Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add user RBAC to default config #25

Merged
merged 2 commits into from
Jan 31, 2022
Merged

Add user RBAC to default config #25

merged 2 commits into from
Jan 31, 2022

Conversation

glrf
Copy link
Contributor

@glrf glrf commented Jan 28, 2022
edited
Loading

Summary

With this PR for the local environment we

  • Allow any authenticated user to view Zones and create organizations as well es manage created organizations
  • Switch to preferred_username claim from the email

Checklist

  • PR contains a single logical change (to build a better changelog).
  • Categorize the PR by setting a good title and adding one of the labels:
    bug, enhancement, documentation, change, breaking, dependency
    as they show up in the changelog.

@glrf glrf added the change label Jan 28, 2022
@glrf glrf self-assigned this Jan 28, 2022
@glrf glrf requested a review from ccremer January 28, 2022 15:52
ccremer
ccremer approved these changes Jan 28, 2022
View reviewed changes
config/user-rbac/basic-user-role.yml
Comment on lines +12 to +14
- apiGroups: ["appuio.io"]
resources: ["zones"]
verbs: ["get", "watch", "list"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can generate the roles via kubebuilder?
e.g. https://github.com/k8up-io/k8up/blob/7e06b6cdc987c76a5c39755a8b831947869a2ca4/controllers/schedule_controller.go#L28
and maybe even consolidate to default view role? https://github.com/k8up-io/k8up/blob/7e06b6cdc987c76a5c39755a8b831947869a2ca4/config/rbac/consolidated_viewer_role.yaml#L8

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aggregating to view might be a good idea. I'll try that!

I personally wouldn't use kubebuilder for that as it's not a role for the controller.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wait no. We don't actually want to give users the view role 😅 They shouldn't be able to see other resources such as namespaces or pods

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah, right :)

@glrf glrf merged commit 86b152d into master Jan 31, 2022
@glrf glrf deleted the feat/user-rbac branch January 31, 2022 08:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ccremer ccremer ccremer approved these changes

Assignees

@glrf glrf

Labels
change
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@glrf @ccremer