Add metadata flags for name, namespace and annotations
paulbarfuss opened this issue
What would you like to be added:
Add flags to customize:
- Metadata.Name
- Metadata.Namespace
- Metadata.Annotations
Why is this needed:
For the `rbac-tool gen` and `rbac-tool show` commands it would be useful for automation to be able to customize the object metadata during role generation.
For example:
```bash
# Generate a ClusterRole with all the available permissions for core and apps api groups
rbac-tool show \
  --for-groups=,apps \
  --scope namespace \
  --name foo \
  --namespace bar \
  --annotations argocd.argoproj.io/sync-wave=2,rbac.authorization.kubernetes.io/autoupdate=true
```
With these flags it would be possible to generate fully functional roles without having to make modifications to the YAML after running the tool.
@paulbarfuss - HNY and thanks for the above - few questions/comments:
- `gen` command was intended to be used in an automation pipeline and the proposed changes look fine. I would just keep the existing values (for name and namespace) as the default for the CLI options you've added.
- `show` was originally intended to be something that helps a user to better understand the overall cluster permissions and the underlying aspects (verbs, kind, resources, ...) of those permissions. How do you see the `show` command used in an automation workflow?
HNY to you as well @gadinaor
Thank you for having a look! I am going to remove the merge logic on the `show` command as that should be a separate GH issue and may circle back to that at a later date.
The short answer is that I was looking for a way to manage RBAC like `rbac-tool gen` that includes the ability to fine-tune access to subresources.
I will update the name/namespace to match the existing values as well on the open PR as there is some good value in those changes, as long as they don't modify existing behavior with the default values.
Hi @paulbarfuss
Did you have a chance to look into it and update the code?
Hi @gadinaor
I have updated the PR to better maintain the original intent and functionality of the `gen` and `show` commands.
The original thought around using `show` to generate RBAC is to leverage the `generateRulesWithSubResources` function in case a user wanted to define sub-resources. I dropped that added function from the new PR and only included the metadata flags as this would be very useful without introducing any breaking changes, or changing the current default values.
Available in v1.18.0