How can I support configuration of controller with slices of rbac/v1 PolicyRules

[mojochao]

I'm building a controller that needs to accept the optional configuration of two slices of rbac/v1 PolicyRule objects and use that data and am not sure of the best way to accomplish it.

The problem is this.

• The controller creates Role and ClusterRole objects for a Kubernetes user in a namespace
• The controller cannot know at compile time all RBAC group/version/kinds, only those that are standard Kubernetes API
• The controller needs to be able to read this data on extra policy rules into a var of type []*rbacv1.PolicyRule at controller init time
• The Kubebuilder book demonstrates how to add configuration of simple K/V data, but I can't find an example of how to configure things like slices of struct values

I could pass the yaml blocks for those slices in a config map under two env var keys if base64-encoded. Is there a more elegant/idiomatic solution?

Many thanks in advance!
-allen

[camilamacedo86]

Hi @mojochao,

First, it's essential to clarify a point about RBAC when working with Kubebuilder and Operators. The RBAC configuration pertains to the entire Operator project. It's not specified for each individual controller within the Operator. This means that when you set up permissions, it's at the broader Operator level rather than a specific controller.

Permission Consideration: An important thing to note is that by using this approach, your Manager will require permissions to manage Role and ClusterRole objects. Depending on your cluster's security policies, granting such permissions might raise concerns, so you'll need to evaluate this aspect carefully.

Following some possible approaches/ideas

Create an API/CRD and a Controller to manage the RBAC:

One potential approach might to be define a custom CRD, let's call it RBAConfig. Within its spec, you can allow users to provide configurations that match the rbacv1.PolicyRule structure.

Then, the controller responsible for reconcile the RBAConfig (i.e RBAConfigController) would be to monitor instances of the RBAConfig CRD and dynamically create the necessary Role or ClusterRole objects in response to changes in the RBAConfig resources.

Use API Discovery To Manage the RBACs when the manager initialize (cmd/main.go):

You might can use dynamically API discovery with something like:

// ... other imports ...
import (
    "k8s.io/client-go/discovery"
    "k8s.io/client-go/kubernetes"
)

// ... in your main function ...
config, err := config.GetConfig()
if err != nil {
    // Handle error
}

clientset, err := kubernetes.NewForConfig(config)
if err != nil {
    // Handle error
}

discoveryClient := discovery.NewDiscoveryClientForConfigOrDie(config)
apiGroups, err := discoveryClient.ServerGroups()
if err != nil {
    // Handle error
}

for _, group := range apiGroups.Groups {
    // Examine group.Name, group.Versions, etc. to understand available APIs
    // Process as required
}

I hope that helps you out and answer your question
Due the fact of it be open for too long (2021) I am closing this one
However, feel free to re-open if you see that is required.