From f05cc9a641a063e703c164fdb7ea0da417b87edc Mon Sep 17 00:00:00 2001
From: David Grove
Date: Thu, 31 Oct 2024 12:01:51 -0400
Subject: [PATCH] Add labels to aggregate appwrapper editor/viewer role RBACs
---
 config/default/editor_role_patch.yaml | 7 +++++++
 config/default/kustomization.yaml | 4 ++++
 config/default/viewer_role_patch.yaml | 6 ++++++
 .../rbac/{appwrapper_editor_role.yaml => editor_role.yaml} | 2 +-
 config/rbac/kustomization.yaml | 2 ++
 .../rbac/{appwrapper_viewer_role.yaml => viewer_role.yaml} | 2 +-
 6 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 config/default/editor_role_patch.yaml
 create mode 100644 config/default/viewer_role_patch.yaml
 rename config/rbac/{appwrapper_editor_role.yaml => editor_role.yaml} (95%)
 rename config/rbac/{appwrapper_viewer_role.yaml => viewer_role.yaml} (95%)
diff --git a/config/default/editor_role_patch.yaml b/config/default/editor_role_patch.yaml
new file mode 100644
index 00000000..881023d3
--- /dev/null
+++ b/config/default/editor_role_patch.yaml
@@ -0,0 +1,7 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: editor-role
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 4326f887..2fee1589 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -35,3 +35,7 @@ patches:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml
 - path: manager_webhook_patch.yaml
+
+# Add aggregate labels to rbacs
+- path: editor_role_patch.yaml
+- path: viewer_role_patch.yaml
diff --git a/config/default/viewer_role_patch.yaml b/config/default/viewer_role_patch.yaml
new file mode 100644
index 00000000..a6f71fb7
--- /dev/null
+++ b/config/default/viewer_role_patch.yaml
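Review bot: In config/default/editor_role_patch.yaml the two labels hand the editor rules to every subject already bound to the built-in `edit` or `admin` ClusterRole, in every namespace, and nothing in the file says so. The rules themselves are outside this hunk (only the `workload.codeflare.dev` apiGroup is visible in editor_role.yaml), so please confirm they contain only the verbs and subresources a namespace editor should hold. If an AppWrapper causes the controller to create other resources on the submitter's behalf, write access is safe only when the controller or its admission webhook checks that the submitter may create them; that cannot be seen from this diff. I would add a header comment such as `# Aggregates editor-role into the built-in edit and admin ClusterRoles: every holder of edit/admin gains these rules`.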
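Review bot: The comment `# Add aggregate labels to rbacs` in config/default/kustomization.yaml does not tell an operator that these two entries widen the built-in roles, or how to opt out. I would replace it with `# Aggregate the AppWrapper editor/viewer rules into the built-in edit, admin and view ClusterRoles; remove both entries to require explicit bindings instead`. The `patches:` list starts outside the hunk.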
@@ -0,0 +1,6 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: viewer-role
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
diff --git a/config/rbac/appwrapper_editor_role.yaml b/config/rbac/editor_role.yaml
similarity index 95%
rename from config/rbac/appwrapper_editor_role.yaml
rename to config/rbac/editor_role.yaml
index 391a4a28..05e49629 100644
--- a/config/rbac/appwrapper_editor_role.yaml
+++ b/config/rbac/editor_role.yaml
@@ -9,7 +9,7 @@ metadata:
 app.kubernetes.io/created-by: appwrapper
 app.kubernetes.io/part-of: appwrapper
 app.kubernetes.io/managed-by: kustomize
- name: appwrapper-editor-role
+ name: editor-role
 rules:
 - apiGroups:
 - workload.codeflare.dev
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 0e99f848..12187025 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -10,6 +10,8 @@ resources:
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 - user_role.yaml
+- editor_role.yaml
+- viewer_role.yaml
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
diff --git a/config/rbac/appwrapper_viewer_role.yaml b/config/rbac/viewer_role.yaml
similarity index 95%
rename from config/rbac/appwrapper_viewer_role.yaml
rename to config/rbac/viewer_role.yaml
index 924a44c3..527b9280 100644
--- a/config/rbac/appwrapper_viewer_role.yaml
+++ b/config/rbac/viewer_role.yaml
@@ -9,7 +9,7 @@ metadata:
 app.kubernetes.io/created-by: appwrapper
 app.kubernetes.io/part-of: appwrapper
 app.kubernetes.io/managed-by: kustomize
- name: appwrapper-viewer-role
+ name: viewer-role
 rules:
 - apiGroups:
 - workload.codeflare.dev
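Review bot: `aggregate-to-view` in config/default/viewer_role_patch.yaml gives the viewer rules to everyone bound to the built-in `view` role, a role that by design leaves out Secrets. If an AppWrapper spec can embed resource manifests that carry credentials (inline Secret objects, literal env values), read access to AppWrappers would expose them to plain viewers; the rules and the CRD schema are not in this diff, so this needs confirming. A header comment stating the effect would help, e.g. `# Aggregates viewer-role into the built-in view ClusterRole: every holder of view can read AppWrappers`.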
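Review bot: `name: editor-role` in config/rbac/editor_role.yaml (and likewise `name: viewer-role` in config/rbac/viewer_role.yaml) is now a generic name for a cluster-scoped object, so it stays unique only if a kustomize `namePrefix` is applied on top; no such prefix is visible in this diff. Anyone building config/rbac directly would create ClusterRoles that can collide with another operator's `editor-role`, and any existing binding that references `appwrapper-editor-role` stops resolving if the rendered name changes. Please confirm the rendered names in the default overlay are unchanged, and consider a comment above the name such as `# final name is set by namePrefix in config/default`. The metadata block starts outside the hunk.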