feat: Role, ClusterRole, RoleBinding, ClusterRoleBinding L2s (#432)
#686
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…432) Fixes #24 Fixes #25 Fixes #26 Fixes #374 Adds Role and ClusterRole L2s with "allowXxx" methods that resemble those available in the AWS CDK. This allows you to write code like: ```ts import * as kplus from 'cdk8s-plus-23'; declare const deployment: kplus.Deployment; const role = new kplus.ClusterRole(chart, 'my-cluster-role'); role.allowRead(deployment, kplus.ApiResource.SECRETS, kplus.ApiResource.PODS); ``` ...where the "read" syntactic sugar grants permissions to the "get", "list", and "watch" commands. There are other allow commands available that offer more granularity if needed. RoleBinding and ClusterRoleBinding L2s have also been created, and they can be instantiated through their constructors, or created using the appropriate bind methods that will attach it to the role automatically: ```ts declare const role: kplus.Role; declare const clusterRole: kplus.ClusterRole; const user = new kplus.User({ name: 'alice@example.com' }); const group = new kplus.Group({ name: 'frontend-devs' }); role.bind(user, group); // creates a RoleBinding associated with the same namespace `role` was defined with clusterRole.bindInNamespace('development', user, group); // creates a RoleBinding associated with namespace "development" clusterRole.bind(user, group); // creates a ClusterRoleBinding, not associated with any namespace ``` Future work: - Add full `pod.grantRead(role)` and `Resources.fromTypes(ApiResource.POD).grantRead(role)` style APIs - Add type checking or validation to prevent adding namespaced resources to ClusterRole or cluster-wide resources to Role's etc. - Add more constants to `ApiResource` for granting permissions to [subresources](https://stackoverflow.com/questions/57872201/how-to-refer-to-all-subresources-in-a-role-definition) - Add convenience APIs for adding permissions to the [default roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings) using `aggregate-to-<default-role>` tags BREAKING CHANGE: The interface `Resources` is now named `ContainerResources`. Signed-off-by: Christopher Rybicki <rybickic@amazon.com> (cherry picked from commit aeaba6e) Signed-off-by: Eli Polonsky <epolon@amazon.com> # Conflicts: # .projen/tasks.json # .projenrc.ts # package.json # src/ingress-v1beta1.ts
⚪ Backport skippedThe pull request was not backported as there were no branches to backport to. If this is a mistake, please apply the desired version labels or run the backport tool manually. Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport
This will backport the following commits from
k8s-22/maintok8s-20/main:Role,ClusterRole,RoleBinding,ClusterRoleBindingL2s (#432)Questions ?
Please refer to the Backport tool documentation