feat(rbac) : add editor and viewer role for crds

pkg/scaffold/api.go

@@ -185,6 +185,8 @@ func (api *API) scaffoldV2() error {
 				Resource: r},
 			&scaffoldv2.Group{Resource: r},
 			&scaffoldv2.CRDSample{Resource: r},
+			&scaffoldv2.CRDEditorRole{Resource: r},
+			&scaffoldv2.CRDViewerRole{Resource: r},
 			&crdv2.EnableWebhookPatch{Resource: r},
 			&crdv2.EnableCAInjectionPatch{Resource: r},
 		}

pkg/scaffold/v2/crd_editor_rbac.go

@@ -0,0 +1,79 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	"sigs.k8s.io/kubebuilder/pkg/scaffold/input"
+	"sigs.k8s.io/kubebuilder/pkg/scaffold/resource"
+)
+
+var _ input.File = &CRDEditorRole{}
+
+// CRD Editor role scaffolds the config/rbca/<kind>_editor_role.yaml
+type CRDEditorRole struct {
+	input.Input
+
+	// Resource is a resource in the API group
+	Resource *resource.Resource
+}
+
+// GetInput implements input.File
+func (g *CRDEditorRole) GetInput() (input.Input, error) {
+	if g.Path == "" {
+		g.Path = filepath.Join("config", "rbac", fmt.Sprintf("%s_editor_role.yaml", strings.ToLower(g.Resource.Kind)))
+	}
+
+	g.TemplateBody = crdRoleEditorTemplate
+	return g.Input, nil
+}
+
+// Validate validates the values
+func (g *CRDEditorRole) Validate() error {
+	return g.Resource.Validate()
+}
+
+const crdRoleEditorTemplate = `# permissions to do edit {{ .Resource.Resource }}.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ lower .Resource.Kind }}-editor-role
+rules:
+- apiGroups:
+  - {{ .Resource.Group }}.{{ .Domain }}
+  resources:
+  - {{ .Resource.Resource }}
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - {{ .Resource.Group }}.{{ .Domain }}
+  resources:
+  - {{ .Resource.Resource }}/status
+  verbs:
+  - get
+  - patch
+  - update
+`

pkg/scaffold/v2/crd_viewer_rbac.go

@@ -0,0 +1,73 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	"sigs.k8s.io/kubebuilder/pkg/scaffold/input"
+	"sigs.k8s.io/kubebuilder/pkg/scaffold/resource"
+)
+
+var _ input.File = &CRDViewerRole{}
+
+// CRD Viewer role scaffolds the config/rbca/<kind>_viewer_role.yaml
+type CRDViewerRole struct {
+	input.Input
+
+	// Resource is a resource in the API group
+	Resource *resource.Resource
+}
+
+// GetInput implements input.File
+func (g *CRDViewerRole) GetInput() (input.Input, error) {
+	if g.Path == "" {
+		g.Path = filepath.Join("config", "rbac", fmt.Sprintf("%s_viewer_role.yaml", strings.ToLower(g.Resource.Kind)))
+	}
+
+	g.TemplateBody = crdRoleViewerTemplate
+	return g.Input, nil
+}
+
+// Validate validates the values
+func (g *CRDViewerRole) Validate() error {
+	return g.Resource.Validate()
+}
+
+const crdRoleViewerTemplate = `# permissions to do viewer {{ .Resource.Resource }}.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ lower .Resource.Kind }}-viewer-role
+rules:
+- apiGroups:
+  - {{ .Resource.Group }}.{{ .Domain }}
+  resources:
+  - {{ .Resource.Resource }}
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - {{ .Resource.Group }}.{{ .Domain }}
+  resources:
+  - {{ .Resource.Resource }}/status
+  verbs:
+  - get
+`

test/e2e/v2/e2e_suite.go

@@ -246,6 +246,20 @@ var _ = Describe("kubebuilder", func() {
 				return err
 			}, time.Minute, time.Second).Should(Succeed())
 
+			By("applying CRD Editor Role")
+			crdEditorRole := filepath.Join("config", "rbca", fmt.Sprintf("s_editor_role.yaml", strings.ToLower(kbc.Kind)))
+			Eventually(func() error {
+				_, err = kbc.Kubectl.Apply(true, "-f", crdEditorRole)
+				return err
+			}, time.Minute, time.Second).Should(Succeed())
+
+			By("applying CRD Viewer Role")
+			crdViewerRole := filepath.Join("config", "rbca", fmt.Sprintf("s_viewer_role.yaml", strings.ToLower(kbc.Kind)))
+			Eventually(func() error {
+				_, err = kbc.Kubectl.Apply(true, "-f", crdViewerRole)
+				return err
+			}, time.Minute, time.Second).Should(Succeed())
+
 			By("validate the created resource object gets reconciled in controller")
 			managerContainerLogs := func() string {
 				logOutput, err := kbc.Kubectl.Logs(controllerPodName, "-c", "manager")

testdata/project-v2/config/rbac/admiral_editor_role.yaml

@@ -0,0 +1,26 @@
+# permissions to do edit admirals.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: admiral-editor-role
+rules:
+- apiGroups:
+  - crew.testproject.org
+  resources:
+  - admirals
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - crew.testproject.org
+  resources:
+  - admirals/status
+  verbs:
+  - get
+  - patch
+  - update

testdata/project-v2/config/rbac/admiral_viewer_role.yaml

@@ -0,0 +1,20 @@
+# permissions to do viewer admirals.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: admiral-viewer-role
+rules:
+- apiGroups:
+  - crew.testproject.org
+  resources:
+  - admirals
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - crew.testproject.org
+  resources:
+  - admirals/status
+  verbs:
+  - get

testdata/project-v2/config/rbac/captain_editor_role.yaml

@@ -0,0 +1,26 @@
+# permissions to do edit captains.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: captain-editor-role
+rules:
+- apiGroups:
+  - crew.testproject.org
+  resources:
+  - captains
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - crew.testproject.org
+  resources:
+  - captains/status
+  verbs:
+  - get
+  - patch
+  - update

testdata/project-v2/config/rbac/captain_viewer_role.yaml

@@ -0,0 +1,20 @@
+# permissions to do viewer captains.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: captain-viewer-role
+rules:
+- apiGroups:
+  - crew.testproject.org
+  resources:
+  - captains
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - crew.testproject.org
+  resources:
+  - captains/status
+  verbs:
+  - get

testdata/project-v2/config/rbac/firstmate_editor_role.yaml

@@ -0,0 +1,26 @@
+# permissions to do edit firstmates.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: firstmate-editor-role
+rules:
+- apiGroups:
+  - crew.testproject.org
+  resources:
+  - firstmates
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - crew.testproject.org
+  resources:
+  - firstmates/status
+  verbs:
+  - get
+  - patch
+  - update

testdata/project-v2/config/rbac/firstmate_viewer_role.yaml

@@ -0,0 +1,20 @@
+# permissions to do viewer firstmates.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: firstmate-viewer-role
+rules:
+- apiGroups:
+  - crew.testproject.org
+  resources:
+  - firstmates
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - crew.testproject.org
+  resources:
+  - firstmates/status
+  verbs:
+  - get