

feat: Implement MetaSelector + target details on DynamicRoleBinding
Co-Authored-By: Sebastián Vargas <[email protected]>
achetronic and sebastocorp committed Aug 6, 2024
1 parent 778ff6e commit c597340
Showing 8 changed files with 224 additions and 54 deletions.
23 changes: 23 additions & 0 deletions README.md
Expand Up @@ -109,6 +109,8 @@ spec:
# Desired name for produced ClusterRole
target:
name: example-policy
annotations: {}
labels: {}
# This is where the allowed policies are expressed
# Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
Expand Down Expand Up @@ -223,7 +225,18 @@ spec:
apiGroup: ""
kind: ServiceAccount
# (Optional)
# ServiceAccounts can be selected by some metadata
# This field is mutually exclusive with 'nameSelector'
metaSelector:
# Select by matching labels
matchLabels:
managed-by: custom-operator
# (Optional)
# ServiceAccount names can be matched by exact name, or a Golang regular expression.
# This field is mutually exclusive with 'metaSelector'
# Attention: Only one can be performed.
nameSelector:
Expand All @@ -239,6 +252,7 @@ spec:
# negative: false
# expression: "^(.*)$"
# (Optional)
# To look for a ServiceAccount, namespaces can be matched by exact name,
# by their labels, or a Golang regular expression.
# Attention: Only one can be performed.
Expand All @@ -264,6 +278,15 @@ spec:
# For those members selected in the previous section
targets:
# (Required)
# Name of the RoleBinding objects to be created
name: example-policy
# Add some metadata to the RoleBinding objects
annotations: {}
labels: {}
# (Optional)
# Target namespaces can be matched by exact name,
# by their labels, or a Golang regular expression.
# Attention: Only one can be performed.
16 changes: 13 additions & 3 deletions api/v1alpha1/dynamicrolebinding_types.go
Expand Up @@ -22,7 +22,12 @@ import (

type MatchRegexT struct {
Negative bool `json:"negative,omitempty"`
Expression string `json:"expression"`
Expression string `json:"expression,omitempty"`
}

// TODO
type MetaSelectorT struct {
MatchLabels map[string]string `json:"matchLabels,omitempty"`
}

// TODO
Expand All @@ -43,7 +48,8 @@ type DynamicRoleBindingSourceSubject struct {
ApiGroup string `json:"apiGroup"`
Kind string `json:"kind"`

NameSelector NameSelectorT `json:"nameSelector"`
MetaSelector MetaSelectorT `json:"metaSelector,omitempty"`
NameSelector NameSelectorT `json:"nameSelector,omitempty"`
NamespaceSelector NamespaceSelectorT `json:"namespaceSelector,omitempty"`
}

Expand All @@ -56,7 +62,11 @@ type DynamicRoleBindingSource struct {

// TODO
type DynamicRoleBindingTargets struct {
NamespaceSelector NamespaceSelectorT `json:"namespaceSelector"`
Name string `json:"name"`
Annotations map[string]string `json:"annotations,omitempty"`
Labels map[string]string `json:"labels,omitempty"`

NamespaceSelector NamespaceSelectorT `json:"namespaceSelector,omitempty"`
}

// DynamicRoleBindingSpec defines the desired state of DynamicRoleBinding
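Review bot: `omitempty` on the struct-valued fields `MetaSelector`, `NameSelector` and `NamespaceSelector` in `DynamicRoleBindingSourceSubject` (and on `NamespaceSelector` in `DynamicRoleBindingTargets`) has no effect in encoding/json, because a struct value is never considered empty, so the CRD now marks these as optional while the controller cannot distinguish an absent selector from a zero-valued one; the Kubernetes convention for an optional nested object is a pointer with a `// +optional` marker, e.g. `MetaSelector *MetaSelectorT `json:"metaSelector,omitempty"``. The mutual exclusion of `metaSelector` and `nameSelector` stated in the README, and the expectation that at least one is set (the regenerated CRD drops `nameSelector` from `required`), now live only in comments; with pointer fields, a CEL marker on the struct such as `// +kubebuilder:validation:XValidation:rule="has(self.metaSelector) != has(self.nameSelector)",message="exactly one of metaSelector or nameSelector must be set"` would reject subjects that select nothing or select ambiguously at admission time, before the controller reconciles them (how the controller treats an empty selector is not visible in this diff). Likewise `Expression` becoming `omitempty` makes an empty regex schema-valid; whether an empty pattern ends up matching every name depends on code outside this hunk and is worth pinning with a `// +kubebuilder:validation:MinLength=1` marker or a test. The `// TODO` doc comments on `MetaSelectorT` and the neighbouring types surface verbatim as `description: TODO` in the generated CRD; a one-line description starting with the type name, such as `// MetaSelectorT selects ServiceAccounts by their metadata labels.`, would replace them. The `DynamicRoleBindingSourceSubject` definition opens outside the hunk.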
37 changes: 37 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


27 changes: 19 additions & 8 deletions config/crd/bases/kuberbac.prosimcorp.com_dynamicrolebindings.yaml
Expand Up @@ -52,6 +52,14 @@ spec:
type: string
kind:
type: string
metaSelector:
description: TODO
properties:
matchLabels:
additionalProperties:
type: string
type: object
type: object
nameSelector:
description: TODO
properties:
Expand All @@ -65,8 +73,6 @@ spec:
type: string
negative:
type: boolean
required:
- expression
type: object
type: object
namespaceSelector:
Expand All @@ -86,14 +92,11 @@ spec:
type: string
negative:
type: boolean
required:
- expression
type: object
type: object
required:
- apiGroup
- kind
- nameSelector
type: object
required:
- clusterRole
Expand All @@ -110,6 +113,16 @@ spec:
targets:
description: TODO
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
name:
type: string
namespaceSelector:
description: TODO
properties:
Expand All @@ -127,12 +140,10 @@ spec:
type: string
negative:
type: boolean
required:
- expression
type: object
type: object
required:
- namespaceSelector
- name
type: object
required:
- source
2 changes: 2 additions & 0 deletions config/samples/kuberbac_v1alpha1_dynamicclusterrole.yaml
Expand Up @@ -10,6 +10,8 @@ spec:
# Desired name for produced ClusterRole
target:
name: example-policy
annotations: {}
labels: {}

# This is where the allowed policies are expressed
# Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
21 changes: 21 additions & 0 deletions config/samples/kuberbac_v1alpha1_dynamicrolebinding.yaml
Expand Up @@ -43,7 +43,18 @@ spec:
apiGroup: ""
kind: ServiceAccount

# (Optional)
# ServiceAccounts can be selected by some metadata
# This field is mutually exclusive with 'nameSelector'
metaSelector:

# Select by matching labels
matchLabels:
managed-by: custom-operator

# (Optional)
# ServiceAccount names can be matched by exact name, or a Golang regular expression.
# This field is mutually exclusive with 'metaSelector'
# Attention: Only one can be performed.
nameSelector:

Expand All @@ -59,6 +70,7 @@ spec:
# negative: false
# expression: "^(.*)$"

# (Optional)
# To look for a ServiceAccount, namespaces can be matched by exact name,
# by their labels, or a Golang regular expression.
# Attention: Only one can be performed.
Expand All @@ -84,6 +96,15 @@ spec:
# For those members selected in the previous section
targets:

# (Required)
# Name of the RoleBinding objects to be created
name: example-policy

# Add some metadata to the RoleBinding objects
annotations: {}
labels: {}

# (Optional)
# Target namespaces can be matched by exact name,
# by their labels, or a Golang regular expression.
# Attention: Only one can be performed.
24 changes: 23 additions & 1 deletion docs/prototype/dynamicRoleBinding.yaml
Expand Up @@ -43,7 +43,18 @@ spec:
apiGroup: ""
kind: ServiceAccount

# (Optional)
# ServiceAccounts can be selected by some metadata
# This field is mutually exclusive with 'nameSelector'
metaSelector:

# Select by matching labels
matchLabels:
managed-by: custom-operator

# (Optional)
# ServiceAccount names can be matched by exact name, or a Golang regular expression.
# This field is mutually exclusive with 'metaSelector'
# Attention: Only one can be performed.
nameSelector:

Expand All @@ -59,6 +70,7 @@ spec:
# negative: false
# expression: "^(.*)$"

# (Optional)
# To look for a ServiceAccount, namespaces can be matched by exact name,
# by their labels, or a Golang regular expression.
# Attention: Only one can be performed.
Expand All @@ -84,6 +96,15 @@ spec:
# For those members selected in the previous section
targets:

# (Required)
# Name of the RoleBinding objects to be created
name: example-policy

# Add some metadata to the RoleBinding objects
annotations: {}
labels: {}

# (Optional)
# Target namespaces can be matched by exact name,
# by their labels, or a Golang regular expression.
# Attention: Only one can be performed.
Expand All @@ -102,4 +123,5 @@ spec:
# Select those ServiceAccounts in namespaces different from: kube-system, kube-public or default
# matchRegex:
# negative: true
# expression: "^(default|kube-system|kube-public)$"
# expression: "^(default|kube-system|kube-public)$"
