feat(rbac) : add editor and viewer role for crds
1 parent
dc32e46
commit 18db06b
Showing
10 changed files
with
306 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,79 @@ | ||
/* | ||
Copyright 2018 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package v2 | ||
|
||
import ( | ||
"fmt" | ||
"path/filepath" | ||
"strings" | ||
|
||
"sigs.k8s.io/kubebuilder/pkg/scaffold/input" | ||
"sigs.k8s.io/kubebuilder/pkg/scaffold/resource" | ||
) | ||
|
||
var _ input.File = &CRDEditorRole{} | ||
|
||
// CRD Editor role scaffolds the config/rbca/<kind>_editor_role.yaml | ||
type CRDEditorRole struct { | ||
input.Input | ||
|
||
// Resource is a resource in the API group | ||
Resource *resource.Resource | ||
} | ||
|
||
// GetInput implements input.File | ||
func (g *CRDEditorRole) GetInput() (input.Input, error) { | ||
if g.Path == "" { | ||
g.Path = filepath.Join("config", "rbac", fmt.Sprintf("%s_editor_role.yaml", strings.ToLower(g.Resource.Kind))) | ||
} | ||
|
||
g.TemplateBody = crdRoleEditorTemplate | ||
return g.Input, nil | ||
} | ||
|
||
// Validate validates the values | ||
func (g *CRDEditorRole) Validate() error { | ||
return g.Resource.Validate() | ||
} | ||
|
||
const crdRoleEditorTemplate = `# permissions to do edit {{ .Resource.Resource }}. | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: {{ lower .Resource.Kind }}-editor-role | ||
rules: | ||
- apiGroups: | ||
- {{ .Resource.Group }}.{{ .Domain }} | ||
resources: | ||
- {{ .Resource.Resource }} | ||
verbs: | ||
- create | ||
- delete | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: | ||
- {{ .Resource.Group }}.{{ .Domain }} | ||
resources: | ||
- {{ .Resource.Resource }}/status | ||
verbs: | ||
- get | ||
- patch | ||
- update | ||
` |
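Review bot: The second rule in `crdRoleEditorTemplate` grants `patch` and `update` on `{{ .Resource.Resource }}/status`, so any subject bound to the editor role can overwrite the status subresource, which is normally written only by the resource's controller. Unless editors are meant to set status by hand, that rule should carry just `- get`, as the viewer template does. Both the ClusterRole name (`{{ lower .Resource.Kind }}-editor-role`) and the file path in `GetInput` are derived from the Kind alone, so two resources with the same Kind in different groups would map to one name and one file; the viewer scaffold has the same construction, and whether the scaffolder permits such a project is not visible here. The type comment misspells the directory and does not start with the type name; `// CRDEditorRole scaffolds the config/rbac/<kind>_editor_role.yaml file.` fixes both, and the same applies to `CRDViewerRole`.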
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
/* | ||
Copyright 2018 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package v2 | ||
|
||
import ( | ||
"fmt" | ||
"path/filepath" | ||
"strings" | ||
|
||
"sigs.k8s.io/kubebuilder/pkg/scaffold/input" | ||
"sigs.k8s.io/kubebuilder/pkg/scaffold/resource" | ||
) | ||
|
||
var _ input.File = &CRDViewerRole{} | ||
|
||
// CRD Viewer role scaffolds the config/rbca/<kind>_viewer_role.yaml | ||
type CRDViewerRole struct { | ||
input.Input | ||
|
||
// Resource is a resource in the API group | ||
Resource *resource.Resource | ||
} | ||
|
||
// GetInput implements input.File | ||
func (g *CRDViewerRole) GetInput() (input.Input, error) { | ||
if g.Path == "" { | ||
g.Path = filepath.Join("config", "rbac", fmt.Sprintf("%s_viewer_role.yaml", strings.ToLower(g.Resource.Kind))) | ||
} | ||
|
||
g.TemplateBody = crdRoleViewerTemplate | ||
return g.Input, nil | ||
} | ||
|
||
// Validate validates the values | ||
func (g *CRDViewerRole) Validate() error { | ||
return g.Resource.Validate() | ||
} | ||
|
||
const crdRoleViewerTemplate = `# permissions to do viewer {{ .Resource.Resource }}. | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: {{ lower .Resource.Kind }}-viewer-role | ||
rules: | ||
- apiGroups: | ||
- {{ .Resource.Group }}.{{ .Domain }} | ||
resources: | ||
- {{ .Resource.Resource }} | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- {{ .Resource.Group }}.{{ .Domain }} | ||
resources: | ||
- {{ .Resource.Resource }}/status | ||
verbs: | ||
- get | ||
` |
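Review bot: The header comment emitted by `crdRoleViewerTemplate`, `# permissions to do viewer {{ .Resource.Resource }}.`, is not a readable sentence and is copied into every scaffolded project; `# permissions for end users to view {{ .Resource.Resource }}.` states what the role is for. Since this is a ClusterRole, it would also help to have that comment say the role grants read access in every namespace once bound with a ClusterRoleBinding, so users choose the binding type deliberately.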
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
# permissions to do edit admirals. | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: admiral-editor-role | ||
rules: | ||
- apiGroups: | ||
- crew.testproject.org | ||
resources: | ||
- admirals | ||
verbs: | ||
- create | ||
- delete | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: | ||
- crew.testproject.org | ||
resources: | ||
- admirals/status | ||
verbs: | ||
- get | ||
- patch | ||
- update |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
# permissions to do viewer admirals. | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: admiral-viewer-role | ||
rules: | ||
- apiGroups: | ||
- crew.testproject.org | ||
resources: | ||
- admirals | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- crew.testproject.org | ||
resources: | ||
- admirals/status | ||
verbs: | ||
- get |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
# permissions to do edit captains. | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: captain-editor-role | ||
rules: | ||
- apiGroups: | ||
- crew.testproject.org | ||
resources: | ||
- captains | ||
verbs: | ||
- create | ||
- delete | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: | ||
- crew.testproject.org | ||
resources: | ||
- captains/status | ||
verbs: | ||
- get | ||
- patch | ||
- update |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
# permissions to do viewer captains. | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: captain-viewer-role | ||
rules: | ||
- apiGroups: | ||
- crew.testproject.org | ||
resources: | ||
- captains | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- crew.testproject.org | ||
resources: | ||
- captains/status | ||
verbs: | ||
- get |
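--- a/testdata/project-v2/config/rbac/firstmate_editor_role.yaml
+++ b/testdata/project-v2/config/rbac/firstmate_editor_role.yaml
@@ -0,0 +1,26 @@
+# permissions to do edit firstmates.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: firstmate-editor-role
+rules:
+- apiGroups:
+- crew.testproject.org
+resources:
+- firstmates
+verbs:
+- create
+- delete
+- get
+- list
+- patch
+- update
+- watch
+- apiGroups:
+- crew.testproject.org
+resources:
+- firstmates/status
+verbs:
+- get
+- patch
+- update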
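--- a/testdata/project-v2/config/rbac/firstmate_viewer_role.yaml
+++ b/testdata/project-v2/config/rbac/firstmate_viewer_role.yaml
@@ -0,0 +1,20 @@
+# permissions to do viewer firstmates.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: firstmate-viewer-role
+rules:
+- apiGroups:
+- crew.testproject.org
+resources:
+- firstmates
+verbs:
+- get
+- list
+- watch
+- apiGroups:
+- crew.testproject.org
+resources:
+- firstmates/status
+verbs:
+- get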