Allow overriding rbac permissions in KubernetesClientProcessor #19286

Closed
jmrodri opened this issue Aug 7, 2021 · 6 comments · Fixed by #31797

jmrodri commented Aug 7, 2021

Description

The rbac generated by the kubernetes-extension only adds the view role. The documentation does mention that you have to manually edit this, but this is less than optimal when you are trying to automate building an operator.

We're currently building a scaffolder to integrate with the Operator Framework Operator SDK and Quarkus. When the user runs mvn install we get incorrect rbac as view is not enough for an Operator. I've looked into adding kustomize but that seems out of place for this project.

So being able to specify the roles we need a more advanced rbac mechanism, here is the sample we generate for the Go sample operators: https://github.com/operator-framework/operator-sdk/tree/master/testdata/go/v3/memcached-operator/config/rbac

Implementation ideas

No response

@jmrodri jmrodri added the kind/enhancement New feature or request label Aug 7, 2021

quarkus-bot bot commented Aug 7, 2021

/cc @geoand

Contributor

geoand commented Aug 7, 2021

cc @iocanel

Contributor

geoand commented Aug 23, 2021

Can you expand a little on what exactly you would like to see?

Author

jmrodri commented Aug 28, 2021

@geoand @iocanel today only a view role is generated and I don't see any way to customize it to generate different rbac rules. I would want to create something like the sample below without having the user edit it by hand. Are there any annotations or application.properties we could set to allow for a more complex rbac.yaml to be generated?

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: manager-role
rules:
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - cache.example.com
  resources:
  - memcacheds
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - cache.example.com
  resources:
  - memcacheds/finalizers
  verbs:
  - update
- apiGroups:
  - cache.example.com
  resources:
  - memcacheds/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
```

Author

jmrodri commented Aug 28, 2021

Or even something I can pass to the mvn command: `mvn package -D quarkus.rbac.verbs=get,patch,update -D quarkus.rbac.resources....` The other thing I'm considering is post-processing the file after the fact.
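
Added example, not part of the issue thread or the Quarkus code base: a review check for a custom ClusterRole such as the `manager-role` sample above, listing every grant that goes beyond read-only access and any wildcard entries. The rules are embedded as a constructed Python dict mirroring that sample; `READ_ONLY`, `expand` and `audit` are hypothetical names, and treating get/list/watch as the baseline is an assumption.

```python
# Added example: audit a ClusterRole's rules against a read-only baseline.
READ_ONLY = {"get", "list", "watch"}  # assumption: the baseline for "view-like" access

# Constructed input: the rules of the manager-role sample, as they look once parsed.
ALL = ["create", "delete", "get", "list", "patch", "update", "watch"]
MANAGER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "manager-role"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ALL},
        {"apiGroups": ["cache.example.com"], "resources": ["memcacheds"], "verbs": ALL},
        {"apiGroups": ["cache.example.com"], "resources": ["memcacheds/finalizers"],
         "verbs": ["update"]},
        {"apiGroups": ["cache.example.com"], "resources": ["memcacheds/status"],
         "verbs": ["get", "patch", "update"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    ],
}

def expand(role):
    """Flatten the rules into a set of (apiGroup, resource, verb) grants."""
    grants = set()
    for rule in role.get("rules") or []:
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    grants.add((group, resource, verb))
    return grants

def audit(role):
    """Return (writes, wildcards): verbs beyond read-only per resource, and '*' grants."""
    grants = expand(role)
    # A grant is a wildcard grant if its group, resource or verb is exactly "*".
    wildcards = sorted(g for g in grants if "*" in g)
    writes = {}
    for group, resource, verb in grants:
        if verb not in READ_ONLY and verb != "*":
            key = f"{group or 'core'}/{resource}"  # "" is the core API group
            writes.setdefault(key, set()).add(verb)
    return {k: sorted(v) for k, v in sorted(writes.items())}, wildcards

if __name__ == "__main__":
    writes, wildcards = audit(MANAGER_ROLE)
    for target, verbs in writes.items():
        print(f"{target}: {','.join(verbs)}")
    print("wildcards:", wildcards or "none")
```

The same `audit` call works on a role loaded from a generated manifest once it has been parsed into a dict.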

Contributor

geoand commented Sep 1, 2021

@iocanel is this something you plan to look into?

Sgitario added a commit to Sgitario/quarkus that referenced this issue Mar 13, 2023
These changes address a long-time issue regarding K8s RBAC resources (see related issues).

These changes allow generating custom Roles, ClusterRoles, ServiceAccount, and RoleBindings.
Plus, they allow the Kubernetes Client and Kubernetes Config extensions to configure the role binding to generate.

Fix quarkusio#16612
Fix quarkusio#19286
Fix quarkusio#15422
@quarkus-bot quarkus-bot bot added this to the 3.0 - main milestone Mar 21, 2023