diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/cronjob_admin_role.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/cronjob_admin_role.yaml new file mode 100644 index 00000000000..234d656da08 --- /dev/null +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/cronjob_admin_role.yaml @@ -0,0 +1,27 @@ +# This rule is not used by the project project itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over batch.tutorial.kubebuilder.io. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: project + app.kubernetes.io/managed-by: kustomize + name: cronjob-admin-role +rules: +- apiGroups: + - batch.tutorial.kubebuilder.io + resources: + - cronjobs + verbs: + - '*' +- apiGroups: + - batch.tutorial.kubebuilder.io + resources: + - cronjobs/status + verbs: + - get diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/cronjob_editor_role.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/cronjob_editor_role.yaml index c36d86e55d6..f0ccbbe8662 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/cronjob_editor_role.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/cronjob_editor_role.yaml 
@@ -1,4 +1,10 @@ -# permissions for end users to edit cronjobs. +# This rule is not used by the project project itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the batch.tutorial.kubebuilder.io. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/cronjob_viewer_role.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/cronjob_viewer_role.yaml index 0bfb9809718..d8200790df3 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/cronjob_viewer_role.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/cronjob_viewer_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to view cronjobs. +# This rule is not used by the project project itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to batch.tutorial.kubebuilder.io resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml index 39fe987357a..53466ccd0ac 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml 
@@ -18,10 +18,11 @@ resources: - metrics_auth_role.yaml - metrics_auth_role_binding.yaml - metrics_reader_role.yaml -# For each CRD, "Editor" and "Viewer" roles are scaffolded by +# For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are -# not used by the Project itself. You can comment the following lines +# not used by the {{ .ProjectName }} itself. You can comment the following lines # if you do not want those helpers be installed with your Project. +- cronjob_admin_role.yaml - cronjob_editor_role.yaml - cronjob_viewer_role.yaml diff --git a/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml b/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml index 2cb67e5e885..888858829a1 100644 --- a/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml +++ b/docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml @@ -3865,6 +3865,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project + name: project-cronjob-admin-role +rules: +- apiGroups: + - batch.tutorial.kubebuilder.io + resources: + - cronjobs + verbs: + - '*' +- apiGroups: + - batch.tutorial.kubebuilder.io + resources: + - cronjobs/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml index 603bdba9fb5..d8975bd4b46 100644 --- a/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml +++ b/docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml 
@@ -18,10 +18,11 @@ resources: - metrics_auth_role.yaml - metrics_auth_role_binding.yaml - metrics_reader_role.yaml -# For each CRD, "Editor" and "Viewer" roles are scaffolded by +# For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are -# not used by the Project itself. You can comment the following lines +# not used by the {{ .ProjectName }} itself. You can comment the following lines # if you do not want those helpers be installed with your Project. +- memcached_admin_role.yaml - memcached_editor_role.yaml - memcached_viewer_role.yaml diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/memcached_admin_role.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/memcached_admin_role.yaml new file mode 100644 index 00000000000..f42561d75b9 --- /dev/null +++ b/docs/book/src/getting-started/testdata/project/config/rbac/memcached_admin_role.yaml @@ -0,0 +1,27 @@ +# This rule is not used by the project project itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over cache.example.com. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: project + app.kubernetes.io/managed-by: kustomize + name: memcached-admin-role +rules: +- apiGroups: + - cache.example.com + resources: + - memcacheds + verbs: + - '*' +- apiGroups: + - cache.example.com + resources: + - memcacheds/status + verbs: + - get diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/memcached_editor_role.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/memcached_editor_role.yaml index 03058d077d2..a3542f23263 100644 
--- a/docs/book/src/getting-started/testdata/project/config/rbac/memcached_editor_role.yaml +++ b/docs/book/src/getting-started/testdata/project/config/rbac/memcached_editor_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to edit memcacheds. +# This rule is not used by the project project itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the cache.example.com. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/docs/book/src/getting-started/testdata/project/config/rbac/memcached_viewer_role.yaml b/docs/book/src/getting-started/testdata/project/config/rbac/memcached_viewer_role.yaml index 8ec26d3ffd5..079cb76a538 100644 --- a/docs/book/src/getting-started/testdata/project/config/rbac/memcached_viewer_role.yaml +++ b/docs/book/src/getting-started/testdata/project/config/rbac/memcached_viewer_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to view memcacheds. +# This rule is not used by the project project itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to cache.example.com resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/docs/book/src/getting-started/testdata/project/dist/install.yaml b/docs/book/src/getting-started/testdata/project/dist/install.yaml index b53b8dbdccf..5e0bb83ffcb 100644 --- a/docs/book/src/getting-started/testdata/project/dist/install.yaml +++ b/docs/book/src/getting-started/testdata/project/dist/install.yaml 
@@ -234,6 +234,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project + name: project-memcached-admin-role +rules: +- apiGroups: + - cache.example.com + resources: + - memcacheds + verbs: + - '*' +- apiGroups: + - cache.example.com + resources: + - memcacheds/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/rbac/cronjob_admin_role.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/rbac/cronjob_admin_role.yaml new file mode 100644 index 00000000000..234d656da08 --- /dev/null +++ b/docs/book/src/multiversion-tutorial/testdata/project/config/rbac/cronjob_admin_role.yaml @@ -0,0 +1,27 @@ +# This rule is not used by the project project itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over batch.tutorial.kubebuilder.io. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: project + app.kubernetes.io/managed-by: kustomize + name: cronjob-admin-role +rules: +- apiGroups: + - batch.tutorial.kubebuilder.io + resources: + - cronjobs + verbs: + - '*' +- apiGroups: + - batch.tutorial.kubebuilder.io + resources: + - cronjobs/status + verbs: + - get diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/rbac/cronjob_editor_role.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/rbac/cronjob_editor_role.yaml index c36d86e55d6..f0ccbbe8662 100644 
--- a/docs/book/src/multiversion-tutorial/testdata/project/config/rbac/cronjob_editor_role.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/config/rbac/cronjob_editor_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to edit cronjobs. +# This rule is not used by the project project itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the batch.tutorial.kubebuilder.io. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/rbac/cronjob_viewer_role.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/rbac/cronjob_viewer_role.yaml index 0bfb9809718..d8200790df3 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/rbac/cronjob_viewer_role.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/config/rbac/cronjob_viewer_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to view cronjobs. +# This rule is not used by the project project itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to batch.tutorial.kubebuilder.io resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/docs/book/src/multiversion-tutorial/testdata/project/config/rbac/kustomization.yaml b/docs/book/src/multiversion-tutorial/testdata/project/config/rbac/kustomization.yaml index 39fe987357a..53466ccd0ac 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/config/rbac/kustomization.yaml 
+++ b/docs/book/src/multiversion-tutorial/testdata/project/config/rbac/kustomization.yaml @@ -18,10 +18,11 @@ resources: - metrics_auth_role.yaml - metrics_auth_role_binding.yaml - metrics_reader_role.yaml -# For each CRD, "Editor" and "Viewer" roles are scaffolded by +# For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are -# not used by the Project itself. You can comment the following lines +# not used by the {{ .ProjectName }} itself. You can comment the following lines # if you do not want those helpers be installed with your Project. +- cronjob_admin_role.yaml - cronjob_editor_role.yaml - cronjob_viewer_role.yaml diff --git a/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml b/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml index 1d348e3fa47..adba5b0cae5 100644 --- a/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml +++ b/docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml @@ -7676,6 +7676,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project + name: project-cronjob-admin-role +rules: +- apiGroups: + - batch.tutorial.kubebuilder.io + resources: + - cronjobs + verbs: + - '*' +- apiGroups: + - batch.tutorial.kubebuilder.io + resources: + - cronjobs/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/api.go b/pkg/plugins/common/kustomize/v2/scaffolds/api.go index a5b82a3ca53..77eccd42bbc 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/api.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/api.go 
@@ -75,6 +75,7 @@ func (s *apiScaffolder) Scaffold() error { if s.resource.HasAPI() { if err := scaffold.Execute( &samples.CRDSample{Force: s.force}, + &rbac.CRDAdminRole{}, &rbac.CRDEditorRole{}, &rbac.CRDViewerRole{}, &crd.Kustomization{}, @@ -100,22 +101,22 @@ func (s *apiScaffolder) Scaffold() error { } } - // Add scaffolded CRD Editor and Viewer roles in config/rbac/kustomization.yaml + // Add scaffolded CRD Admin, Editor and Viewer roles in config/rbac/kustomization.yaml rbacKustomizeFilePath := "config/rbac/kustomization.yaml" err = pluginutil.AppendCodeIfNotExist(rbacKustomizeFilePath, - editViewRulesCommentFragment) + adminEditViewRulesCommentFragment) if err != nil { - log.Errorf("Unable to append the edit/view roles comment in the file "+ + log.Errorf("Unable to append the admin/edit/view roles comment in the file "+ "%s.", rbacKustomizeFilePath) } crdName := strings.ToLower(s.resource.Kind) if s.config.IsMultiGroup() && s.resource.Group != "" { crdName = strings.ToLower(s.resource.Group) + "_" + crdName } - err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath, editViewRulesCommentFragment, - fmt.Sprintf("\n- %[1]s_editor_role.yaml\n- %[1]s_viewer_role.yaml", crdName)) + err = pluginutil.InsertCodeIfNotExist(rbacKustomizeFilePath, adminEditViewRulesCommentFragment, + fmt.Sprintf("\n- %[1]s_admin_role.yaml\n- %[1]s_editor_role.yaml\n- %[1]s_viewer_role.yaml", crdName)) if err != nil { - log.Errorf("Unable to add Editor and Viewer roles in the file "+ + log.Errorf("Unable to add Admin, Editor and Viewer roles in the file "+ "%s.", rbacKustomizeFilePath) } // Add an empty line at the end of the file 
@@ -132,7 +133,7 @@ func (s *apiScaffolder) Scaffold() error { return nil } -const editViewRulesCommentFragment = `# For each CRD, "Editor" and "Viewer" roles are scaffolded by +const adminEditViewRulesCommentFragment = `# For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are -# not used by the Project itself. You can comment the following lines +# not used by the {{ .ProjectName }} itself. You can comment the following lines # if you do not want those helpers be installed with your Project.` diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/crd_admin_role.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/crd_admin_role.go new file mode 100644 index 00000000000..be92c896f2f --- /dev/null +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/crd_admin_role.go 
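Review bot: The `{{ .ProjectName }}` placeholder added to adminEditViewRulesCommentFragment is never rendered: the constant is written into config/rbac/kustomization.yaml verbatim by pluginutil.AppendCodeIfNotExist and pluginutil.InsertCodeIfNotExist in the preceding hunk (@@ -100,22 +101,22 @@), and the scaffolded testdata in this same commit (the config/rbac/kustomization.yaml hunks of the cronjob, getting-started and multiversion projects) already shows the literal text `# not used by the {{ .ProjectName }} itself.` landing in user projects. Because this fragment is also the anchor string those helpers search for, it should stay plain text: `# not used by the Project itself. You can comment the following lines`. If the project name is really wanted in the comment, substitute it with fmt.Sprintf before calling the helpers rather than with template syntax that nothing executes.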
@@ -0,0 +1,95 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +//nolint:dupl +package rbac + +import ( + "fmt" + "path/filepath" + "strings" + + "sigs.k8s.io/kubebuilder/v4/pkg/machinery" +) + +var _ machinery.Template = &CRDAdminRole{} + +// CRDAdminRole scaffolds a file that defines the role that allows full control over plurals +type CRDAdminRole struct { + machinery.TemplateMixin + machinery.MultiGroupMixin + machinery.ResourceMixin + machinery.ProjectNameMixin + + RoleName string +} + +// SetTemplateDefaults implements file.Template +func (f *CRDAdminRole) SetTemplateDefaults() error { + if f.Path == "" { + if f.MultiGroup && f.Resource.Group != "" { + f.Path = filepath.Join("config", "rbac", "%[group]_%[kind]_admin_role.yaml") + } else { + f.Path = filepath.Join("config", "rbac", "%[kind]_admin_role.yaml") + } + + } + f.Path = f.Resource.Replacer().Replace(f.Path) + + if f.RoleName == "" { + if f.MultiGroup && f.Resource.Group != "" { + f.RoleName = fmt.Sprintf("%s-%s-admin-role", + strings.ToLower(f.Resource.Group), + strings.ToLower(f.Resource.Kind)) + } else { + f.RoleName = fmt.Sprintf("%s-admin-role", + strings.ToLower(f.Resource.Kind)) + } + } + + f.TemplateBody = crdRoleAdminTemplate + + return nil +} + +const crdRoleAdminTemplate = `# This rule is not used by the project {{ .ProjectName }} itself. +# It is provided to allow the cluster admin to help manage permissions for users. 
+# +# Grants full permissions ('*') over {{ .Resource.QualifiedGroup }}. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: {{ .ProjectName }} + app.kubernetes.io/managed-by: kustomize + name: {{ .RoleName }} +rules: +- apiGroups: + - {{ .Resource.QualifiedGroup }} + resources: + - {{ .Resource.Plural }} + verbs: + - '*' +- apiGroups: + - {{ .Resource.QualifiedGroup }} + resources: + - {{ .Resource.Plural }}/status + verbs: + - get +` diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/crd_editor_role.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/crd_editor_role.go index c7668c821b2..554968840b6 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/crd_editor_role.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/crd_editor_role.go @@ -65,7 +65,13 @@ func (f *CRDEditorRole) SetTemplateDefaults() error { return nil } -const crdRoleEditorTemplate = `# permissions for end users to edit {{ .Resource.Plural }}. +const crdRoleEditorTemplate = `# This rule is not used by the project {{ .ProjectName }} itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the {{ .Resource.QualifiedGroup }}. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
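Review bot: The header comment in crdRoleAdminTemplate overstates what the role grants: it says the role is for users authorized to modify roles and bindings and lets them delegate permissions, but the rules that follow grant only `'*'` on `{{ .Resource.Plural }}` and `get` on `{{ .Resource.Plural }}/status` in `{{ .Resource.QualifiedGroup }}`, with no verbs on rbac.authorization.k8s.io, so a subject bound to it cannot create roles or bindings and under RBAC escalation prevention can only hand out permissions it already holds through some other binding. An administrator reading the comment could bind it believing it is scoped to RBAC delegators, or assume it is harmless because it "only" delegates, when it is in fact an unrestricted grant over the CRD (the `'*'` verb also matches any verb added later). Suggest replacing the two intent lines with `# This role is for users who need unrestricted access to these resources; it grants no RBAC verbs,` and `# so it does not by itself allow the holder to delegate permissions to others.`. Fixing the template fixes every generated *_admin_role.yaml in this commit, which carry the same wording verbatim.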
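Review bot: The new header comment in crdRoleEditorTemplate reads `# Grants permissions to create, update, and delete resources within the {{ .Resource.QualifiedGroup }}.`, which renders as "within the batch.tutorial.kubebuilder.io." (a dangling article) and speaks of "resources" of the whole group, while the rule that follows (outside this hunk) is, judging by the sibling admin template, scoped to one plural. Suggest `# Grants permissions to create, update, and delete {{ .Resource.Plural }} in the {{ .Resource.QualifiedGroup }} API group.` so the documented scope matches the grant. The first line should also say `# This role is not used by the project {{ .ProjectName }} itself.` since the file defines a ClusterRole, not a rule. The ClusterRole's rules continue past the end of the hunk.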
diff --git a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/crd_viewer_role.go b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/crd_viewer_role.go index 18d3f0a5785..639ebf80b2c 100644 --- a/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/crd_viewer_role.go +++ b/pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/rbac/crd_viewer_role.go @@ -65,7 +65,13 @@ func (f *CRDViewerRole) SetTemplateDefaults() error { return nil } -const crdRoleViewerTemplate = `# permissions for end users to view {{ .Resource.Plural }}. +const crdRoleViewerTemplate = `# This rule is not used by the project {{ .ProjectName }} itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to {{ .Resource.QualifiedGroup }} resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4-multigroup/config/rbac/crew_captain_admin_role.yaml b/testdata/project-v4-multigroup/config/rbac/crew_captain_admin_role.yaml new file mode 100644 index 00000000000..988002fb2c9 --- /dev/null +++ b/testdata/project-v4-multigroup/config/rbac/crew_captain_admin_role.yaml 
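Review bot: The viewer header comment `# Grants read-only access to {{ .Resource.QualifiedGroup }} resources.` reads as read access to the whole API group, while the rules below the hunk (not visible here) are presumably limited to `{{ .Resource.Plural }}` and its status subresource as in the admin template; the documented scope should match the rules so an administrator binding it does not assume broader visibility than it confers. Suggest `# Grants read-only access to {{ .Resource.Plural }} in the {{ .Resource.QualifiedGroup }} API group.`. The opening line should likewise say `# This role is not used by the project {{ .ProjectName }} itself.`, since the file defines a ClusterRole rather than a rule, and the same wording is repeated in the editor template. The ClusterRole's rules continue past the end of the hunk.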
@@ -0,0 +1,27 @@ +# This rule is not used by the project project-v4-multigroup itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over crew.testproject.org. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: project-v4-multigroup + app.kubernetes.io/managed-by: kustomize + name: crew-captain-admin-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - captains + verbs: + - '*' +- apiGroups: + - crew.testproject.org + resources: + - captains/status + verbs: + - get diff --git a/testdata/project-v4-multigroup/config/rbac/crew_captain_editor_role.yaml b/testdata/project-v4-multigroup/config/rbac/crew_captain_editor_role.yaml index c6a33cbfbda..f7c2c684cb2 100644 --- a/testdata/project-v4-multigroup/config/rbac/crew_captain_editor_role.yaml +++ b/testdata/project-v4-multigroup/config/rbac/crew_captain_editor_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to edit captains. +# This rule is not used by the project project-v4-multigroup itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the crew.testproject.org. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4-multigroup/config/rbac/crew_captain_viewer_role.yaml b/testdata/project-v4-multigroup/config/rbac/crew_captain_viewer_role.yaml index 7d723490e56..ee61648dcbe 100644 --- a/testdata/project-v4-multigroup/config/rbac/crew_captain_viewer_role.yaml 
+++ b/testdata/project-v4-multigroup/config/rbac/crew_captain_viewer_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to view captains. +# This rule is not used by the project project-v4-multigroup itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to crew.testproject.org resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4-multigroup/config/rbac/example.com_busybox_admin_role.yaml b/testdata/project-v4-multigroup/config/rbac/example.com_busybox_admin_role.yaml new file mode 100644 index 00000000000..fa7bd0bca23 --- /dev/null +++ b/testdata/project-v4-multigroup/config/rbac/example.com_busybox_admin_role.yaml @@ -0,0 +1,27 @@ +# This rule is not used by the project project-v4-multigroup itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over example.com.testproject.org. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: project-v4-multigroup + app.kubernetes.io/managed-by: kustomize + name: example.com-busybox-admin-role +rules: +- apiGroups: + - example.com.testproject.org + resources: + - busyboxes + verbs: + - '*' +- apiGroups: + - example.com.testproject.org + resources: + - busyboxes/status + verbs: + - get diff --git a/testdata/project-v4-multigroup/config/rbac/example.com_busybox_editor_role.yaml b/testdata/project-v4-multigroup/config/rbac/example.com_busybox_editor_role.yaml index bcaffc621e4..921538e9646 100644 
--- a/testdata/project-v4-multigroup/config/rbac/example.com_busybox_editor_role.yaml +++ b/testdata/project-v4-multigroup/config/rbac/example.com_busybox_editor_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to edit busyboxes. +# This rule is not used by the project project-v4-multigroup itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the example.com.testproject.org. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4-multigroup/config/rbac/example.com_busybox_viewer_role.yaml b/testdata/project-v4-multigroup/config/rbac/example.com_busybox_viewer_role.yaml index c4121f22e51..a1c9b6225d1 100644 --- a/testdata/project-v4-multigroup/config/rbac/example.com_busybox_viewer_role.yaml +++ b/testdata/project-v4-multigroup/config/rbac/example.com_busybox_viewer_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to view busyboxes. +# This rule is not used by the project project-v4-multigroup itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to example.com.testproject.org resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4-multigroup/config/rbac/example.com_memcached_admin_role.yaml b/testdata/project-v4-multigroup/config/rbac/example.com_memcached_admin_role.yaml new file mode 100644 index 00000000000..592c5c26e83 --- /dev/null +++ b/testdata/project-v4-multigroup/config/rbac/example.com_memcached_admin_role.yaml 
@@ -0,0 +1,27 @@
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over example.com.testproject.org.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: project-v4-multigroup
+ app.kubernetes.io/managed-by: kustomize
+ name: example.com-memcached-admin-role
+rules:
+- apiGroups:
+ - example.com.testproject.org
+ resources:
+ - memcacheds
+ verbs:
+ - '*'
+- apiGroups:
+ - example.com.testproject.org
+ resources:
+ - memcacheds/status
+ verbs:
+ - get
diff --git a/testdata/project-v4-multigroup/config/rbac/example.com_memcached_editor_role.yaml b/testdata/project-v4-multigroup/config/rbac/example.com_memcached_editor_role.yaml
index e5e1036db95..2de60b2cb5b 100644
--- a/testdata/project-v4-multigroup/config/rbac/example.com_memcached_editor_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/example.com_memcached_editor_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to edit memcacheds.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the example.com.testproject.org.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/example.com_memcached_viewer_role.yaml b/testdata/project-v4-multigroup/config/rbac/example.com_memcached_viewer_role.yaml
index 0bd3312686d..a8dc440ac70 100644
--- a/testdata/project-v4-multigroup/config/rbac/example.com_memcached_viewer_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/example.com_memcached_viewer_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to view memcacheds.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to example.com.testproject.org resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/example.com_wordpress_admin_role.yaml b/testdata/project-v4-multigroup/config/rbac/example.com_wordpress_admin_role.yaml
new file mode 100644
index 00000000000..b2bd9b39bbb
--- /dev/null
+++ b/testdata/project-v4-multigroup/config/rbac/example.com_wordpress_admin_role.yaml
@@ -0,0 +1,27 @@
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over example.com.testproject.org.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: project-v4-multigroup
+ app.kubernetes.io/managed-by: kustomize
+ name: example.com-wordpress-admin-role
+rules:
+- apiGroups:
+ - example.com.testproject.org
+ resources:
+ - wordpresses
+ verbs:
+ - '*'
+- apiGroups:
+ - example.com.testproject.org
+ resources:
+ - wordpresses/status
+ verbs:
+ - get
diff --git a/testdata/project-v4-multigroup/config/rbac/example.com_wordpress_editor_role.yaml b/testdata/project-v4-multigroup/config/rbac/example.com_wordpress_editor_role.yaml
index 952b9f79f16..11ef9173dd8 100644
--- a/testdata/project-v4-multigroup/config/rbac/example.com_wordpress_editor_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/example.com_wordpress_editor_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to edit wordpresses.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the example.com.testproject.org.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/example.com_wordpress_viewer_role.yaml b/testdata/project-v4-multigroup/config/rbac/example.com_wordpress_viewer_role.yaml
index bfc87af1aff..00bf6d1cdcf 100644
--- a/testdata/project-v4-multigroup/config/rbac/example.com_wordpress_viewer_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/example.com_wordpress_viewer_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to view wordpresses.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to example.com.testproject.org resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/fiz_bar_admin_role.yaml b/testdata/project-v4-multigroup/config/rbac/fiz_bar_admin_role.yaml
new file mode 100644
index 00000000000..4cbc9530277
--- /dev/null
+++ b/testdata/project-v4-multigroup/config/rbac/fiz_bar_admin_role.yaml
@@ -0,0 +1,27 @@
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over fiz.testproject.org.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: project-v4-multigroup
+ app.kubernetes.io/managed-by: kustomize
+ name: fiz-bar-admin-role
+rules:
+- apiGroups:
+ - fiz.testproject.org
+ resources:
+ - bars
+ verbs:
+ - '*'
+- apiGroups:
+ - fiz.testproject.org
+ resources:
+ - bars/status
+ verbs:
+ - get
diff --git a/testdata/project-v4-multigroup/config/rbac/fiz_bar_editor_role.yaml b/testdata/project-v4-multigroup/config/rbac/fiz_bar_editor_role.yaml
index 6ce5d8f2ef9..2a1ac148d3a 100644
--- a/testdata/project-v4-multigroup/config/rbac/fiz_bar_editor_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/fiz_bar_editor_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to edit bars.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the fiz.testproject.org.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/fiz_bar_viewer_role.yaml b/testdata/project-v4-multigroup/config/rbac/fiz_bar_viewer_role.yaml
index 744a0a955c0..a1dcd036251 100644
--- a/testdata/project-v4-multigroup/config/rbac/fiz_bar_viewer_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/fiz_bar_viewer_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to view bars.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to fiz.testproject.org resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/foo.policy_healthcheckpolicy_admin_role.yaml b/testdata/project-v4-multigroup/config/rbac/foo.policy_healthcheckpolicy_admin_role.yaml
new file mode 100644
index 00000000000..8ac2503e11e
--- /dev/null
+++ b/testdata/project-v4-multigroup/config/rbac/foo.policy_healthcheckpolicy_admin_role.yaml
@@ -0,0 +1,27 @@
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over foo.policy.testproject.org.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: project-v4-multigroup
+ app.kubernetes.io/managed-by: kustomize
+ name: foo.policy-healthcheckpolicy-admin-role
+rules:
+- apiGroups:
+ - foo.policy.testproject.org
+ resources:
+ - healthcheckpolicies
+ verbs:
+ - '*'
+- apiGroups:
+ - foo.policy.testproject.org
+ resources:
+ - healthcheckpolicies/status
+ verbs:
+ - get
diff --git a/testdata/project-v4-multigroup/config/rbac/foo.policy_healthcheckpolicy_editor_role.yaml b/testdata/project-v4-multigroup/config/rbac/foo.policy_healthcheckpolicy_editor_role.yaml
index 66fa7944f70..fcd9a3f4412 100644
--- a/testdata/project-v4-multigroup/config/rbac/foo.policy_healthcheckpolicy_editor_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/foo.policy_healthcheckpolicy_editor_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to edit healthcheckpolicies.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the foo.policy.testproject.org.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/foo.policy_healthcheckpolicy_viewer_role.yaml b/testdata/project-v4-multigroup/config/rbac/foo.policy_healthcheckpolicy_viewer_role.yaml
index dff3ea7abc0..1c80f81feb6 100644
--- a/testdata/project-v4-multigroup/config/rbac/foo.policy_healthcheckpolicy_viewer_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/foo.policy_healthcheckpolicy_viewer_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to view healthcheckpolicies.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to foo.policy.testproject.org resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/foo_bar_admin_role.yaml b/testdata/project-v4-multigroup/config/rbac/foo_bar_admin_role.yaml
new file mode 100644
index 00000000000..17fc4b953c8
--- /dev/null
+++ b/testdata/project-v4-multigroup/config/rbac/foo_bar_admin_role.yaml
@@ -0,0 +1,27 @@
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over foo.testproject.org.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: project-v4-multigroup
+ app.kubernetes.io/managed-by: kustomize
+ name: foo-bar-admin-role
+rules:
+- apiGroups:
+ - foo.testproject.org
+ resources:
+ - bars
+ verbs:
+ - '*'
+- apiGroups:
+ - foo.testproject.org
+ resources:
+ - bars/status
+ verbs:
+ - get
diff --git a/testdata/project-v4-multigroup/config/rbac/foo_bar_editor_role.yaml b/testdata/project-v4-multigroup/config/rbac/foo_bar_editor_role.yaml
index f05089941a4..005631674c8 100644
--- a/testdata/project-v4-multigroup/config/rbac/foo_bar_editor_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/foo_bar_editor_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to edit bars.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the foo.testproject.org.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/foo_bar_viewer_role.yaml b/testdata/project-v4-multigroup/config/rbac/foo_bar_viewer_role.yaml
index eabf9ee517b..dba94237de9 100644
--- a/testdata/project-v4-multigroup/config/rbac/foo_bar_viewer_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/foo_bar_viewer_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to view bars.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to foo.testproject.org resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/kustomization.yaml b/testdata/project-v4-multigroup/config/rbac/kustomization.yaml
index bea2c901ef8..7bdeb3156c2 100644
--- a/testdata/project-v4-multigroup/config/rbac/kustomization.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/kustomization.yaml
@@ -18,32 +18,44 @@ resources:
 - metrics_auth_role.yaml
 - metrics_auth_role_binding.yaml
 - metrics_reader_role.yaml
-# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by
 # default, aiding admins in cluster management. Those roles are
-# not used by the Project itself. You can comment the following lines
+# not used by the {{ .ProjectName }} itself. You can comment the following lines
 # if you do not want those helpers be installed with your Project.
+- example.com_wordpress_admin_role.yaml
 - example.com_wordpress_editor_role.yaml
 - example.com_wordpress_viewer_role.yaml
+- example.com_busybox_admin_role.yaml
 - example.com_busybox_editor_role.yaml
 - example.com_busybox_viewer_role.yaml
+- example.com_memcached_admin_role.yaml
 - example.com_memcached_editor_role.yaml
 - example.com_memcached_viewer_role.yaml
+- fiz_bar_admin_role.yaml
 - fiz_bar_editor_role.yaml
 - fiz_bar_viewer_role.yaml
+- foo_bar_admin_role.yaml
 - foo_bar_editor_role.yaml
 - foo_bar_viewer_role.yaml
+- foo.policy_healthcheckpolicy_admin_role.yaml
 - foo.policy_healthcheckpolicy_editor_role.yaml
 - foo.policy_healthcheckpolicy_viewer_role.yaml
+- sea-creatures_leviathan_admin_role.yaml
 - sea-creatures_leviathan_editor_role.yaml
 - sea-creatures_leviathan_viewer_role.yaml
+- sea-creatures_kraken_admin_role.yaml
 - sea-creatures_kraken_editor_role.yaml
 - sea-creatures_kraken_viewer_role.yaml
+- ship_cruiser_admin_role.yaml
 - ship_cruiser_editor_role.yaml
 - ship_cruiser_viewer_role.yaml
+- ship_destroyer_admin_role.yaml
 - ship_destroyer_editor_role.yaml
 - ship_destroyer_viewer_role.yaml
+- ship_frigate_admin_role.yaml
 - ship_frigate_editor_role.yaml
 - ship_frigate_viewer_role.yaml
+- crew_captain_admin_role.yaml
 - crew_captain_editor_role.yaml
 - crew_captain_viewer_role.yaml
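Review bot: The rewritten comment line `# not used by the {{ .ProjectName }} itself. You can comment the following lines` still carries the raw Go template placeholder; every sibling role header in this commit renders it as the project name, so this file should read `# not used by the project-v4-multigroup itself. You can comment the following lines`. Either the scaffold template for kustomization.yaml emits the placeholder literally or this testdata was edited by hand, and it is worth checking the generator rather than just this copy. Since the admin entries added below are the ones that grant `'*'` and are enabled by default, it would also help to say in this comment that the `_admin_role.yaml` lines are the ones an admin may want to drop.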
diff --git a/testdata/project-v4-multigroup/config/rbac/sea-creatures_kraken_admin_role.yaml b/testdata/project-v4-multigroup/config/rbac/sea-creatures_kraken_admin_role.yaml
new file mode 100644
index 00000000000..622fd9c6fc4
--- /dev/null
+++ b/testdata/project-v4-multigroup/config/rbac/sea-creatures_kraken_admin_role.yaml
@@ -0,0 +1,27 @@
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over sea-creatures.testproject.org.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: project-v4-multigroup
+ app.kubernetes.io/managed-by: kustomize
+ name: sea-creatures-kraken-admin-role
+rules:
+- apiGroups:
+ - sea-creatures.testproject.org
+ resources:
+ - krakens
+ verbs:
+ - '*'
+- apiGroups:
+ - sea-creatures.testproject.org
+ resources:
+ - krakens/status
+ verbs:
+ - get
diff --git a/testdata/project-v4-multigroup/config/rbac/sea-creatures_kraken_editor_role.yaml b/testdata/project-v4-multigroup/config/rbac/sea-creatures_kraken_editor_role.yaml
index 1d372dccf66..e815c7be02b 100644
--- a/testdata/project-v4-multigroup/config/rbac/sea-creatures_kraken_editor_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/sea-creatures_kraken_editor_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to edit krakens.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the sea-creatures.testproject.org.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/sea-creatures_kraken_viewer_role.yaml b/testdata/project-v4-multigroup/config/rbac/sea-creatures_kraken_viewer_role.yaml
index a65c4916546..91882420495 100644
--- a/testdata/project-v4-multigroup/config/rbac/sea-creatures_kraken_viewer_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/sea-creatures_kraken_viewer_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to view krakens.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to sea-creatures.testproject.org resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/sea-creatures_leviathan_admin_role.yaml b/testdata/project-v4-multigroup/config/rbac/sea-creatures_leviathan_admin_role.yaml
new file mode 100644
index 00000000000..c11d7afb069
--- /dev/null
+++ b/testdata/project-v4-multigroup/config/rbac/sea-creatures_leviathan_admin_role.yaml
@@ -0,0 +1,27 @@
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over sea-creatures.testproject.org.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: project-v4-multigroup
+ app.kubernetes.io/managed-by: kustomize
+ name: sea-creatures-leviathan-admin-role
+rules:
+- apiGroups:
+ - sea-creatures.testproject.org
+ resources:
+ - leviathans
+ verbs:
+ - '*'
+- apiGroups:
+ - sea-creatures.testproject.org
+ resources:
+ - leviathans/status
+ verbs:
+ - get
diff --git a/testdata/project-v4-multigroup/config/rbac/sea-creatures_leviathan_editor_role.yaml b/testdata/project-v4-multigroup/config/rbac/sea-creatures_leviathan_editor_role.yaml
index 77d2ff19c22..b8521e15c9e 100644
--- a/testdata/project-v4-multigroup/config/rbac/sea-creatures_leviathan_editor_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/sea-creatures_leviathan_editor_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to edit leviathans.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the sea-creatures.testproject.org.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/sea-creatures_leviathan_viewer_role.yaml b/testdata/project-v4-multigroup/config/rbac/sea-creatures_leviathan_viewer_role.yaml
index e0344e4699b..470eec79564 100644
--- a/testdata/project-v4-multigroup/config/rbac/sea-creatures_leviathan_viewer_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/sea-creatures_leviathan_viewer_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to view leviathans.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to sea-creatures.testproject.org resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/ship_cruiser_admin_role.yaml b/testdata/project-v4-multigroup/config/rbac/ship_cruiser_admin_role.yaml
new file mode 100644
index 00000000000..e473511fa69
--- /dev/null
+++ b/testdata/project-v4-multigroup/config/rbac/ship_cruiser_admin_role.yaml
@@ -0,0 +1,27 @@
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over ship.testproject.org.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: project-v4-multigroup
+ app.kubernetes.io/managed-by: kustomize
+ name: ship-cruiser-admin-role
+rules:
+- apiGroups:
+ - ship.testproject.org
+ resources:
+ - cruisers
+ verbs:
+ - '*'
+- apiGroups:
+ - ship.testproject.org
+ resources:
+ - cruisers/status
+ verbs:
+ - get
diff --git a/testdata/project-v4-multigroup/config/rbac/ship_cruiser_editor_role.yaml b/testdata/project-v4-multigroup/config/rbac/ship_cruiser_editor_role.yaml
index 32a0bcaf91e..b8a8d4f2ba8 100644
--- a/testdata/project-v4-multigroup/config/rbac/ship_cruiser_editor_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/ship_cruiser_editor_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to edit cruisers.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the ship.testproject.org.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/ship_cruiser_viewer_role.yaml b/testdata/project-v4-multigroup/config/rbac/ship_cruiser_viewer_role.yaml
index 287ffcc397a..266a0c69326 100644
--- a/testdata/project-v4-multigroup/config/rbac/ship_cruiser_viewer_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/ship_cruiser_viewer_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to view cruisers.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to ship.testproject.org resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/ship_destroyer_admin_role.yaml b/testdata/project-v4-multigroup/config/rbac/ship_destroyer_admin_role.yaml
new file mode 100644
index 00000000000..c7b40fff406
--- /dev/null
+++ b/testdata/project-v4-multigroup/config/rbac/ship_destroyer_admin_role.yaml
@@ -0,0 +1,27 @@
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over ship.testproject.org.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: project-v4-multigroup
+ app.kubernetes.io/managed-by: kustomize
+ name: ship-destroyer-admin-role
+rules:
+- apiGroups:
+ - ship.testproject.org
+ resources:
+ - destroyers
+ verbs:
+ - '*'
+- apiGroups:
+ - ship.testproject.org
+ resources:
+ - destroyers/status
+ verbs:
+ - get
diff --git a/testdata/project-v4-multigroup/config/rbac/ship_destroyer_editor_role.yaml b/testdata/project-v4-multigroup/config/rbac/ship_destroyer_editor_role.yaml
index 8b0aa1da540..00ef05e933c 100644
--- a/testdata/project-v4-multigroup/config/rbac/ship_destroyer_editor_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/ship_destroyer_editor_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to edit destroyers.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the ship.testproject.org.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/ship_destroyer_viewer_role.yaml b/testdata/project-v4-multigroup/config/rbac/ship_destroyer_viewer_role.yaml
index 027ff57455a..d598c1ef65a 100644
--- a/testdata/project-v4-multigroup/config/rbac/ship_destroyer_viewer_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/ship_destroyer_viewer_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to view destroyers.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to ship.testproject.org resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/ship_frigate_admin_role.yaml b/testdata/project-v4-multigroup/config/rbac/ship_frigate_admin_role.yaml
new file mode 100644
index 00000000000..85d6ec140ac
--- /dev/null
+++ b/testdata/project-v4-multigroup/config/rbac/ship_frigate_admin_role.yaml
@@ -0,0 +1,27 @@
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over ship.testproject.org.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: project-v4-multigroup
+ app.kubernetes.io/managed-by: kustomize
+ name: ship-frigate-admin-role
+rules:
+- apiGroups:
+ - ship.testproject.org
+ resources:
+ - frigates
+ verbs:
+ - '*'
+- apiGroups:
+ - ship.testproject.org
+ resources:
+ - frigates/status
+ verbs:
+ - get
diff --git a/testdata/project-v4-multigroup/config/rbac/ship_frigate_editor_role.yaml b/testdata/project-v4-multigroup/config/rbac/ship_frigate_editor_role.yaml
index d0b243c8886..569d8e9927a 100644
--- a/testdata/project-v4-multigroup/config/rbac/ship_frigate_editor_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/ship_frigate_editor_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to edit frigates.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the ship.testproject.org.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/config/rbac/ship_frigate_viewer_role.yaml b/testdata/project-v4-multigroup/config/rbac/ship_frigate_viewer_role.yaml
index f8d54802480..aecad6cf652 100644
--- a/testdata/project-v4-multigroup/config/rbac/ship_frigate_viewer_role.yaml
+++ b/testdata/project-v4-multigroup/config/rbac/ship_frigate_viewer_role.yaml
@@ -1,4 +1,10 @@
-# permissions for end users to view frigates.
+# This rule is not used by the project project-v4-multigroup itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to ship.testproject.org resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/testdata/project-v4-multigroup/dist/install.yaml b/testdata/project-v4-multigroup/dist/install.yaml
index 9314e157316..48d48cda351 100644
--- a/testdata/project-v4-multigroup/dist/install.yaml
+++ b/testdata/project-v4-multigroup/dist/install.yaml
@@ -884,6 +884,27 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: project-v4-multigroup
+ name: project-v4-multigroup-crew-captain-admin-role
+rules:
+- apiGroups:
+ - crew.testproject.org
+ resources:
+ - captains
+ verbs:
+ - '*'
+- apiGroups:
+ - crew.testproject.org
+ resources:
+ - captains/status
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
 labels:
 app.kubernetes.io/managed-by: kustomize
@@ -934,6 +955,27 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: project-v4-multigroup
+ name: project-v4-multigroup-example.com-busybox-admin-role
+rules:
+- apiGroups:
+ - example.com.testproject.org
+ resources:
+ - busyboxes
+ verbs:
+ - '*'
+- apiGroups:
+ - example.com.testproject.org
+ resources:
+ - busyboxes/status
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
 labels:
 app.kubernetes.io/managed-by: kustomize
@@ -984,6 +1026,27 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/name: project-v4-multigroup
+ name: project-v4-multigroup-example.com-memcached-admin-role
+rules:
+- apiGroups:
+ - example.com.testproject.org
+ resources:
+ - memcacheds
+ verbs:
+ - '*'
+- apiGroups:
+ - example.com.testproject.org
+ resources:
+ - memcacheds/status
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
 labels:
 app.kubernetes.io/managed-by: kustomize
@@ -1034,6 +1097,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4-multigroup + name: project-v4-multigroup-example.com-wordpress-admin-role +rules: +- apiGroups: + - example.com.testproject.org + resources: + - wordpresses + verbs: + - '*' +- apiGroups: + - example.com.testproject.org + resources: + - wordpresses/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize @@ -1084,6 +1168,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4-multigroup + name: project-v4-multigroup-fiz-bar-admin-role +rules: +- apiGroups: + - fiz.testproject.org + resources: + - bars + verbs: + - '*' +- apiGroups: + - fiz.testproject.org + resources: + - bars/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize @@ -1134,6 +1239,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4-multigroup + name: project-v4-multigroup-foo-bar-admin-role +rules: +- apiGroups: + - foo.testproject.org + resources: + - bars + verbs: + - '*' +- apiGroups: + - foo.testproject.org + resources: + - bars/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize 
@@ -1184,6 +1310,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4-multigroup + name: project-v4-multigroup-foo.policy-healthcheckpolicy-admin-role +rules: +- apiGroups: + - foo.policy.testproject.org + resources: + - healthcheckpolicies + verbs: + - '*' +- apiGroups: + - foo.policy.testproject.org + resources: + - healthcheckpolicies/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize @@ -1509,6 +1656,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4-multigroup + name: project-v4-multigroup-sea-creatures-kraken-admin-role +rules: +- apiGroups: + - sea-creatures.testproject.org + resources: + - krakens + verbs: + - '*' +- apiGroups: + - sea-creatures.testproject.org + resources: + - krakens/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize @@ -1559,6 +1727,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4-multigroup + name: project-v4-multigroup-sea-creatures-leviathan-admin-role +rules: +- apiGroups: + - sea-creatures.testproject.org + resources: + - leviathans + verbs: + - '*' +- apiGroups: + - sea-creatures.testproject.org + resources: + - leviathans/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize 
@@ -1609,6 +1798,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4-multigroup + name: project-v4-multigroup-ship-cruiser-admin-role +rules: +- apiGroups: + - ship.testproject.org + resources: + - cruisers + verbs: + - '*' +- apiGroups: + - ship.testproject.org + resources: + - cruisers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize @@ -1659,6 +1869,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4-multigroup + name: project-v4-multigroup-ship-destroyer-admin-role +rules: +- apiGroups: + - ship.testproject.org + resources: + - destroyers + verbs: + - '*' +- apiGroups: + - ship.testproject.org + resources: + - destroyers/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize @@ -1709,6 +1940,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4-multigroup + name: project-v4-multigroup-ship-frigate-admin-role +rules: +- apiGroups: + - ship.testproject.org + resources: + - frigates + verbs: + - '*' +- apiGroups: + - ship.testproject.org + resources: + - frigates/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize diff --git a/testdata/project-v4-with-plugins/config/rbac/busybox_admin_role.yaml b/testdata/project-v4-with-plugins/config/rbac/busybox_admin_role.yaml new file mode 100644 index 00000000000..07bb7ff7d35 --- /dev/null +++ b/testdata/project-v4-with-plugins/config/rbac/busybox_admin_role.yaml 
@@ -0,0 +1,27 @@ +# This rule is not used by the project project-v4-with-plugins itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over example.com.testproject.org. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: project-v4-with-plugins + app.kubernetes.io/managed-by: kustomize + name: busybox-admin-role +rules: +- apiGroups: + - example.com.testproject.org + resources: + - busyboxes + verbs: + - '*' +- apiGroups: + - example.com.testproject.org + resources: + - busyboxes/status + verbs: + - get diff --git a/testdata/project-v4-with-plugins/config/rbac/busybox_editor_role.yaml b/testdata/project-v4-with-plugins/config/rbac/busybox_editor_role.yaml index cce1597dd9b..fd0ccc919f8 100644 --- a/testdata/project-v4-with-plugins/config/rbac/busybox_editor_role.yaml +++ b/testdata/project-v4-with-plugins/config/rbac/busybox_editor_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to edit busyboxes. +# This rule is not used by the project project-v4-with-plugins itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the example.com.testproject.org. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4-with-plugins/config/rbac/busybox_viewer_role.yaml b/testdata/project-v4-with-plugins/config/rbac/busybox_viewer_role.yaml index 9ff4ba57069..a6fca84da1c 100644 --- a/testdata/project-v4-with-plugins/config/rbac/busybox_viewer_role.yaml 
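Review bot: The header comment of busybox_admin_role.yaml claims more than the rules grant: the two rules give `'*'` on `busyboxes` and `get` on `busyboxes/status` only, not "full permissions over example.com.testproject.org", and nothing here touches Roles or RoleBindings, so "users authorized to modify roles and bindings within the cluster, enabling them to delegate specific permissions" describes a capability this ClusterRole does not confer (whether a binder may delegate is decided by the binder's own RBAC permissions and the API server's escalation checks, not by this object). Suggest the comment state the real scope, e.g. `# Grants all verbs ('*') on busyboxes in the example.com.testproject.org API group and get on busyboxes/status.` followed by `# It does not grant any permission on Roles, RoleBindings or other RBAC objects.`. Consider also listing the verbs explicitly instead of `'*'`, so audits and policy tooling can see what is granted without resolving a wildcard that will silently include any verb added to the API later. The same header text is in memcached_admin_role.yaml, wordpress_admin_role.yaml, admiral_admin_role.yaml, captain_admin_role.yaml, firstmate_admin_role.yaml and the tutorial's cronjob_admin_role.yaml, so the fix belongs in the scaffold template rather than in each testdata copy.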
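Review bot: The rewritten header of busybox_editor_role.yaml has two wording slips that will be copied into every scaffolded project: "not used by the project project-v4-with-plugins itself" doubles the word "project" (the template evidently prefixes "project " to the project name), and "within the example.com.testproject.org." ends on the group name without a noun. Suggest `# This rule is not used by the project-v4-with-plugins project itself.` and `# Grants permissions to create, update, and delete resources in the example.com.testproject.org API group.`. The rules section of this document is outside the hunk, so whether the comment's verb list matches the rules cannot be checked here. The same two slips appear in every editor and viewer header on this page (ship_frigate, memcached, wordpress, admiral, captain, firstmate).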
+++ b/testdata/project-v4-with-plugins/config/rbac/busybox_viewer_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to view busyboxes. +# This rule is not used by the project project-v4-with-plugins itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to example.com.testproject.org resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4-with-plugins/config/rbac/kustomization.yaml b/testdata/project-v4-with-plugins/config/rbac/kustomization.yaml index db14c45b3f7..c4309d1a86b 100644 --- a/testdata/project-v4-with-plugins/config/rbac/kustomization.yaml +++ b/testdata/project-v4-with-plugins/config/rbac/kustomization.yaml @@ -18,14 +18,17 @@ resources: - metrics_auth_role.yaml - metrics_auth_role_binding.yaml - metrics_reader_role.yaml -# For each CRD, "Editor" and "Viewer" roles are scaffolded by +# For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are -# not used by the Project itself. You can comment the following lines +# not used by the {{ .ProjectName }} itself. You can comment the following lines # if you do not want those helpers be installed with your Project. +- wordpress_admin_role.yaml - wordpress_editor_role.yaml - wordpress_viewer_role.yaml +- busybox_admin_role.yaml - busybox_editor_role.yaml - busybox_viewer_role.yaml +- memcached_admin_role.yaml - memcached_editor_role.yaml - memcached_viewer_role.yaml diff --git a/testdata/project-v4-with-plugins/config/rbac/memcached_admin_role.yaml b/testdata/project-v4-with-plugins/config/rbac/memcached_admin_role.yaml new file mode 100644 index 00000000000..43ec92e6219 --- /dev/null 
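Review bot: The new comment line in config/rbac/kustomization.yaml, `# not used by the {{ .ProjectName }} itself.`, carries an unrendered template placeholder into generated test data; the role files in the same commit render the name (`project-v4-with-plugins`), so this line appears to be written by a path that does not go through the template engine. Either route it through the renderer or keep a fixed word as the removed line did, e.g. `# not used by the Project itself. You can comment the following lines`. The same placeholder is in testdata/project-v4/config/rbac/kustomization.yaml, and presumably in the tutorial copy too, since all three are scaffold output.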
+++ b/testdata/project-v4-with-plugins/config/rbac/memcached_admin_role.yaml @@ -0,0 +1,27 @@ +# This rule is not used by the project project-v4-with-plugins itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over example.com.testproject.org. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: project-v4-with-plugins + app.kubernetes.io/managed-by: kustomize + name: memcached-admin-role +rules: +- apiGroups: + - example.com.testproject.org + resources: + - memcacheds + verbs: + - '*' +- apiGroups: + - example.com.testproject.org + resources: + - memcacheds/status + verbs: + - get diff --git a/testdata/project-v4-with-plugins/config/rbac/memcached_editor_role.yaml b/testdata/project-v4-with-plugins/config/rbac/memcached_editor_role.yaml index 37feccf6a64..0c6d0e41d95 100644 --- a/testdata/project-v4-with-plugins/config/rbac/memcached_editor_role.yaml +++ b/testdata/project-v4-with-plugins/config/rbac/memcached_editor_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to edit memcacheds. +# This rule is not used by the project project-v4-with-plugins itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the example.com.testproject.org. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4-with-plugins/config/rbac/memcached_viewer_role.yaml b/testdata/project-v4-with-plugins/config/rbac/memcached_viewer_role.yaml index 655f7986162..551375675ae 100644 
--- a/testdata/project-v4-with-plugins/config/rbac/memcached_viewer_role.yaml +++ b/testdata/project-v4-with-plugins/config/rbac/memcached_viewer_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to view memcacheds. +# This rule is not used by the project project-v4-with-plugins itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to example.com.testproject.org resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4-with-plugins/config/rbac/wordpress_admin_role.yaml b/testdata/project-v4-with-plugins/config/rbac/wordpress_admin_role.yaml new file mode 100644 index 00000000000..b8dd02ea2b4 --- /dev/null +++ b/testdata/project-v4-with-plugins/config/rbac/wordpress_admin_role.yaml @@ -0,0 +1,27 @@ +# This rule is not used by the project project-v4-with-plugins itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over example.com.testproject.org. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: project-v4-with-plugins + app.kubernetes.io/managed-by: kustomize + name: wordpress-admin-role +rules: +- apiGroups: + - example.com.testproject.org + resources: + - wordpresses + verbs: + - '*' +- apiGroups: + - example.com.testproject.org + resources: + - wordpresses/status + verbs: + - get 
diff --git a/testdata/project-v4-with-plugins/config/rbac/wordpress_editor_role.yaml b/testdata/project-v4-with-plugins/config/rbac/wordpress_editor_role.yaml index 8054f6a57d8..7b8c2be3568 100644 --- a/testdata/project-v4-with-plugins/config/rbac/wordpress_editor_role.yaml +++ b/testdata/project-v4-with-plugins/config/rbac/wordpress_editor_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to edit wordpresses. +# This rule is not used by the project project-v4-with-plugins itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the example.com.testproject.org. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4-with-plugins/config/rbac/wordpress_viewer_role.yaml b/testdata/project-v4-with-plugins/config/rbac/wordpress_viewer_role.yaml index deca0bd8593..8b2acc33432 100644 --- a/testdata/project-v4-with-plugins/config/rbac/wordpress_viewer_role.yaml +++ b/testdata/project-v4-with-plugins/config/rbac/wordpress_viewer_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to view wordpresses. +# This rule is not used by the project project-v4-with-plugins itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to example.com.testproject.org resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4-with-plugins/dist/install.yaml b/testdata/project-v4-with-plugins/dist/install.yaml index 8dbf5ac23bf..8803932b4a6 100644 --- a/testdata/project-v4-with-plugins/dist/install.yaml 
+++ b/testdata/project-v4-with-plugins/dist/install.yaml @@ -398,6 +398,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4-with-plugins + name: project-v4-with-plugins-busybox-admin-role +rules: +- apiGroups: + - example.com.testproject.org + resources: + - busyboxes + verbs: + - '*' +- apiGroups: + - example.com.testproject.org + resources: + - busyboxes/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize @@ -513,6 +534,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4-with-plugins + name: project-v4-with-plugins-memcached-admin-role +rules: +- apiGroups: + - example.com.testproject.org + resources: + - memcacheds + verbs: + - '*' +- apiGroups: + - example.com.testproject.org + resources: + - memcacheds/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize @@ -591,6 +633,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4-with-plugins + name: project-v4-with-plugins-wordpress-admin-role +rules: +- apiGroups: + - example.com.testproject.org + resources: + - wordpresses + verbs: + - '*' +- apiGroups: + - example.com.testproject.org + resources: + - wordpresses/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize diff --git a/testdata/project-v4/config/rbac/admiral_admin_role.yaml b/testdata/project-v4/config/rbac/admiral_admin_role.yaml new file mode 100644 index 00000000000..07e60c1b1cb --- /dev/null 
+++ b/testdata/project-v4/config/rbac/admiral_admin_role.yaml @@ -0,0 +1,27 @@ +# This rule is not used by the project project-v4 itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over crew.testproject.org. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: project-v4 + app.kubernetes.io/managed-by: kustomize + name: admiral-admin-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - admirales + verbs: + - '*' +- apiGroups: + - crew.testproject.org + resources: + - admirales/status + verbs: + - get diff --git a/testdata/project-v4/config/rbac/admiral_editor_role.yaml b/testdata/project-v4/config/rbac/admiral_editor_role.yaml index ab77210de89..b4fd7579b3d 100644 --- a/testdata/project-v4/config/rbac/admiral_editor_role.yaml +++ b/testdata/project-v4/config/rbac/admiral_editor_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to edit admirales. +# This rule is not used by the project project-v4 itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the crew.testproject.org. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4/config/rbac/admiral_viewer_role.yaml b/testdata/project-v4/config/rbac/admiral_viewer_role.yaml index cc0da99283e..dd23b9ef5d6 100644 --- a/testdata/project-v4/config/rbac/admiral_viewer_role.yaml +++ b/testdata/project-v4/config/rbac/admiral_viewer_role.yaml 
@@ -1,4 +1,10 @@ -# permissions for end users to view admirales. +# This rule is not used by the project project-v4 itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to crew.testproject.org resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4/config/rbac/captain_admin_role.yaml b/testdata/project-v4/config/rbac/captain_admin_role.yaml new file mode 100644 index 00000000000..01bc6862fac --- /dev/null +++ b/testdata/project-v4/config/rbac/captain_admin_role.yaml @@ -0,0 +1,27 @@ +# This rule is not used by the project project-v4 itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over crew.testproject.org. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: project-v4 + app.kubernetes.io/managed-by: kustomize + name: captain-admin-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - captains + verbs: + - '*' +- apiGroups: + - crew.testproject.org + resources: + - captains/status + verbs: + - get diff --git a/testdata/project-v4/config/rbac/captain_editor_role.yaml b/testdata/project-v4/config/rbac/captain_editor_role.yaml index dcb399027ca..e66a49bbdba 100644 --- a/testdata/project-v4/config/rbac/captain_editor_role.yaml +++ b/testdata/project-v4/config/rbac/captain_editor_role.yaml 
@@ -1,4 +1,10 @@ -# permissions for end users to edit captains. +# This rule is not used by the project project-v4 itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the crew.testproject.org. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4/config/rbac/captain_viewer_role.yaml b/testdata/project-v4/config/rbac/captain_viewer_role.yaml index 6be9174d58c..56044b9615f 100644 --- a/testdata/project-v4/config/rbac/captain_viewer_role.yaml +++ b/testdata/project-v4/config/rbac/captain_viewer_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to view captains. +# This rule is not used by the project project-v4 itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to crew.testproject.org resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4/config/rbac/firstmate_admin_role.yaml b/testdata/project-v4/config/rbac/firstmate_admin_role.yaml new file mode 100644 index 00000000000..bf0dcb7aec7 --- /dev/null +++ b/testdata/project-v4/config/rbac/firstmate_admin_role.yaml 
@@ -0,0 +1,27 @@ +# This rule is not used by the project project-v4 itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants full permissions ('*') over crew.testproject.org. +# This role is intended for users authorized to modify roles and bindings within the cluster, +# enabling them to delegate specific permissions to other users or groups as needed. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: project-v4 + app.kubernetes.io/managed-by: kustomize + name: firstmate-admin-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - firstmates + verbs: + - '*' +- apiGroups: + - crew.testproject.org + resources: + - firstmates/status + verbs: + - get diff --git a/testdata/project-v4/config/rbac/firstmate_editor_role.yaml b/testdata/project-v4/config/rbac/firstmate_editor_role.yaml index 4e39922e64a..fc488edd93a 100644 --- a/testdata/project-v4/config/rbac/firstmate_editor_role.yaml +++ b/testdata/project-v4/config/rbac/firstmate_editor_role.yaml @@ -1,4 +1,10 @@ -# permissions for end users to edit firstmates. +# This rule is not used by the project project-v4 itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants permissions to create, update, and delete resources within the crew.testproject.org. +# This role is intended for users who need to manage these resources +# but should not control RBAC or manage permissions for others. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4/config/rbac/firstmate_viewer_role.yaml b/testdata/project-v4/config/rbac/firstmate_viewer_role.yaml index c17cd0a5237..0366dd81028 100644 --- a/testdata/project-v4/config/rbac/firstmate_viewer_role.yaml +++ b/testdata/project-v4/config/rbac/firstmate_viewer_role.yaml 
@@ -1,4 +1,10 @@ -# permissions for end users to view firstmates. +# This rule is not used by the project project-v4 itself. +# It is provided to allow the cluster admin to help manage permissions for users. +# +# Grants read-only access to crew.testproject.org resources. +# This role is intended for users who need visibility into these resources +# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing. + apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/testdata/project-v4/config/rbac/kustomization.yaml b/testdata/project-v4/config/rbac/kustomization.yaml index b6ac31fc556..ee1ae3d578e 100644 --- a/testdata/project-v4/config/rbac/kustomization.yaml +++ b/testdata/project-v4/config/rbac/kustomization.yaml @@ -18,14 +18,17 @@ resources: - metrics_auth_role.yaml - metrics_auth_role_binding.yaml - metrics_reader_role.yaml -# For each CRD, "Editor" and "Viewer" roles are scaffolded by +# For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by # default, aiding admins in cluster management. Those roles are -# not used by the Project itself. You can comment the following lines +# not used by the {{ .ProjectName }} itself. You can comment the following lines # if you do not want those helpers be installed with your Project. +- admiral_admin_role.yaml - admiral_editor_role.yaml - admiral_viewer_role.yaml +- firstmate_admin_role.yaml - firstmate_editor_role.yaml - firstmate_viewer_role.yaml +- captain_admin_role.yaml - captain_editor_role.yaml - captain_viewer_role.yaml diff --git a/testdata/project-v4/dist/install.yaml b/testdata/project-v4/dist/install.yaml index 984b71745c5..64689773b44 100644 --- a/testdata/project-v4/dist/install.yaml +++ b/testdata/project-v4/dist/install.yaml 
@@ -269,6 +269,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4 + name: project-v4-admiral-admin-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - admirales + verbs: + - '*' +- apiGroups: + - crew.testproject.org + resources: + - admirales/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize @@ -319,6 +340,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4 + name: project-v4-captain-admin-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - captains + verbs: + - '*' +- apiGroups: + - crew.testproject.org + resources: + - captains/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize @@ -369,6 +411,27 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole +metadata: + labels: + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/name: project-v4 + name: project-v4-firstmate-admin-role +rules: +- apiGroups: + - crew.testproject.org + resources: + - firstmates + verbs: + - '*' +- apiGroups: + - crew.testproject.org + resources: + - firstmates/status + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: labels: app.kubernetes.io/managed-by: kustomize