
[RFE] Add option to export cluster-scoped RBAC resources #148

Open
dmartinol opened this issue Feb 28, 2023 · 2 comments
Labels: kind/feature, needs-priority, needs-triage

Comments

@dmartinol (Contributor)

What is your persona?

I'm an application developer that is designing a POC of an open-source application that integrates crane to export the configuration of an application.

What is your story / use case?

As a user of the crane export command, I want to include all the non-namespaced (i.e., cluster-scoped) RBAC resources that are linked to the ServiceAccounts defined in the exported namespace(s), so that the generated manifests can be deployed on a new environment with no further manual operations.

Using an optional flag on the crane export command, like --cluster-scoped-rbac (defaulting to "false", which leaves the requested feature disabled), at the end of the crane export-transform-apply pipeline we can generate a complete and consistent set of manifests that can be deployed on any environment without any manual intervention to set up the RBAC aspects.

Do you have a suggestion for implementation?

I would implement this as an optional flag in the crane core module, since the export command does not support the concept of plugin.

Since we want only some of these cluster-scoped resources, we should define somewhere the list of managed types (e.g., ClusterRole, ClusterRoleBinding and, in the case of an OpenShift cluster, also SecurityContextConstraints) and load them only after all the configured namespaces have been exported, so as to discard those that are not connected to any of the exported ServiceAccounts (a cache may be required to store all of them, or at least their namespace/name pairs).

Once selected, those manifests can be stored in a dedicated folder, with a name that can't match a namespace name, like _cluster.

While the contributors review the issue, I would start developing the feature to validate the proposed solution.

dmartinol added the kind/feature label Feb 28, 2023
github-actions bot added the needs-triage label Feb 28, 2023
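An added sketch of the filtering step proposed in the issue above, written for this page: it is not crane's code and not the implementation in the referenced commit. The Ref and Binding structs, the SelectClusterScopedRBAC and LoadBindings functions and the sample bindings are assumptions made for illustration; SecurityContextConstraints are left out. It goes a little beyond the proposal: besides discarding ClusterRoleBindings that name no exported ServiceAccount, it matches the implicit system:serviceaccounts groups, collects the ClusterRoles that namespaced RoleBindings reference (those must travel too, or the apply fails), and prunes subjects from non-exported namespaces so the target environment does not re-grant cluster-wide rights to accounts that were never migrated.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Ref is the {kind,name,namespace} shape shared by metadata, subjects and roleRef: a
// hand-written subset of rbac.authorization.k8s.io/v1 (assumption, to stay dependency-free).
type Ref struct {
	Kind      string `json:"kind,omitempty"`
	Name      string `json:"name"`
	Namespace string `json:"namespace,omitempty"`
}

type Binding struct { // models both RoleBinding (namespaced) and ClusterRoleBinding
	Kind     string `json:"kind"`
	Metadata Ref    `json:"metadata"`
	Subjects []Ref  `json:"subjects"`
	RoleRef  Ref    `json:"roleRef"`
}

// subjectMatches reports whether a subject grants to an exported ServiceAccount, either
// directly or through the implicit groups system:serviceaccounts[:<namespace>].
func subjectMatches(s Ref, exportedNS, exportedSA map[string]bool) bool {
	switch s.Kind {
	case "ServiceAccount": // exportedSA holds the namespace/name pairs the issue suggests caching
		return exportedSA[s.Namespace+"/"+s.Name]
	case "Group":
		ns, scoped := strings.CutPrefix(s.Name, "system:serviceaccounts:")
		return s.Name == "system:serviceaccounts" || (scoped && exportedNS[ns])
	}
	return false
}

// SelectClusterScopedRBAC is the post-export filtering step: it returns the ClusterRoleBindings
// connected to the exported ServiceAccounts (subjects from other namespaces pruned) and the
// sorted names of the ClusterRoles referenced by them or by RoleBindings in exported namespaces.
func SelectClusterScopedRBAC(exportedSAs []Ref, bindings []Binding) ([]Binding, []string) {
	exportedNS, exportedSA := map[string]bool{}, map[string]bool{}
	for _, sa := range exportedSAs {
		exportedNS[sa.Namespace] = true
		exportedSA[sa.Namespace+"/"+sa.Name] = true
	}
	var admitted []Binding
	roleSet := map[string]bool{}
	for _, b := range bindings {
		switch b.Kind {
		case "RoleBinding": // already exported with its namespace; only its ClusterRole ref matters
			if exportedNS[b.Metadata.Namespace] && b.RoleRef.Kind == "ClusterRole" {
				roleSet[b.RoleRef.Name] = true
			}
		case "ClusterRoleBinding":
			var kept []Ref
			for _, s := range b.Subjects {
				if subjectMatches(s, exportedNS, exportedSA) {
					kept = append(kept, s)
				}
			}
			if len(kept) == 0 {
				continue // not connected to any exported ServiceAccount: discard
			}
			b.Subjects = kept // never re-grant to subjects outside the exported namespaces
			admitted = append(admitted, b)
			roleSet[b.RoleRef.Name] = true // a ClusterRoleBinding can only reference a ClusterRole
		}
	}
	roles := make([]string, 0, len(roleSet))
	for name := range roleSet {
		roles = append(roles, name)
	}
	sort.Strings(roles)
	return admitted, roles
}

// Constructed sample cluster state (not real manifests): a shared, a foreign, a group-based and a namespaced binding.
const sampleBindings = `[
 {"kind":"ClusterRoleBinding","metadata":{"name":"app-reader"},"roleRef":{"kind":"ClusterRole","name":"app-reader"},"subjects":[{"kind":"ServiceAccount","name":"app","namespace":"team-a"},{"kind":"ServiceAccount","name":"ops","namespace":"infra"}]},
 {"kind":"ClusterRoleBinding","metadata":{"name":"infra-admin"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"ops","namespace":"infra"}]},
 {"kind":"ClusterRoleBinding","metadata":{"name":"team-a-view"},"roleRef":{"kind":"ClusterRole","name":"view"},"subjects":[{"kind":"Group","name":"system:serviceaccounts:team-a"}]},
 {"kind":"RoleBinding","metadata":{"name":"edit","namespace":"team-a"},"roleRef":{"kind":"ClusterRole","name":"edit"},"subjects":[{"kind":"ServiceAccount","name":"app","namespace":"team-a"}]}]`

func LoadBindings(raw string) ([]Binding, error) {
	var bs []Binding
	return bs, json.Unmarshal([]byte(raw), &bs)
}

func main() {
	bs, err := LoadBindings(sampleBindings)
	if err != nil {
		panic(err)
	}
	admitted, roles := SelectClusterScopedRBAC([]Ref{{Name: "app", Namespace: "team-a"}}, bs)
	fmt.Printf("for _cluster/: %+v\nClusterRoles to export: %v\n", admitted, roles)
}
```

With the sample state and team-a/app as the only exported ServiceAccount, app-reader is admitted with its infra/ops subject dropped, team-a-view is admitted through the namespace group, and infra-admin (a cluster-admin binding for another namespace) is discarded; the ClusterRoles to export are app-reader, edit and view. Whether to prune subjects or copy bindings verbatim is a policy decision the flag should document: a verbatim copy reproduces the source cluster exactly, but it also re-creates grants for subjects that do not exist on the target, and any admitted binding whose roleRef is cluster-admin deserves a look before the apply step.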
@github-actions (bot)

This issue is currently awaiting triage.
If contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.

@djzager (Contributor) commented Mar 3, 2023

/triage accepted

djzager added a commit that referenced this issue Mar 7, 2023
* Added cluster-scoped-rbac flag and exporting all these resources in the _cluster folder

* Added ClusterScopeHandler and implemented filtering functions

* Fixed wrong handling of optional flag and set default to false

* typo: Adding SCC when users match

* Moving _clusters under the namespace folder, to have one instance for each exported namespace

* Added admittedResource type to properly manage resources with the same name in different groups
Using range instead of reverse loop by index
Reverted use of go 1.18 (removed slices package)

* Update cmd/export/cluster.go

Co-authored-by: David Zager <[email protected]>

* Update cmd/export/cluster.go

Co-authored-by: David Zager <[email protected]>

---------

Co-authored-by: David Zager <[email protected]>