
Enhance RBAC Scaffolding to Include admin Roles #4294

Open
camilamacedo86 opened this issue Nov 5, 2024 · 4 comments
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature.

Comments


camilamacedo86 commented Nov 5, 2024

What do you want to happen?

In the current Kubebuilder scaffolding, only edit and view RBAC roles are generated for new projects. Example of current RBAC scaffolding: Kubebuilder RBAC configuration

While these roles cover essential permissions for non-administrative users, the absence of an admin role and aggregated role annotations limits flexibility for administrators who need comprehensive access controls.

This issue proposes:

  1. Adding an admin ClusterRole: This role would allow full control over all specified resources, making it easier for project admins to manage resources and delegate permissions.

So what to do here?

  1. Create a new code implementation like: crd_editor_role.go, but which will scaffold the rule with * instead of specific permissions to allow the admin to have full access (essentially updating RBAC).
  2. Add a comment on top of each rule to clarify its intention, rather than simply stating, for example, # permissions for end users to edit {{ .Resource.Kind }}.

YAML Template

  • View:
    # This rule is not used by the project {{ .Project.Name }} itself.
    # It is provided to allow the cluster admin to help manage permissions for users.
    #
    # Grants read-only access to {{ .Resource.Kind }} resources.
    # This role is intended for users who need visibility into the resources
    # without any permissions to modify them. It's ideal for monitoring purposes and limited-access viewing.

  • Edit:
    # This rule is not used by the project {{ .Project.Name }} itself.
    # It is provided to allow the cluster admin to help manage permissions for users.
    #
    # Allows users to modify all custom resources for {{ .Project.Name }} on the cluster.
    # This role enables users to create, update, and delete resources,
    # making it suitable for team members who need to manage resources
    # but should not control RBAC or manage permissions for others.

  • Admin:
    # This rule is not used by the project {{ .Project.Name }} itself.
    # It is provided to allow the cluster admin to help manage permissions for users.
    #
    # Provides full permissions (create, update, delete) over all custom resource objects
    # for the specified API resources across the cluster. In addition to resource management,
    # it grants users the ability to modify roles and bindings within the cluster,
    # allowing them to delegate specific permissions to other users or groups as needed.
@camilamacedo86 camilamacedo86 added help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. labels Nov 5, 2024

damsien commented Nov 5, 2024

Hey, I would like to take this issue!


damsien commented Nov 5, 2024

/assign

@camilamacedo86 camilamacedo86 changed the title Enhance RBAC Scaffolding to Include admin Roles and Aggregated Role Annotations Enhance RBAC Scaffolding to Include admin Roles Nov 6, 2024
camilamacedo86 (Member, Author) commented

Hi @damsien, please see that after further discussions I updated the description of this issue: we should NOT scaffold the rules with rbac.authorization.k8s.io/aggregate-to-admin: "true", rbac.authorization.k8s.io/aggregate-to-edit: "true", and rbac.authorization.k8s.io/aggregate-to-view: "true", since that would create bindings by default on the cluster. Let the cluster admin decide how to use them or not.
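
The two decisions in this thread (the admin scaffold grants the wildcard verb instead of an explicit verb list, and none of the scaffolds carry the aggregate-to-admin/edit/view labels) can be checked mechanically. The Go program below is an added example written for this page; it is not Kubebuilder's own code and the template, the Resource field names, and the RenderAdminRole, WithAggregateLabel and CheckScaffold helpers are assumptions of this example. It renders an admin ClusterRole in the style of the view/edit scaffolds, then lints a manifest for the aggregation labels (which would fold the role into the built-in admin, edit or view ClusterRole on every cluster the manifest is applied to, with no explicit binding) and, for the admin role, for the wildcard verb.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Resource carries the template fields; the names are an assumption for this
// example, not Kubebuilder's own template data.
type Resource struct {
	ProjectName, Group, Kind, Plural string
}

// adminRoleTemplate is a constructed template in the style of the view/edit
// scaffolds: a comment header states the intent and the rule uses the wildcard
// verb so the role grants full control over the resource.
const adminRoleTemplate = `# This rule is not used by the project {{ .ProjectName }} itself.
# It is provided to allow the cluster admin to help manage permissions for users.
#
# Provides full permissions over all {{ .Kind }} objects across the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Plural }}-admin-role
rules:
- apiGroups:
  - {{ .Group }}
  resources:
  - {{ .Plural }}
  verbs:
  - '*'
`

// aggregationLabels are the labels the issue decided NOT to scaffold.
var aggregationLabels = []string{
	"rbac.authorization.k8s.io/aggregate-to-admin",
	"rbac.authorization.k8s.io/aggregate-to-edit",
	"rbac.authorization.k8s.io/aggregate-to-view",
}

// RenderAdminRole executes the template for one resource.
func RenderAdminRole(r Resource) (string, error) {
	var buf bytes.Buffer
	err := template.Must(template.New("admin").Parse(adminRoleTemplate)).Execute(&buf, r)
	return buf.String(), err
}

// WithAggregateLabel is the constructed negative case: it adds the label the
// issue decided against, for one of the built-in roles "admin", "edit" or "view".
func WithAggregateLabel(manifest, builtin string) string {
	label := "  labels:\n    rbac.authorization.k8s.io/aggregate-to-" + builtin + ": \"true\"\n"
	return strings.Replace(manifest, "metadata:\n", "metadata:\n"+label, 1)
}

// hasWildcardVerb scans every "verbs:" block with a small line scanner; the
// fixed layout of the scaffold makes a YAML parser unnecessary here.
func hasWildcardVerb(manifest string) bool {
	inVerbs := false
	for _, raw := range strings.Split(manifest, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "verbs:":
			inVerbs = true
		case inVerbs && strings.HasPrefix(line, "- ") && !strings.HasSuffix(line, ":"):
			if strings.Trim(line[2:], `"'`) == "*" {
				return true
			}
		default:
			inVerbs = false // next rule ("- apiGroups:"), blank line or another key
		}
	}
	return false
}

// CheckScaffold reports problems in a rendered role: any aggregation label,
// and, for the role meant to be the admin role, the absence of a wildcard verb.
func CheckScaffold(manifest string, expectAdmin bool) []string {
	var problems []string
	for _, l := range aggregationLabels {
		if strings.Contains(manifest, l+":") {
			problems = append(problems, "aggregation label present: "+l)
		}
	}
	if expectAdmin && !hasWildcardVerb(manifest) {
		problems = append(problems, "admin role grants no wildcard verb")
	}
	return problems
}

func main() {
	// constructed sample values
	out, err := RenderAdminRole(Resource{"example-operator", "webapp.example.com", "Guestbook", "guestbooks"})
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
	fmt.Println("scaffold problems:", CheckScaffold(out, true))
	fmt.Println("with aggregation label:", CheckScaffold(WithAggregateLabel(out, "admin"), true))
}
```

Running it prints the rendered admin ClusterRole, an empty problem list for it, and one finding for the copy that carries the aggregate-to-admin label. The same CheckScaffold call with expectAdmin set to false is what a view or edit scaffold test would use, since only the admin role is expected to grant the wildcard verb.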


damsien commented Nov 6, 2024

Okay thank you for letting me know!
