feat(rbac) : add editor and viewer role for crds

camilamacedo86 committed Nov 8, 2019
1 parent dc32e46 commit 081a11447d495179043527a2139c031ef276181c
@@ -185,6 +185,8 @@ func (api *API) scaffoldV2() error {
Resource: r},
&scaffoldv2.Group{Resource: r},
&scaffoldv2.CRDSample{Resource: r},
&scaffoldv2.CRDEditorRole{Resource: r},
&scaffoldv2.CRDViewerRole{Resource: r},
&crdv2.EnableWebhookPatch{Resource: r},
&crdv2.EnableCAInjectionPatch{Resource: r},
}
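Review bot: Nothing in this hunk wires the newly scaffolded `config/rbac/<kind>_editor_role.yaml` and `<kind>_viewer_role.yaml` into `config/rbac/kustomization.yaml`, so unless that happens elsewhere in this commit the generated roles sit in the repo but are never part of the default kustomize build. Either register them there or state in the generated file header that they are opt-in, e.g. `# This role is not included in config/rbac/kustomization.yaml by default; add it to grant end users access.` The `CRDEditorRole` and `CRDViewerRole` entries are placed next to `CRDSample`, which is consistent with the other per-resource scaffolds. scaffoldV2 starts and ends outside this hunk.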
@@ -0,0 +1,79 @@
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v2

import (
"fmt"
"path/filepath"
"strings"

"sigs.k8s.io/kubebuilder/pkg/scaffold/input"
"sigs.k8s.io/kubebuilder/pkg/scaffold/resource"
)

var _ input.File = &CRDEditorRole{}

// CRD Editor role scaffolds the config/rbca/<kind>_editor_role.yaml
type CRDEditorRole struct {
input.Input

// Resource is a resource in the API group
Resource *resource.Resource
}

// GetInput implements input.File
func (g *CRDEditorRole) GetInput() (input.Input, error) {
if g.Path == "" {
g.Path = filepath.Join("config", "rbac", fmt.Sprintf("%s_editor_role.yaml", strings.ToLower(g.Resource.Kind)))
}

g.TemplateBody = crdRoleEditorTemplate
return g.Input, nil
}

// Validate validates the values
func (g *CRDEditorRole) Validate() error {
return g.Resource.Validate()
}

const crdRoleEditorTemplate = `# permissions to do edit {{ .Resource.Resource }}.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ lower .Resource.Kind }}-editor-role
rules:
- apiGroups:
- {{ .Resource.Group }}.{{ .Domain }}
resources:
- {{ .Resource.Resource }}
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- {{ .Resource.Group }}.{{ .Domain }}
resources:
- {{ .Resource.Resource }}/status
verbs:
- get
- patch
- update
`
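Review bot: The editor ClusterRole template grants `patch` and `update` on the `{{ .Resource.Resource }}/status` subresource (the second rule), which lets any subject bound to the editor role overwrite status that the controller normally owns and so misreport reconciled state; I would reduce that rule to `- get` so editors can read status while only the manager writes it. The rendered object is a cluster-scoped `ClusterRole` with no binding, which is fine for a reusable role, but the generated comment should say how it is meant to be used: `# permissions for end users to edit {{ .Resource.Resource }}; bind with a RoleBinding to limit it to one namespace.` Two doc nits in the Go file: the type comment should begin with the type name and `config/rbca/` is a typo, i.e. `// CRDEditorRole scaffolds config/rbac/<kind>_editor_role.yaml.` GetInput and Validate both dereference `g.Resource` without a nil check, which is the same pattern as the neighbouring scaffolds but worth a `// Resource must be set before GetInput/Validate are called.` on the field.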
@@ -0,0 +1,73 @@
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v2

import (
"fmt"
"path/filepath"
"strings"

"sigs.k8s.io/kubebuilder/pkg/scaffold/input"
"sigs.k8s.io/kubebuilder/pkg/scaffold/resource"
)

var _ input.File = &CRDViewerRole{}

// CRD Viewer role scaffolds the config/rbca/<kind>_viewer_role.yaml
type CRDViewerRole struct {
input.Input

// Resource is a resource in the API group
Resource *resource.Resource
}

// GetInput implements input.File
func (g *CRDViewerRole) GetInput() (input.Input, error) {
if g.Path == "" {
g.Path = filepath.Join("config", "rbac", fmt.Sprintf("%s_viewer_role.yaml", strings.ToLower(g.Resource.Kind)))
}

g.TemplateBody = crdRoleViewerTemplate
return g.Input, nil
}

// Validate validates the values
func (g *CRDViewerRole) Validate() error {
return g.Resource.Validate()
}

const crdRoleViewerTemplate = `# permissions to do viewer {{ .Resource.Resource }}.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ lower .Resource.Kind }}-viewer-role
rules:
- apiGroups:
- {{ .Resource.Group }}.{{ .Domain }}
resources:
- {{ .Resource.Resource }}
verbs:
- get
- list
- watch
- apiGroups:
- {{ .Resource.Group }}.{{ .Domain }}
resources:
- {{ .Resource.Resource }}/status
verbs:
- get
`
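Review bot: Both the output path (`strings.ToLower(g.Resource.Kind)` in GetInput) and the ClusterRole name (`{{ lower .Resource.Kind }}-viewer-role`) are keyed on Kind alone, so if a project ever holds two resources with the same Kind in different groups the second scaffold overwrites the first file and both would declare one ClusterRole name; including the group, e.g. `{{ lower .Resource.Group }}-{{ lower .Resource.Kind }}-viewer-role`, would avoid that, though the e2e path lookup would need the same change. The generated header `# permissions to do viewer {{ .Resource.Resource }}.` reads oddly; `# permissions for end users to view {{ .Resource.Resource }}.` says what the role is for. The type comment should start with the type name and `config/rbca/` is a typo: `// CRDViewerRole scaffolds config/rbac/<kind>_viewer_role.yaml.` This type duplicates CRDEditorRole except for the verb list, which suggests one struct with a role-kind field and a single template would be easier to keep consistent.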
@@ -246,6 +246,20 @@ var _ = Describe("kubebuilder", func() {
return err
}, time.Minute, time.Second).Should(Succeed())

By("applying CRD Editor Role")
crdEditorRole := filepath.Join("config", "rbac", fmt.Sprintf("%s_editor_role.yaml", strings.ToLower(kbc.Kind)))
Eventually(func() error {
_, err = kbc.Kubectl.Apply(true, "-f", crdEditorRole)
return err
}, time.Minute, time.Second).Should(Succeed())

By("applying CRD Viewer Role")
crdViewerRole := filepath.Join("config", "rbac", fmt.Sprintf("%s_viewer_role.yaml", strings.ToLower(kbc.Kind)))
Eventually(func() error {
_, err = kbc.Kubectl.Apply(true, "-f", crdViewerRole)
return err
}, time.Minute, time.Second).Should(Succeed())

By("validate the created resource object gets reconciled in controller")
managerContainerLogs := func() string {
logOutput, err := kbc.Kubectl.Logs(controllerPodName, "-c", "manager")
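Review bot: The new steps only assert that `kubectl apply` of the editor and viewer manifests succeeds, which proves the YAML is accepted as RBAC but not that the roles grant what they claim; a follow-up `kubectl auth can-i` check against a subject bound to each role (for example `can-i patch <resource>/status` expected to be denied for the viewer) would pin the intended permissions, assuming `kbc.Kubectl` exposes a generic command helper, which is not visible here. The roles are cluster-scoped and this hunk applies them without deleting them; if cleanup happens in an AfterEach outside the hunk that is fine, otherwise they outlive the test and can collide with other specs using the same Kind. The `true` passed to `kbc.Kubectl.Apply` is an unexplained boolean; a short comment on what that argument controls would help a reader. The enclosing It block starts and ends outside this hunk.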
@@ -0,0 +1,26 @@
# permissions to do edit admirals.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: admiral-editor-role
rules:
- apiGroups:
- crew.testproject.org
resources:
- admirals
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- crew.testproject.org
resources:
- admirals/status
verbs:
- get
- patch
- update
@@ -0,0 +1,20 @@
# permissions to do viewer admirals.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: admiral-viewer-role
rules:
- apiGroups:
- crew.testproject.org
resources:
- admirals
verbs:
- get
- list
- watch
- apiGroups:
- crew.testproject.org
resources:
- admirals/status
verbs:
- get
@@ -0,0 +1,26 @@
# permissions to do edit captains.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: captain-editor-role
rules:
- apiGroups:
- crew.testproject.org
resources:
- captains
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- crew.testproject.org
resources:
- captains/status
verbs:
- get
- patch
- update
@@ -0,0 +1,20 @@
# permissions to do viewer captains.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: captain-viewer-role
rules:
- apiGroups:
- crew.testproject.org
resources:
- captains
verbs:
- get
- list
- watch
- apiGroups:
- crew.testproject.org
resources:
- captains/status
verbs:
- get
@@ -0,0 +1,26 @@
# permissions to do edit firstmates.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: firstmate-editor-role
rules:
- apiGroups:
- crew.testproject.org
resources:
- firstmates
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- crew.testproject.org
resources:
- firstmates/status
verbs:
- get
- patch
- update
@@ -0,0 +1,20 @@
# permissions to do viewer firstmates.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: firstmate-viewer-role
rules:
- apiGroups:
- crew.testproject.org
resources:
- firstmates
verbs:
- get
- list
- watch
- apiGroups:
- crew.testproject.org
resources:
- firstmates/status
verbs:
- get
