lots of changes to k8s examples and readme to ensure that both contro…

…ller and job pattern work as expected

README.md

@@ -49,12 +49,12 @@ As you might expect, this will run in your current Kubernetes context. If you do
 
 ### As a Kubernetes Job
 
-Also quite straightforward, you can apply the YAML from the `example/k8s` directory of this repository to run RBAC Manager within your cluster. In this case, you'll want to add you're RBAC Manager configuration in the ConfigMap (`example/k8s/2-config.yaml`).
+Also quite straightforward, you can apply the YAML from the `example/k8s/job` directory of this repository to run RBAC Manager within your cluster. In this case, you'll want to add you're RBAC Manager configuration in the ConfigMap (`example/k8s/controller/02-configmap.yaml`).
 
 Once the ConfigMap represents the RBAC state you want to achieve, you can run the job with a simple command:
 
 ```
-kubectl apply -f example/k8s
+kubectl apply -f example/k8s/controller
 ```
 
 Once the job has completed, you can clean things up by removing the namespace it creates with this command:
@@ -65,28 +65,17 @@ kubectl delete namespace rbac-manager
 
 ### As a Kubernetes Controller
 
-RBAC Manager can also be run as a controler and uses Custom Resources to store the yaml file from above. To create the controller:
+RBAC Manager can also be run as a controler using custom resources to store this format of RBAC configuration. These custom resources are `rbacdefinitions`. The RBAC Manager controller listens for `rbacdefinition` updates, and will automatically make the requested changes when a `rbacdefinition` is created or updated.
+
+Sample Kubernetes configuration for this pattern is available in `example/k8s/controller`. You can run this example in your cluster with this command:
+
 ```
-# Create the namespace
-kubectl apply -f example/k8s/00-namespaces.yaml
-# Create the serviceAccount and roleBinding for rbac_manager
-kubectl apply -f example/k8s/01-rbac.yaml
-# Create the customResourceDefinition
-kubectl apply -f example/k8s/05-customresourcedefinition.yaml
-# Create the controller
-kubectl apply -f example/k8s/07-controller.yaml
+kubectl apply -f example/k8s/controller
 ```
 
-Once the `customResourceDefinition` is applied, you can create the resource that defines the RBAC `users`/`serviceAccounts`, the `role`s, and the `roleBinding`s. Use `kubectl apply -f example/k8s/06/customresource.yaml` as and example.
-
 ### As part of a CI Workflow
 
-Ideally RBAC manager will be used in a CI workflow. In addition to our standard Docker images, we provide a secondary image  with each release that includes some helpful dependencies for continuous integration. There is a working example of what this could look like in `examples/ci`.
-
-
-## Future Plans
-
-We're very interested in implementing this with a Kubernetes operator pattern. Instead of a single update task, this operator would run on each cluster and listen for changes to custom configuration resources.
+Ideally RBAC manager will be used in a CI workflow. In addition to our standard Docker images, we provide a secondary image with each release that includes some helpful dependencies for continuous integration. There is a working example of what this could look like in `examples/ci`.
 
 ## License
 Apache License 2.0

examples/k8s/01-rbac.yaml → examples/k8s/controller/01-rbac.yaml

@@ -10,24 +10,20 @@ metadata:
   name: rbac-manager
 rules:
   - apiGroups:
-      - rbac.authorization.k8s.io
+      - rbacmanager.k8s.io
     resources:
-      - clusterrolebindings
-      - rolebindings
+      - rbacdefinitions
     verbs:
-      - create
-      - delete
       - get
       - list
-      - patch
-      - update
+      - watch
   - apiGroups:
-      - rbacmanager.k8s.io
+      - rbac.authorization.k8s.io
+      - authorization.k8s.io
     resources:
-      - rbacdefinitions
+      - '*'
     verbs:
-      - get
-      - list
+      - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding

examples/k8s/controller/03-rbacdefinition.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: rbacmanager.k8s.io/v1
+kind: RBACDefinition
+metadata:
+  name: rbac-manager-config
+  namespace: rbac-manager
+data:
+  rbac: |-
+    - user: [email protected]
+      clusterRoleBindings:
+        - clusterRole: cluster-admin
+    - user: [email protected]
+      clusterRoleBindings:
+        - clusterRole: edit
+      roleBindings:
+        - clusterRole: cluster-admin
+          namespace: default

examples/k8s/07-controller.yaml → examples/k8s/controller/04-controller.yaml

@@ -16,6 +16,6 @@ spec:
     spec:
       serviceAccountName: rbac-manager
       containers:
-        image: quay.io/reactiveops/rbac-manager:latest
-        name: rbac-manager
-        
+        - name: rbac-manager
+          image: quay.io/reactiveops/rbac-manager:latest
+

examples/k8s/job/00-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: rbac-manager

examples/k8s/job/01-rbac.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rbac-manager
+  namespace: rbac-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: rbac-manager
+rules:
+  - apiGroups:
+      - rbac.authorization.k8s.io
+      - authorization.k8s.io
+    resources:
+      - '*'
+    verbs:
+      - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: rbac-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: rbac-manager
+subjects:
+  - kind: ServiceAccount
+    name: rbac-manager
+    namespace: rbac-manager

examples/k8s/job/02-configmap.yaml

@@ -0,0 +1,17 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: rbac-manager-config
+  namespace: rbac-manager
+data:
+  rbac.yaml: |-
+    - user: [email protected]
+      clusterRoleBindings:
+        - clusterRole: cluster-admin
+    - user: [email protected]
+      clusterRoleBindings:
+        - clusterRole: edit
+      roleBindings:
+        - clusterRole: cluster-admin
+          namespace: default

examples/k8s/04-job.yaml → examples/k8s/job/03-job.yaml

@@ -1,26 +1,25 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: rbac-manager-2
+  name: rbac-manager
   namespace: rbac-manager
 spec:
-  backoffLimit: 1
+  backoffLimit: 0
   template:
     spec:
       restartPolicy: Never
       serviceAccountName: rbac-manager
       containers:
         - name: rbac-manager
-          image: quay.io/robertjscott/rbac-manager:0.1.3
+          image: quay.io/reactiveops/rbac-manager:latest
           command:
-            - python 
-            - manage-rbac.py 
-            - --config 
+            - python
+            - manage_rbac.py
+            - --config
             - config/rbac.yaml
           volumeMounts:
           - name: rbac-manager-config
             mountPath: /rbac-manager/config
-
       volumes:
         - name: rbac-manager-config
           configMap:

manage_rbac.py

@@ -10,7 +10,7 @@
 from kubernetes.client.rest import ApiException
 
 
-logging.basicConfig(level=logging.DEBUG, format='%(levelname)s: %(message)s')
+logging.basicConfig(level=logging.INFO, format='%(levelname)s: %(message)s')
 logger = logging.getLogger(__name__)