Add metadata flags for name, namespace and annotations #92

Closed
paulbarfuss opened this issue Dec 8, 2023 · 5 comments · Fixed by #105
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@paulbarfuss

What would you like to be added:

Add flags to customize:

  • Metadata.Name
  • Metadata.Namespace
  • Metadata.Annotations

Why is this needed:

For the rbac-tool gen and rbac-tool show commands it would be useful for automation to be able to customize the object metadata during role generation.

For example:

# Generate a ClusterRole with all the available permissions for core and apps api groups
rbac-tool show \
  --for-groups=,apps \
  --scope namespace \
  --name foo \
  --namespace bar \
  --annotations argocd.argoproj.io/sync-wave=2,rbac.authorization.kubernetes.io/autoupdate=true

With these flags it would be possible to generate fully functional roles without having to make modifications to the YAML after running the tool.

@gadinaor
Contributor

gadinaor commented Jan 1, 2024

@paulbarfuss - HNY and thanks for the above - a few questions/comments:

  • gen command was intended to be used in an automation pipeline and the proposed changes look fine. I would just keep the existing values (for name and namespace) as the default for the CLI options you've added.

  • show was originally intended to be something that helps a user to better understand the overall cluster permissions and the underlying aspects (verbs, kind, resources, ...) of those permissions. How do you see the show command used in an automation workflow?

@paulbarfuss
Author

HNY to you as well @gadinaor

Thank you for having a look! I am going to remove the merge logic on the show command as that should be a separate GH issue and may circle back to that at a later date.

The short answer is that I was looking for a way to manage RBAC like rbac-tool gen that includes the ability to fine tune access to subresources.

I will update the name/namespace to match the existing values as well on the open PR as there is some good value in those changes, as long as they don't modify existing behavior with the default values.

@diesello

Hi @paulbarfuss

Did you have a chance to look into it and update the code?

@paulbarfuss
Author

Hi @gadinaor

I have updated the PR to better maintain the original intent and functionality of the gen and show commands.

The original thought around using show to generate RBAC is to leverage the generateRulesWithSubResources function in case a user wanted to define sub-resources. I dropped that added function from the new PR and only included the metadata flags as this would be very useful without introducing any breaking changes, or changing the current default values.

@gadinaor-r7
Contributor

Available in v1.18.0
