Enhance RBAC Scaffolding to Include admin Roles #4294

@camilamacedo86

Description

What do you want to happen?

In the current Kubebuilder scaffolding, only edit and view RBAC roles are generated for new projects. Example of current RBAC scaffolding: Kubebuilder RBAC configuration

While these roles cover essential permissions for non-administrative users, the absence of an admin role and aggregated role annotations limits flexibility for administrators who need comprehensive access controls.

This issue proposes:

  1. Adding an admin ClusterRole: This role would allow full control over all specified resources, making it easier for project admins to manage resources and delegate permissions.

So what to do here?

  1. Create a new code implementation like crd_editor_role.go, but one that scaffolds the rule with * instead of specific permissions, so the admin has full access (essentially updating RBAC).
  2. Add a comment on top of each rule to clarify its intention, rather than simply stating, for example, # permissions for end users to edit {{ .Resource.Kind }}.

YAML Template

  • View:
  # This rule is not used by the project {{ .Project.Name }} itself.
  # It is provided to allow the cluster admin to help manage permissions for users.
  #
  # Grants read-only access to {{ .Resource.Kind }} resources.
  # This role is intended for users who need visibility into the resources
  # without any permissions to modify them. It's ideal for monitoring purposes and limited-access viewing.

  • Edit:
  # This rule is not used by the project {{ .Project.Name }} itself.
  # It is provided to allow the cluster admin to help manage permissions for users.
  #
  # Allows users to modify all custom resources for {{ .Project.Name }} on the cluster.
  # This role enables users to create, update, and delete resources,
  # making it suitable for team members who need to manage resources
  # but should not control RBAC or manage permissions for others.

  • Admin:
  # This rule is not used by the project {{ .Project.Name }} itself.
  # It is provided to allow the cluster admin to help manage permissions for users.
  #
  # Provides full permissions (create, update, delete) over all custom resource objects
  # for the specified API resources across the cluster. In addition to resource management,
  # it grants users the ability to modify roles and bindings within the cluster,
  # allowing them to delegate specific permissions to other users or groups as needed.
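As an added example (not code from the issue or from Kubebuilder itself), the Go program below shows what a crd_editor_role.go-style template for the proposed admin role could produce, plus the check a reviewer would run over the rendered manifest. The `Project`/`Resource` struct shapes, the template name `crd_admin_role`, the `lower` template function and the `-admin-role` name suffix are assumptions for this example; the `rbac.authorization.k8s.io/aggregate-to-admin: "true"` label is the upstream Kubernetes convention for folding a ClusterRole into the built-in `admin` role. The wildcard is deliberately scoped to the project's own API group: Kubernetes RBAC only lets a subject create or update Roles and RoleBindings carrying permissions it already holds (or that it has the `escalate`/`bind` verbs for), so a scaffolded role that wildcards `rbac.authorization.k8s.io` would hand out far more than custom-resource management, and `WildcardOutsideGroup` flags exactly that.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// Template data. The {{ .Project.Name }} and {{ .Resource.Kind }} placeholders appear in the
// issue; these struct shapes are an assumption for this example, not Kubebuilder's own types.
type Project struct{ Name string }

type Resource struct {
	Group  string // API group, e.g. "cache.example.com"
	Plural string // lowercase plural, e.g. "memcacheds"
	Kind   string // e.g. "Memcached"
}

type Data struct {
	Project  Project
	Resource Resource
}

// adminRoleTemplate is a hypothetical crd_admin_role template in the style of crd_editor_role.go.
// Verbs are "*", but only on the project's own API group; the aggregate-to-admin label is the
// upstream Kubernetes convention for folding this ClusterRole into the built-in "admin" role.
const adminRoleTemplate = `# This rule is not used by the project {{ .Project.Name }} itself.
# It is provided to allow the cluster admin to help manage permissions for users.
#
# Provides full permissions over {{ .Resource.Kind }} objects across the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ lower .Resource.Kind }}-admin-role
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
  - {{ .Resource.Group }}
  resources:
  - {{ .Resource.Plural }}
  verbs:
  - "*"
- apiGroups:
  - {{ .Resource.Group }}
  resources:
  - {{ .Resource.Plural }}/status
  verbs:
  - get
`

// RenderAdminRole executes the template for one API resource.
func RenderAdminRole(d Data) (string, error) {
	tmpl, err := template.New("crd_admin_role").
		Funcs(template.FuncMap{"lower": strings.ToLower}).
		Parse(adminRoleTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, d); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// WildcardOutsideGroup reports whether the rendered manifest grants "*" verbs on any apiGroup
// other than group. It walks the scaffold's fixed layout line by line; it is not a YAML parser.
func WildcardOutsideGroup(manifest, group string) bool {
	inRules, section := false, ""
	var groups []string
	for _, raw := range strings.Split(manifest, "\n") {
		t := strings.TrimSpace(raw)
		switch {
		case t == "rules:":
			inRules = true
		case !inRules || t == "" || strings.HasPrefix(t, "#"):
			continue
		case strings.HasPrefix(t, "- apiGroups:"):
			section, groups = "apiGroups", nil // a new rule starts here
		case t == "resources:":
			section = "resources"
		case t == "verbs:":
			section = "verbs"
		case strings.HasPrefix(t, "- "):
			item := strings.Trim(strings.TrimPrefix(t, "- "), `"`)
			if section == "apiGroups" {
				groups = append(groups, item)
			} else if section == "verbs" && item == "*" {
				for _, g := range groups {
					if g != group {
						return true
					}
				}
			}
		}
	}
	return false
}

func main() {
	// Constructed sample project and resource for the demo.
	d := Data{Project: Project{Name: "memcached-operator"},
		Resource: Resource{Group: "cache.example.com", Plural: "memcacheds", Kind: "Memcached"}}
	out, err := RenderAdminRole(d)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(out)
	fmt.Println("# wildcard outside own group:", WildcardOutsideGroup(out, d.Resource.Group))
}
```

Running it prints the rendered ClusterRole followed by `# wildcard outside own group: false`; appending a rule that wildcards `rbac.authorization.k8s.io` flips the check to `true`, which is the case a scaffold reviewer wants caught before the manifest is committed.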

Metadata

Labels

good first issue: Denotes an issue ready for a new contributor, according to the "help wanted" guidelines.
help wanted: Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
kind/feature: Categorizes issue or PR as related to a new feature.