alcideio / rbac-tool

Rapid7 | insightCloudSec | Kubernetes RBAC Power Toys - Visualize, Analyze, Generate & Query

Add metadata flags for name, namespace and annotations

paulbarfuss opened this issue · comments

What would you like to be added:

Add flags to customize:

  • Metadata.Name
  • Metadata.Namespace
  • Metadata.Annotations

Why is this needed:

For the rbac-tool gen and rbac-tool show commands it would be useful for automation to be able to customize the object metadata during role generation.

For example:

# Generate a ClusterRole with all the available permissions for core and apps api groups
rbac-tool show \
  --for-groups=,apps \
  --scope namespace \
  --name foo \
  --namespace bar \
  --annotations argocd.argoproj.io/sync-wave=2,rbac.authorization.kubernetes.io/autoupdate=true

With these flags it would be possible to generate fully functional roles without having to make modifications to the YAML after running the tool.
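As an added illustration of what the requested flags would do (this is not rbac-tool's own code), the following Python applies the same `--name`, `--namespace` and `--annotations` values to a Role or ClusterRole manifest after generation, parsing the `key=value,key=value` form used in the command above. The manifest shape (a dict mirroring the YAML rbac-tool emits) and the validation rules are assumptions: annotation keys are checked against a simplified version of the Kubernetes prefix/name format, and setting a namespace on a cluster-scoped ClusterRole is rejected rather than silently written.

```python
"""Post-generation metadata customization for RBAC manifests.

Added example, not rbac-tool code. It assumes the manifest is a plain dict with
apiVersion/kind/metadata/rules, which is what the tool's YAML parses to.
"""
import re
from typing import Any, Dict, Optional

# Simplified Kubernetes name rules (assumed here, not the full apimachinery validator):
# - annotation key: optional DNS-subdomain prefix + "/" + name (name <= 63 chars)
# - object name: DNS subdomain (<= 253 chars); namespace: DNS label (<= 63 chars)
_NAME_PART = re.compile(r"^[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$")
_DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")
_DNS_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
)


def valid_annotation_key(key: str) -> bool:
    """Return True if key looks like '<dns-subdomain>/<name>' or bare '<name>'."""
    prefix, sep, name = key.rpartition("/")
    if sep and (not prefix or len(prefix) > 253 or not _DNS_SUBDOMAIN.match(prefix)):
        return False
    return bool(_NAME_PART.match(name))


def parse_annotations(spec: str) -> Dict[str, str]:
    """Parse the comma-separated 'key=value' list the proposed --annotations flag takes."""
    result: Dict[str, str] = {}
    for item in filter(None, spec.split(",")):
        if "=" not in item:
            raise ValueError(f"annotation {item!r} is not key=value")
        key, value = item.split("=", 1)
        key = key.strip()
        if not valid_annotation_key(key):
            raise ValueError(f"invalid annotation key {key!r}")
        result[key] = value.strip()
    return result


def apply_metadata(
    manifest: Dict[str, Any],
    name: Optional[str] = None,
    namespace: Optional[str] = None,
    annotations: Optional[Dict[str, str]] = None,
) -> Dict[str, Any]:
    """Return a copy of manifest with name/namespace/annotations applied.

    Existing metadata is kept when a value is not supplied, matching the request
    that defaults leave current behaviour unchanged. Annotations are merged, with
    supplied keys overriding generated ones.
    """
    out = dict(manifest)
    md = dict(out.get("metadata", {}))
    if name is not None:
        if len(name) > 253 or not _DNS_SUBDOMAIN.match(name):
            raise ValueError(f"invalid object name {name!r}")
        md["name"] = name
    if namespace is not None:
        # Design choice for this example: a ClusterRole is cluster-scoped, so a
        # namespace on it is a mistake in the pipeline rather than something to write.
        if out.get("kind") == "ClusterRole":
            raise ValueError("ClusterRole is cluster-scoped; --namespace does not apply")
        if len(namespace) > 63 or not _DNS_LABEL.match(namespace):
            raise ValueError(f"invalid namespace {namespace!r}")
        md["namespace"] = namespace
    if annotations:
        merged = dict(md.get("annotations", {}))
        merged.update(annotations)
        md["annotations"] = merged
    out["metadata"] = md
    return out


# Constructed sample, shaped like a namespaced Role the tool might generate.
SAMPLE_ROLE: Dict[str, Any] = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "generated-role", "namespace": "default"},
    "rules": [{"apiGroups": ["", "apps"], "resources": ["*"], "verbs": ["get", "list"]}],
}

# The annotation string from the command in the issue above.
ISSUE_ANNOTATIONS = (
    "argocd.argoproj.io/sync-wave=2,rbac.authorization.kubernetes.io/autoupdate=true"
)


def customize_sample() -> Dict[str, Any]:
    """Apply the issue's --name/--namespace/--annotations values to SAMPLE_ROLE."""
    return apply_metadata(
        SAMPLE_ROLE, name="foo", namespace="bar", annotations=parse_annotations(ISSUE_ANNOTATIONS)
    )


if __name__ == "__main__":
    import json

    print(json.dumps(customize_sample(), indent=2))
```

Validating the keys before writing them is cheap insurance in a pipeline: a malformed annotation key or an overlong name is rejected by the API server at apply time, which is later and noisier than failing at generation.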

@paulbarfuss - HNY and thanks for the above - a few questions/comments:

  • gen command was intended to be used in an automation pipeline and the proposed changes look fine. I would just keep the existing values (for name and namespace) as the default for the cli options you've added.

  • show was originally intended to be something that helps a user to better understand the overall cluster permissions and the underlying aspects (verbs, kind, resources, ...) of those permissions. How do you see the show command used in an automation workflow?

HNY to you as well @gadinaor

Thank you for having a look! I am going to remove the merge logic on the show command as that should be a separate GH issue and may circle back to that at a later date.

The short answer is that I was looking for a way to manage RBAC like rbac-tool gen that includes the ability to fine tune access to subresources.

I will update the name/namespace to match the existing values as well on the open PR as there is some good value in those changes, as long as they don't modify existing behavior with the default values.

Hi @paulbarfuss

Did you have a chance to look into it and update the code?

Hi @gadinaor

I have updated the PR to better maintain the original intent and functionality of the gen and show commands.

The original thought around using show to generate RBAC is to leverage the generateRulesWithSubResources function in case a user wanted to define sub-resources. I dropped that added function from the new PR and only included the metadata flags as this would be very useful without introducing any breaking changes, or changing the current default values.

Available in v1.18.0