - leviathans + verbs: + - get + - list + - watch +- apiGroups: + - sea-creatures.testproject.org + resources: + - leviathans/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: cruiser-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-ship-cruiser-editor-role +rules: +- apiGroups: + - ship.testproject.org + resources: + - cruisers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - ship.testproject.org + resources: + - cruisers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: cruiser-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: 
project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-ship-cruiser-viewer-role +rules: +- apiGroups: + - ship.testproject.org + resources: + - cruisers + verbs: + - get + - list + - watch +- apiGroups: + - ship.testproject.org + resources: + - cruisers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: destroyer-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-ship-destroyer-editor-role +rules: +- apiGroups: + - ship.testproject.org + resources: + - destroyers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - ship.testproject.org + resources: + - destroyers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: destroyer-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-ship-destroyer-viewer-role +rules: +- apiGroups: + - ship.testproject.org + resources: + - destroyers + verbs: + - get + - list + - watch +- apiGroups: + - ship.testproject.org + resources: + - destroyers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: frigate-editor-role + app.kubernetes.io/managed-by: kustomize + 
app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-ship-frigate-editor-role +rules: +- apiGroups: + - ship.testproject.org + resources: + - frigates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - ship.testproject.org + resources: + - frigates/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup-with-deploy-image + app.kubernetes.io/instance: frigate-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup-with-deploy-image + name: project-v4-multigroup-with-deploy-image-ship-frigate-viewer-role +rules: +- apiGroups: + - ship.testproject.org + resources: + - frigates + verbs: + - get + - list + - watch +- apiGroups: + - ship.testproject.org + resources: + - frigates/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: diff --git a/testdata/project-v4-multigroup/config/rbac/kustomization.yaml b/testdata/project-v4-multigroup/config/rbac/kustomization.yaml index 731832a6ac3..851500858ff 100644 --- a/testdata/project-v4-multigroup/config/rbac/kustomization.yaml +++ b/testdata/project-v4-multigroup/config/rbac/kustomization.yaml 
@@ -16,3 +16,27 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- lakers_editor_role.yaml
+- lakers_viewer_role.yaml
+- fiz_bar_editor_role.yaml
+- fiz_bar_viewer_role.yaml
+- foo_bar_editor_role.yaml
+- foo_bar_viewer_role.yaml
+- foo.policy_healthcheckpolicy_editor_role.yaml
+- foo.policy_healthcheckpolicy_viewer_role.yaml
+- sea-creatures_leviathan_editor_role.yaml
+- sea-creatures_leviathan_viewer_role.yaml
+- sea-creatures_kraken_editor_role.yaml
+- sea-creatures_kraken_viewer_role.yaml
+- ship_cruiser_editor_role.yaml
+- ship_cruiser_viewer_role.yaml
+- ship_destroyer_editor_role.yaml
+- ship_destroyer_viewer_role.yaml
+- ship_frigate_editor_role.yaml
+- ship_frigate_viewer_role.yaml
+- crew_captain_editor_role.yaml
+- crew_captain_viewer_role.yaml
diff --git a/testdata/project-v4-multigroup/dist/install.yaml b/testdata/project-v4-multigroup/dist/install.yaml
index e86d4af520c..28c4aca2293 100644
--- a/testdata/project-v4-multigroup/dist/install.yaml
+++ b/testdata/project-v4-multigroup/dist/install.yaml
@@ -658,12 +658,19 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: project-v4-multigroup-manager-role + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: captain-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-crew-captain-editor-role rules: - apiGroups: - - apps + - crew.testproject.org resources: - - deployments + - captains verbs: - create - delete
@@ -673,23 +680,55 @@ rules: - update - watch - apiGroups: - - apps + - crew.testproject.org resources: - - deployments/finalizers + - captains/status verbs: - - update + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: captain-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-crew-captain-viewer-role +rules: - apiGroups: - - apps + - crew.testproject.org resources: - - deployments/status + - captains verbs: - get - - patch - - update + - list + - watch - apiGroups: - crew.testproject.org resources: - - captains + - captains/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: bar-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-fiz-bar-editor-role +rules: +- apiGroups: + - fiz.testproject.org + resources: + - bars verbs: - create - delete 
@@ -699,22 +738,54 @@ rules: - update - watch - apiGroups: - - crew.testproject.org + - fiz.testproject.org resources: - - captains/finalizers + - bars/status verbs: - - update + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: bar-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-fiz-bar-viewer-role +rules: - apiGroups: - - crew.testproject.org + - fiz.testproject.org resources: - - captains/status + - bars verbs: - get - - patch - - update + - list + - watch - apiGroups: - fiz.testproject.org resources: + - bars/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: bar-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-foo-bar-editor-role +rules: +- apiGroups: + - foo.testproject.org + resources: - bars verbs: - create 
@@ -725,19 +796,51 @@ rules: - update - watch - apiGroups: - - fiz.testproject.org + - foo.testproject.org resources: - - bars/finalizers + - bars/status verbs: - - update + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: bar-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-foo-bar-viewer-role +rules: - apiGroups: - - fiz.testproject.org + - foo.testproject.org + resources: + - bars + verbs: + - get + - list + - watch +- apiGroups: + - foo.testproject.org resources: - bars/status verbs: - get - - patch - - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: healthcheckpolicy-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-foo.policy-healthcheckpolicy-editor-role +rules: - apiGroups: - foo.policy.testproject.org resources: 
@@ -753,21 +856,53 @@ rules: - apiGroups: - foo.policy.testproject.org resources: - - healthcheckpolicies/finalizers + - healthcheckpolicies/status verbs: - - update + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: healthcheckpolicy-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-foo.policy-healthcheckpolicy-viewer-role +rules: +- apiGroups: + - foo.policy.testproject.org + resources: + - healthcheckpolicies + verbs: + - get + - list + - watch - apiGroups: - foo.policy.testproject.org resources: - healthcheckpolicies/status verbs: - get - - patch - - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: lakers-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-lakers-editor-role +rules: - apiGroups: - - foo.testproject.org + - testproject.org resources: - - bars + - lakers verbs: - create - delete 
@@ -777,23 +912,48 @@ rules: - update - watch - apiGroups: - - foo.testproject.org + - testproject.org resources: - - bars/finalizers + - lakers/status verbs: - - update + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: lakers-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-lakers-viewer-role +rules: - apiGroups: - - foo.testproject.org + - testproject.org resources: - - bars/status + - lakers verbs: - get - - patch - - update + - list + - watch - apiGroups: - - sea-creatures.testproject.org + - testproject.org resources: - - krakens + - lakers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: project-v4-multigroup-manager-role +rules: +- apiGroups: + - apps + resources: + - deployments verbs: - create - delete @@ -803,23 +963,23 @@ rules: - update - watch - apiGroups: - - sea-creatures.testproject.org + - apps resources: - - krakens/finalizers + - deployments/finalizers verbs: - update - apiGroups: - - sea-creatures.testproject.org + - apps resources: - - krakens/status + - deployments/status verbs: - get - patch - update - apiGroups: - - sea-creatures.testproject.org + - crew.testproject.org resources: - - leviathans + - captains verbs: - create - delete @@ -829,23 +989,23 @@ rules: - update - watch - apiGroups: - - sea-creatures.testproject.org + - crew.testproject.org resources: - - leviathans/finalizers + - captains/finalizers verbs: - update - apiGroups: - - sea-creatures.testproject.org + - crew.testproject.org resources: - - leviathans/status + - captains/status verbs: - get - patch - update - apiGroups: - - ship.testproject.org + - fiz.testproject.org resources: - - cruisers + - bars verbs: - create - delete 
@@ -855,23 +1015,23 @@ rules: - update - watch - apiGroups: - - ship.testproject.org + - fiz.testproject.org resources: - - cruisers/finalizers + - bars/finalizers verbs: - update - apiGroups: - - ship.testproject.org + - fiz.testproject.org resources: - - cruisers/status + - bars/status verbs: - get - patch - update - apiGroups: - - ship.testproject.org + - foo.policy.testproject.org resources: - - destroyers + - healthcheckpolicies verbs: - create - delete 
@@ -881,7 +1041,137 @@ rules: - update - watch - apiGroups: - - ship.testproject.org + - foo.policy.testproject.org + resources: + - healthcheckpolicies/finalizers + verbs: + - update +- apiGroups: + - foo.policy.testproject.org + resources: + - healthcheckpolicies/status + verbs: + - get + - patch + - update +- apiGroups: + - foo.testproject.org + resources: + - bars + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - foo.testproject.org + resources: + - bars/finalizers + verbs: + - update +- apiGroups: + - foo.testproject.org + resources: + - bars/status + verbs: + - get + - patch + - update +- apiGroups: + - sea-creatures.testproject.org + resources: + - krakens + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - sea-creatures.testproject.org + resources: + - krakens/finalizers + verbs: + - update +- apiGroups: + - sea-creatures.testproject.org + resources: + - krakens/status + verbs: + - get + - patch + - update +- apiGroups: + - sea-creatures.testproject.org + resources: + - leviathans + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - sea-creatures.testproject.org + resources: + - leviathans/finalizers + verbs: + - update +- apiGroups: + - sea-creatures.testproject.org + resources: + - leviathans/status + verbs: + - get + - patch + - update +- apiGroups: + - ship.testproject.org + resources: + - cruisers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - ship.testproject.org + resources: + - cruisers/finalizers + verbs: + - update +- apiGroups: + - ship.testproject.org + resources: + - cruisers/status + verbs: + - get + - patch + - update +- apiGroups: + - ship.testproject.org + resources: + - destroyers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - ship.testproject.org resources: - destroyers/finalizers verbs: 
@@ -990,6 +1280,296 @@ rules: - create --- apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: kraken-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-sea-creatures-kraken-editor-role +rules: +- apiGroups: + - sea-creatures.testproject.org + resources: + - krakens + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - sea-creatures.testproject.org + resources: + - krakens/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: kraken-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-sea-creatures-kraken-viewer-role +rules: +- apiGroups: + - sea-creatures.testproject.org + resources: + - krakens + verbs: + - get + - list + - watch +- apiGroups: + - sea-creatures.testproject.org + resources: + - krakens/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: leviathan-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-sea-creatures-leviathan-editor-role +rules: +- apiGroups: + - sea-creatures.testproject.org + resources: + - leviathans + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - sea-creatures.testproject.org + resources: + 
- leviathans/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: leviathan-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-sea-creatures-leviathan-viewer-role +rules: +- apiGroups: + - sea-creatures.testproject.org + resources: + - leviathans + verbs: + - get + - list + - watch +- apiGroups: + - sea-creatures.testproject.org + resources: + - leviathans/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: cruiser-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-ship-cruiser-editor-role +rules: +- apiGroups: + - ship.testproject.org + resources: + - cruisers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - ship.testproject.org + resources: + - cruisers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: cruiser-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-ship-cruiser-viewer-role +rules: +- apiGroups: + - ship.testproject.org + resources: + - cruisers + verbs: + - get + - list + - watch +- apiGroups: + - ship.testproject.org + resources: + - cruisers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 
+kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: destroyer-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-ship-destroyer-editor-role +rules: +- apiGroups: + - ship.testproject.org + resources: + - destroyers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - ship.testproject.org + resources: + - destroyers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: destroyer-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-ship-destroyer-viewer-role +rules: +- apiGroups: + - ship.testproject.org + resources: + - destroyers + verbs: + - get + - list + - watch +- apiGroups: + - ship.testproject.org + resources: + - destroyers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: frigate-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-ship-frigate-editor-role +rules: +- apiGroups: + - ship.testproject.org + resources: + - frigates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - ship.testproject.org + resources: + - frigates/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + 
app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-multigroup + app.kubernetes.io/instance: frigate-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-multigroup + name: project-v4-multigroup-ship-frigate-viewer-role +rules: +- apiGroups: + - ship.testproject.org + resources: + - frigates + verbs: + - get + - list + - watch +- apiGroups: + - ship.testproject.org + resources: + - frigates/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: diff --git a/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml b/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml index 731832a6ac3..2763dcf398a 100644 --- a/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml +++ b/testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml @@ -16,3 +16,11 @@ resources: - auth_proxy_role.yaml - auth_proxy_role_binding.yaml - auth_proxy_client_clusterrole.yaml +# For each CRD, "Editor" and "Viewer" roles are scaffolded by +# default, aiding admins in cluster management. While optional +# for managers, who can modify or remove them, their removal +# means they won't be installed with your solution. +- busybox_editor_role.yaml +- busybox_viewer_role.yaml +- memcached_editor_role.yaml +- memcached_viewer_role.yaml diff --git a/testdata/project-v4-with-deploy-image/dist/install.yaml b/testdata/project-v4-with-deploy-image/dist/install.yaml index e439551580e..7c3de5749f2 100644 --- a/testdata/project-v4-with-deploy-image/dist/install.yaml +++ b/testdata/project-v4-with-deploy-image/dist/install.yaml 
@@ -340,6 +340,64 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-with-deploy-image + app.kubernetes.io/instance: busybox-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-with-deploy-image + name: project-v4-with-deploy-image-busybox-editor-role +rules: +- apiGroups: + - example.com.testproject.org + resources: + - busyboxes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - example.com.testproject.org + resources: + - busyboxes/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-with-deploy-image + app.kubernetes.io/instance: busybox-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-with-deploy-image + name: project-v4-with-deploy-image-busybox-viewer-role +rules: +- apiGroups: + - example.com.testproject.org + resources: + - busyboxes + verbs: + - get + - list + - watch +- apiGroups: + - example.com.testproject.org + resources: + - busyboxes/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: project-v4-with-deploy-image-manager-role rules: 
@@ -425,6 +483,64 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-with-deploy-image + app.kubernetes.io/instance: memcached-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-with-deploy-image + name: project-v4-with-deploy-image-memcached-editor-role +rules: +- apiGroups: + - example.com.testproject.org + resources: + - memcacheds + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - example.com.testproject.org + resources: + - memcacheds/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4-with-deploy-image + app.kubernetes.io/instance: memcached-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4-with-deploy-image + name: project-v4-with-deploy-image-memcached-viewer-role +rules: +- apiGroups: + - example.com.testproject.org + resources: + - memcacheds + verbs: + - get + - list + - watch +- apiGroups: + - example.com.testproject.org + resources: + - memcacheds/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/component: kube-rbac-proxy diff --git a/testdata/project-v4/config/rbac/kustomization.yaml b/testdata/project-v4/config/rbac/kustomization.yaml index 731832a6ac3..e0fb32bdc03 100644 --- a/testdata/project-v4/config/rbac/kustomization.yaml +++ b/testdata/project-v4/config/rbac/kustomization.yaml 
@@ -16,3 +16,13 @@ resources: - auth_proxy_role.yaml - auth_proxy_role_binding.yaml - auth_proxy_client_clusterrole.yaml +# For each CRD, "Editor" and "Viewer" roles are scaffolded by +# default, aiding admins in cluster management. While optional +# for managers, who can modify or remove them, their removal +# means they won't be installed with your solution. +- admiral_editor_role.yaml +- admiral_viewer_role.yaml +- firstmate_editor_role.yaml +- firstmate_viewer_role.yaml +- captain_editor_role.yaml +- captain_viewer_role.yaml diff --git a/testdata/project-v4/dist/install.yaml b/testdata/project-v4/dist/install.yaml index 53cf691e997..adc1f4bb4e5 100644 --- a/testdata/project-v4/dist/install.yaml +++ b/testdata/project-v4/dist/install.yaml 
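Review bot: The new comment above the added resources should say that these scaffolded roles are cluster-scoped and unbound, since that is the fact an admin needs before deciding to keep them: the regenerated `dist/install.yaml` in this PR shows `kind: ClusterRole` for every `*-editor-role`/`*-viewer-role`, and each editor grants `create`/`delete`/`patch`/`update` on the CR, which becomes cluster-wide the moment someone attaches a ClusterRoleBinding. I would extend the comment with `# These are ClusterRoles and are not bound to any subject by default; grant them with a namespaced RoleBinding (least privilege) rather than a ClusterRoleBinding unless cluster-wide access is intended.` Separately, the `app.kubernetes.io/instance` label is derived from the Kind alone, so in the multigroup testdata both `project-v4-multigroup-fiz-bar-editor-role` and `project-v4-multigroup-foo-bar-editor-role` carry `app.kubernetes.io/instance: bar-editor-role`; label-based selection would match both, so the template should presumably include the group in that label the way it already does in `metadata.name` — worth confirming in the scaffold template, which is outside this hunk.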
@@ -259,6 +259,180 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/instance: admiral-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4 + name: project-v4-admiral-editor-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - admirales + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - crew.testproject.org + resources: + - admirales/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/instance: admiral-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4 + name: project-v4-admiral-viewer-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - admirales + verbs: + - get + - list + - watch +- apiGroups: + - crew.testproject.org + resources: + - admirales/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/instance: captain-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4 + name: project-v4-captain-editor-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - captains + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - crew.testproject.org + resources: + - captains/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: 
project-v4 + app.kubernetes.io/instance: captain-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4 + name: project-v4-captain-viewer-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - captains + verbs: + - get + - list + - watch +- apiGroups: + - crew.testproject.org + resources: + - captains/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/instance: firstmate-editor-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4 + name: project-v4-firstmate-editor-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - firstmates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - crew.testproject.org + resources: + - firstmates/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: project-v4 + app.kubernetes.io/instance: firstmate-viewer-role + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: clusterrole + app.kubernetes.io/part-of: project-v4 + name: project-v4-firstmate-viewer-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - firstmates + verbs: + - get + - list + - watch +- apiGroups: + - crew.testproject.org + resources: + - firstmates/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: project-v4-manager-role rules: