Releases: prosimcorp/kuberbac
v0.4.2
Fixes:
- Delete generated targets on resource deletion: previously, when deleting DynamicClusterRole or DynamicRoleBinding resources, the targets that were generated with them were not removed. This was not the intended behavior, so here we go with a fix for that
- Show resource status on kubectl get {resource} requests: this will help ops people debug the status of the created resource faster. This fix shows three new columns: READY, STATUS and AGE
Contributors:
@achetronic
v0.4.1
Fixes:
- Ignore NotFound error when evaluating targets.clusterScoped on DynamicRoleBinding: we were breaking the flow when any type of error was thrown. NotFound is not considered an error by the controller at that point
- Add permissions to allow the controller to handle ClusterRoleBinding resources
Contributors:
@sebastocorp @achetronic
v0.4.0
Features:
- Add metaSelector.matchAnnotations to the subject in DynamicRoleBinding: this is useful in cases where it's not possible to select by labels, as labels cannot always be changed in ServiceAccounts due to company deployments, etc. For those people, it's now possible to select by matching annotations
- Add clusterScoped flag to DynamicRoleBinding. This flag creates a ClusterRoleBinding for the subjects instead of RoleBindings in the selected namespaces
Contributors:
@sebastocorp @achetronic
v0.3.0
Features:
- Include target.separateScopes field on DynamicClusterRole resource: this will generate two ClusterRoles instead of one. One of them (suffixed -cluster) is filled with cluster-wide resources and the other (suffixed -namespace) is filled with namespace-scoped resources. This separation is useful to attach cluster-wide resources to a subject using a ClusterRoleBinding, and attach namespace-scoped resources using RoleBindings
Fixes:
- DynamicClusterRole controller now sets ownership annotations on its resulting ClusterRole resources
Contributors:
@sebastocorp @achetronic
v0.2.0
Features:
- Include subject.metaSelector field on DynamicRoleBinding resource: this is mutually exclusive with nameSelector and is useful for situations where automated systems create ServiceAccounts with unpredictable-pattern names
- Include target.name, target.labels and target.annotations fields. This is useful to produce RoleBinding resources with desired metadata
Fixes:
- Fix examples for DynamicRoleBinding resources
Contributors:
@sebastocorp @achetronic
v0.1.1
Fixes:
- Include bind and escalate verbs on ClusterRole used by the controllers to perform actions: we need this kind of privilege to manage RBAC resources
Contributors:
@sebastocorp @achetronic
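The v0.1.1 fix above gives the controllers' ClusterRole the bind and escalate verbs, which in Kubernetes RBAC let a subject bind or write roles carrying permissions it does not itself hold. As an added example (not part of kuberbac or of these release notes), this Python check flags rules that grant those verbs on Role/ClusterRole objects, wildcards included; the manifests and their names are constructed samples.

```python
# Added example (not kuberbac code): flag RBAC rules that grant the
# bind or escalate verbs on roles/clusterroles, including via wildcards.
RBAC_GROUP = "rbac.authorization.k8s.io"
SENSITIVE_VERBS = {"bind", "escalate"}
ROLE_RESOURCES = {"roles", "clusterroles"}


def _matches(granted, wanted):
    """True if a rule field holds a wildcard or any of the wanted values."""
    granted = set(granted or [])
    return "*" in granted or bool(granted & wanted)


def escalation_rules(role):
    """Return [(rule_index, verbs)] for rules allowing bind/escalate on roles."""
    findings = []
    for i, rule in enumerate(role.get("rules") or []):
        if not _matches(rule.get("apiGroups"), {RBAC_GROUP}):
            continue
        if not _matches(rule.get("resources"), ROLE_RESOURCES):
            continue
        verbs = set(rule.get("verbs") or [])
        hit = SENSITIVE_VERBS if "*" in verbs else verbs & SENSITIVE_VERBS
        if hit:
            findings.append((i, sorted(hit)))
    return findings


# Constructed sample manifests as Python dicts (hypothetical names).
CONTROLLER_ROLE = {"metadata": {"name": "example-rbac-controller"}, "rules": [
    {"apiGroups": [""], "resources": ["serviceaccounts", "namespaces"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [RBAC_GROUP],
     "resources": ["clusterroles", "rolebindings", "clusterrolebindings"],
     "verbs": ["get", "list", "create", "update", "delete", "bind", "escalate"]},
]}
WILDCARD_ROLE = {"metadata": {"name": "example-wildcard"}, "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
READER_ROLE = {"metadata": {"name": "example-reader"}, "rules": [
    {"apiGroups": [RBAC_GROUP], "resources": ["clusterroles"],
     "verbs": ["get", "list"]}]}

if __name__ == "__main__":
    for role in (CONTROLLER_ROLE, WILDCARD_ROLE, READER_ROLE):
        print(role["metadata"]["name"], escalation_rules(role))
```

Any subject flagged by this check, a controller's ServiceAccount included, can grant permissions beyond its own, so it belongs in the same review scope as cluster-admin bindings.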
v0.1.0
Highlights:
- Ability to manage dynamic ClusterRole resources using DynamicClusterRole: this type of resource can be used to create ClusterRole resources with allow/deny sections to produce a Kubernetes additive-only approach. These resources must be atomic, so only those things expressed as allow policies can have some deny counterpart.
- Ability to manage dynamic RoleBinding resources using DynamicRoleBinding: this resource type is able to link an existing ClusterRole with a subject that can be expressed dynamically, looking for them by Kubernetes labels, regular expressions, etc.
- Examples added into samples directory
- Friendly messages on our custom resources: potential failures can be debugged with ease by observing the logs or status.conditions
- Helpful README: examples for deployment and several use cases
Contributors:
@sebastocorp @achetronic