document how subjects works with set-namespace #566

Merged
merged 2 commits into from
Sep 8, 2021
24 changes: 20 additions & 4 deletions functions/go/set-namespace/README.md
Expand Up @@ -36,10 +36,26 @@ by default the function will also update the [fields][commonnamespace] that
target the namespace. There are a few cases that worth pointing out:

- If there is a `Namespace` resource, its `metadata.name` field will be updated.
- If it's a `RoleBinding` or `ClusterRoleBinding` resource, `subject` can
reference either a namespaced resource or a cluster-scoped resource. When
there are references to namespace in the `subject` fields, they will be
updated by the function.
- If there's a `RoleBinding` or `ClusterRoleBinding` resource, the function will
update the namespace in the `ServiceAccount` if and only if the subject
element `name` is `default`. In the following example, the `set-namespace`
function will update `subjects.namespace` since the
corresponding `subjects.name` is `default`.
Contributor

Why do we have this limitation?

Contributor Author

This behavior is inherited from kustomize. The users may not always want to change subjects.namespace in RoleBinding and ClusterRoleBinding. With this behavior, the user can control if they want the namespace to be updated.
IMO when we have the resource selector feature, we will no longer need this feature.

Contributor Author

@natasha41575 Do you have any insights about that behavior in kustomize?


```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
...
subjects:
- kind: ServiceAccount
name: default # <======== using name default here
namespace: original-namespace
roleRef:
kind: Role
name: confluent-operator
apiGroup: rbac.authorization.k8s.io
```

This function can be used both declaratively and imperatively.
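
Review bot: The new bullet gives the rule ("if and only if the subject element `name` is `default`") but not its consequence or its reason. A subject with any other name keeps its original `namespace`, so after the function runs the binding still points at a service account in the old namespace; state that explicitly, ideally by adding a second, non-`default` subject to the example that is shown as left unchanged, and add a sentence that the behavior is inherited from kustomize, as explained in the review thread. The phrase "update the namespace in the `ServiceAccount`" also reads as if the ServiceAccount resource itself is modified; wording it as the `namespace` field of the matching `subjects` entry would be more precise and would match the `subjects.namespace` used later in the same bullet.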
