Add CRD viewer and editor roles in rbac/kustomization.yaml

docs/book/src/component-config-tutorial/testdata/project/config/rbac/kustomization.yaml

@@ -16,3 +16,9 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- projectconfig_editor_role.yaml
+- projectconfig_viewer_role.yaml

docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml

@@ -16,3 +16,9 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- cronjob_editor_role.yaml
+- cronjob_viewer_role.yaml

docs/book/src/getting-started.md

@@ -464,7 +464,6 @@ After making the necessary changes, run the `make generate` command. This will p
 <h1>RBAC generate under config/rbac</h1>
 
 For each Kind, Kubebuilder will generate scaffold rules with view and edit permissions. (i.e. `memcached_editor_role.yaml` and `memcached_viewer_role.yaml`)
-Those rules are not applied on the cluster when you deploy your solution with `make deploy IMG=myregistery/example:1.0.0`.
 Those rules are aimed to help system admins know what to allow when granting permissions to a group of users.
 
 </aside>

docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml

@@ -16,3 +16,9 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- memcached_editor_role.yaml
+- memcached_viewer_role.yaml

pkg/plugin/util/util.go

@@ -80,6 +80,23 @@ func InsertCode(filename, target, code string) error {
 	return os.WriteFile(filename, []byte(out), 0644)
 }
 
+// InsertCodeIfNotExist insert code if it does not already exists
+func InsertCodeIfNotExist(filename, target, code string) error {
+	// false positive
+	// nolint:gosec
+	contents, err := os.ReadFile(filename)
+	if err != nil {
+		return err
+	}
+
+	idx := strings.Index(string(contents), code)
+	if idx != -1 {
+		return nil
+	}
+
+	return InsertCode(filename, target, code)
+}
+
 // UncommentCode searches for target in the file and remove the comment prefix
 // of the target content. The target content may span multiple lines.
 func UncommentCode(filename, target, prefix string) error {

pkg/plugins/common/kustomize/v2/scaffolds/api.go

@@ -18,6 +18,7 @@ package scaffolds
 
 import (
 	"fmt"
+	"strings"
 
 	pluginutil "sigs.k8s.io/kubebuilder/v3/pkg/plugin/util"
 	"sigs.k8s.io/kubebuilder/v3/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/crd"
@@ -98,6 +99,30 @@ func (s *apiScaffolder) Scaffold() error {
 					"%s.", kustomizeFilePath)
 			}
 		}
+
+		// Add scaffolded CRD Editor and Viewer roles in config/rbac/kustomization.yaml
+		rbacKustomizeFilePath := "config/rbac/kustomization.yaml"
+		comment := `
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.`
+		err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath,
+			"- auth_proxy_client_clusterrole.yaml", comment)
+		if err != nil {
+			log.Errorf("Unable to add a comment in the file "+
+				"%s.", rbacKustomizeFilePath)
+		}
+		crdName := strings.ToLower(s.resource.Kind)
+		if s.config.IsMultiGroup() && s.resource.Group != "" {
+			crdName = strings.ToLower(s.resource.Group) + "_"  + crdName
+		}
+		err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath, comment,
+			fmt.Sprintf("\n- %[1]s_editor_role.yaml\n- %[1]s_viewer_role.yaml", crdName))
+		if err != nil {
+			log.Errorf("Unable to add Editor and Viewer roles in the file "+
+				"%s.", rbacKustomizeFilePath)
+		}
 	}
 
 	return nil

test/e2e/v4/plugin_cluster_test.go

@@ -271,21 +271,6 @@ func Run(kbc *utils.TestContext, hasWebhook, isToUseInstaller bool) {
 		return err
 	}, time.Minute, time.Second).Should(Succeed())
 
-	By("applying the CRD Editor Role")
-	crdEditorRole := filepath.Join("config", "rbac",
-		fmt.Sprintf("%s_editor_role.yaml", strings.ToLower(kbc.Kind)))
-	EventuallyWithOffset(1, func() error {
-		_, err = kbc.Kubectl.Apply(true, "-f", crdEditorRole)
-		return err
-	}, time.Minute, time.Second).Should(Succeed())
-
-	By("applying the CRD Viewer Role")
-	crdViewerRole := filepath.Join("config", "rbac", fmt.Sprintf("%s_viewer_role.yaml", strings.ToLower(kbc.Kind)))
-	EventuallyWithOffset(1, func() error {
-		_, err = kbc.Kubectl.Apply(true, "-f", crdViewerRole)
-		return err
-	}, time.Minute, time.Second).Should(Succeed())
-
 	By("validating that the created resource object gets reconciled in the controller")
 	metricsOutput := curlMetrics(kbc)
 	ExpectWithOffset(1, metricsOutput).To(ContainSubstring(fmt.Sprintf(

testdata/project-v4-multigroup-with-deploy-image/config/rbac/kustomization.yaml

@@ -16,3 +16,27 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- lakers_editor_role.yaml
+- lakers_viewer_role.yaml
+- fiz_bar_editor_role.yaml
+- fiz_bar_viewer_role.yaml
+- foo_bar_editor_role.yaml
+- foo_bar_viewer_role.yaml
+- foo.policy_healthcheckpolicy_editor_role.yaml
+- foo.policy_healthcheckpolicy_viewer_role.yaml
+- sea-creatures_leviathan_editor_role.yaml
+- sea-creatures_leviathan_viewer_role.yaml
+- sea-creatures_kraken_editor_role.yaml
+- sea-creatures_kraken_viewer_role.yaml
+- ship_cruiser_editor_role.yaml
+- ship_cruiser_viewer_role.yaml
+- ship_destroyer_editor_role.yaml
+- ship_destroyer_viewer_role.yaml
+- ship_frigate_editor_role.yaml
+- ship_frigate_viewer_role.yaml
+- crew_captain_editor_role.yaml
+- crew_captain_viewer_role.yaml

testdata/project-v4-multigroup/config/rbac/kustomization.yaml

@@ -16,3 +16,27 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- lakers_editor_role.yaml
+- lakers_viewer_role.yaml
+- fiz_bar_editor_role.yaml
+- fiz_bar_viewer_role.yaml
+- foo_bar_editor_role.yaml
+- foo_bar_viewer_role.yaml
+- foo.policy_healthcheckpolicy_editor_role.yaml
+- foo.policy_healthcheckpolicy_viewer_role.yaml
+- sea-creatures_leviathan_editor_role.yaml
+- sea-creatures_leviathan_viewer_role.yaml
+- sea-creatures_kraken_editor_role.yaml
+- sea-creatures_kraken_viewer_role.yaml
+- ship_cruiser_editor_role.yaml
+- ship_cruiser_viewer_role.yaml
+- ship_destroyer_editor_role.yaml
+- ship_destroyer_viewer_role.yaml
+- ship_frigate_editor_role.yaml
+- ship_frigate_viewer_role.yaml
+- crew_captain_editor_role.yaml
+- crew_captain_viewer_role.yaml

testdata/project-v4-with-deploy-image/config/rbac/kustomization.yaml

@@ -16,3 +16,11 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- busybox_editor_role.yaml
+- busybox_viewer_role.yaml
+- memcached_editor_role.yaml
+- memcached_viewer_role.yaml

testdata/project-v4-with-deploy-image/dist/install.yaml

@@ -340,6 +340,64 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: project-v4-with-deploy-image
+    app.kubernetes.io/instance: busybox-editor-role
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/part-of: project-v4-with-deploy-image
+  name: project-v4-with-deploy-image-busybox-editor-role
+rules:
+- apiGroups:
+  - example.com.testproject.org
+  resources:
+  - busyboxes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - example.com.testproject.org
+  resources:
+  - busyboxes/status
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: project-v4-with-deploy-image
+    app.kubernetes.io/instance: busybox-viewer-role
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/part-of: project-v4-with-deploy-image
+  name: project-v4-with-deploy-image-busybox-viewer-role
+rules:
+- apiGroups:
+  - example.com.testproject.org
+  resources:
+  - busyboxes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - example.com.testproject.org
+  resources:
+  - busyboxes/status
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
   name: project-v4-with-deploy-image-manager-role
 rules:
@@ -425,6 +483,64 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: project-v4-with-deploy-image
+    app.kubernetes.io/instance: memcached-editor-role
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/part-of: project-v4-with-deploy-image
+  name: project-v4-with-deploy-image-memcached-editor-role
+rules:
+- apiGroups:
+  - example.com.testproject.org
+  resources:
+  - memcacheds
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - example.com.testproject.org
+  resources:
+  - memcacheds/status
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: project-v4-with-deploy-image
+    app.kubernetes.io/instance: memcached-viewer-role
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/part-of: project-v4-with-deploy-image
+  name: project-v4-with-deploy-image-memcached-viewer-role
+rules:
+- apiGroups:
+  - example.com.testproject.org
+  resources:
+  - memcacheds
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - example.com.testproject.org
+  resources:
+  - memcacheds/status
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/component: kube-rbac-proxy

testdata/project-v4/config/rbac/kustomization.yaml

@@ -16,3 +16,13 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# default, aiding admins in cluster management. While optional
+# for managers, who can modify or remove them, their removal
+# means they won't be installed with your solution.
+- admiral_editor_role.yaml
+- admiral_viewer_role.yaml
+- firstmate_editor_role.yaml
+- firstmate_viewer_role.yaml
+- captain_editor_role.yaml
+- captain_viewer_role.yaml