-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ (kustomize/v2): Add CRD viewer and editor roles in rbac/kustomization.yaml #3800
Conversation
Welcome @lunarwhite! |
Hi @lunarwhite. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Hi @camilamacedo86, you could take a look whenever you get a chance. Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/ok-to-test
Hi @camilamacedo86, I'd appreciate it if you could take a look at this PR^^ |
@@ -16,3 +16,6 @@ resources: | |||
- auth_proxy_role.yaml | |||
- auth_proxy_role_binding.yaml | |||
- auth_proxy_client_clusterrole.yaml | |||
# Editor and Viewer roles for each CRD to be used by end users. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add a better comment here to clarify why it is scaffold/when it is useful?
Example/Suggestion
For each CRD, "Editor" and "Viewer" roles are scaffolded by default, aiding admins in cluster management. While optional for managers, who can modify or remove them, their removal means they won't be installed with your solution.
docs/book/src/getting-started.md
Outdated
// If there's an error, then restart from the beginning of the reconcile | ||
if err != nil { | ||
return reconcile.Result{}, err | ||
} | ||
|
||
// Look for Database CR/CRD | ||
// Look for Database CR/CRD |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
those changes make no part of this PR please rebase with master and if it still
revert
@@ -60,4 +60,5 @@ const kustomizeRBACTemplate = `resources: | |||
- auth_proxy_role.yaml | |||
- auth_proxy_role_binding.yaml | |||
- auth_proxy_client_clusterrole.yaml | |||
# Editor and Viewer roles for each CRD to be used by end users. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lets just add this line when we create/scaffold an API and not via the init by default.
WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree, it would be more clear.
Do we still need to add a marker (such as #+kubebuilder:scaffold:..
) as the InsertCode's target in this kustomization file? Or is there any better approach? I'd appreciate it if you could shed some more light on this!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, just insert this line when we create the first API. Because today we create the file when we run kb init. So, if nobody run create API project than would not make sense have the comment without any API/CRD bellow right?
If you see that is to hard and get stuck that is fine we can move with it as it is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @lunarwhite
Really great work 🥇
It is amazing !!!
Just a few details / small nits suggestions and then I think we are ready to get merged this one. Could you please give a look?
@@ -16,3 +16,9 @@ resources: | |||
- auth_proxy_role.yaml |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You request this one. What do you think?
Is that addressing your need?
94952ab
to
bc40b32
Compare
@camilamacedo86, just found that ...
make[1]: Entering directory '/workspaces/kubebuilder/testdata/project-v4-multigroup'
/workspaces/kubebuilder/testdata/project-v4-multigroup/bin/controller-gen-v0.14.0 rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
/workspaces/kubebuilder/testdata/project-v4-multigroup/bin/controller-gen-v0.14.0 object:headerFile="hack/boilerplate.go.txt" paths="./..."
Downloading sigs.k8s.io/kustomize/kustomize/v5@v5.3.0
mkdir -p dist
cd config/manager && /workspaces/kubebuilder/testdata/project-v4-multigroup/bin/kustomize-v5.3.0 edit set image controller=controller:latest
/workspaces/kubebuilder/testdata/project-v4-multigroup/bin/kustomize-v5.3.0 build config/default > dist/install.yaml
Error: accumulating resources: accumulation err='accumulating resources from '../rbac': '/workspaces/kubebuilder/testdata/project-v4-multigroup/config/rbac' must resolve to a file': recursed accumulation of path '/workspaces/kubebuilder/testdata/project-v4-multigroup/config/rbac': accumulating resources: accumulation err='merging resources from 'foo_bar_editor_role.yaml': may not add resource with an already registered id: ClusterRole.v1.rbac.authorization.k8s.io/bar-editor-role.[noNs]': must build at directory: '/workspaces/kubebuilder/testdata/project-v4-multigroup/config/rbac/foo_bar_editor_role.yaml': file is not directory
make[1]: *** [Makefile:121: build-installer] Error 1
make[1]: Leaving directory '/workspaces/kubebuilder/testdata/project-v4-multigroup'
make: *** [Makefile:80: generate-testdata] Error 2 One is:
It may indicate that there is more than one ClusterRole named "bar-editor-role" under project-v4-multigroup: Do you have any idea? Should we ensure that the names of scaffolded ClusterRoles are unique? |
Hi @lunarwhite Before you do the rebase the dist/install.yaml was not been generating to multi-group layouts due a bug in the scaffold that was solved with the PR: https://github.com/kubernetes-sigs/kubebuilder/pull/3838/files So, that means we probably have an issue with the edit/view roles generated in this scenario which requires a fix. The issue is:
Then, what we need to do is start to: if is multigroup layour and the resource has a group we should use in the name of the RBAC rule. That is the issue Edit and View Rules are not using the Group name when the project has multi-group layout support. See the fix: #3845 |
# For each CRD, "Editor" and "Viewer" roles are scaffolded by | ||
# default, aiding admins in cluster management. While optional | ||
# for managers, who can modify or remove them, their removal | ||
# means they won't be installed with your solution. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, now I check the comment here better.
See that Manager means the "cmd/main.go" -> The Project Itself
We call Manager because it Manages Controllers
So, i think we need to improve this comment here.
# For each CRD, "Editor" and "Viewer" roles are scaffolded by
# default, aiding admins in cluster management. Those roles are
# not used by the Project itself. You can comment the following lines
# if you do not want those helpers be installed with your Project.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I did not check properly the comment
See we just need to address this nit: https://github.com/kubernetes-sigs/kubebuilder/pull/3800/files#r1554527783
Then, I am happy to approve this one for we get this one merged
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approved
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: camilamacedo86, lunarwhite The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/override pull-kubebuilder-e2e-k8s-1-29-2 |
@camilamacedo86: Overrode contexts on behalf of camilamacedo86: pull-kubebuilder-e2e-k8s-1-29-2 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/override pull-kubebuilder-e2e-k8s-1-29-2 Reason:https://kubernetes.slack.com/archives/CCK68P2Q2/p1712378775102839 |
@camilamacedo86: Overrode contexts on behalf of camilamacedo86: pull-kubebuilder-e2e-k8s-1-29-2 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/lgtm |
/override pull-kubebuilder-e2e-k8s-1-29-2 Reason:https://kubernetes.slack.com/archives/CCK68P2Q2/p1712378775102839 |
@camilamacedo86: Overrode contexts on behalf of camilamacedo86: pull-kubebuilder-e2e-k8s-1-29-2 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/override pull-kubebuilder-e2e-k8s-1-29-2 |
@camilamacedo86: Overrode contexts on behalf of camilamacedo86: pull-kubebuilder-e2e-k8s-1-29-2 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Description
Fixes #3782
Add the logic to insert generated roles into kustomization file when executing
kubebuilder create api
.Cleanup