feat(RBAC): Role Aggregation

Signed-off-by: Arthur <[email protected]>
dragonflydb · Jan 18, 2025 · eaf4601 · eaf4601
1 parent 7d94acf
commit eaf4601
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 1 deletion.
diff --git a/charts/dragonfly-operator/templates/roles.yaml b/charts/dragonfly-operator/templates/roles.yaml
@@ -39,4 +39,65 @@ rules:
     verbs:
       - create
       - patch
-
+---
+# permissions for end users to view dragonflies.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "dragonfly-operator.fullname" . }}-viewer-role
+  labels:
+    {{- include "dragonfly-operator.labels" . | nindent 4 }}
+    app.kubernetes.io/component: rbac
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
+  namespace: {{ .Release.Namespace | quote }}
+rules:
+- apiGroups:
+  - dragonflydb.io
+  resources:
+  - dragonflies
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - dragonflydb.io
+  resources:
+  - dragonflies/status
+  verbs:
+  - get
+{{- if .Values.writeAggregateRoles.install }}
+---
+# permissions for end users to edit dragonflies.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "dragonfly-operator.fullname" . }}-editor-role
+  labels:
+    {{- include "dragonfly-operator.labels" . | nindent 4 }}
+    app.kubernetes.io/component: rbac
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  namespace: {{ .Release.Namespace | quote }}
+rules:
+- apiGroups:
+  - dragonflydb.io
+  resources:
+  - dragonflies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - dragonflydb.io
+  resources:
+  - dragonflies/status
+  verbs:
+  - get
+{{- end }}
diff --git a/charts/dragonfly-operator/values.yaml b/charts/dragonfly-operator/values.yaml
@@ -43,6 +43,8 @@ service:
 
 terminationGracePeriodSeconds: 10
 
+writeAggregateRoles: false
+
 rbacProxy:
   image:
     repository: gcr.io/kubebuilder/kube-rbac-proxy

diff --git a/config/rbac/dragonfly_editor_role.yaml b/config/rbac/dragonfly_editor_role.yaml
@@ -9,6 +9,8 @@ metadata:
     app.kubernetes.io/created-by: dragonfly-operator
     app.kubernetes.io/part-of: dragonfly-operator
     app.kubernetes.io/managed-by: kustomize
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: dragonfly-editor-role
 rules:
 - apiGroups:

diff --git a/config/rbac/dragonfly_viewer_role.yaml b/config/rbac/dragonfly_viewer_role.yaml
@@ -9,6 +9,10 @@ metadata:
     app.kubernetes.io/created-by: dragonfly-operator
     app.kubernetes.io/part-of: dragonfly-operator
     app.kubernetes.io/managed-by: kustomize
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
   name: dragonfly-viewer-role
 rules:
 - apiGroups:

diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -16,3 +16,5 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+- dragonfly_viewer_role.yaml
+# - dragonfly_editor_role.yaml