Add RBAC rules

org.openrewrite.kubernetes.rbac.AddRuleToRole

Add RBAC rules to ClusterRoles or namespaced Roles.

Source

GitHub, Issue Tracker, Maven Central

  • groupId: org.openrewrite.recipe
  • artifactId: rewrite-kubernetes
  • version: 2.0.1

Options

| Type | Name | Description |
| --- | --- | --- |
| String | rbacResourceType | Type of RBAC resource to which this recipe adds a rule. |
| String | rbacResourceName | Glob pattern of the name of the RBAC resource to which this recipe adds a rule. |
| Set | apiGroups | Comma-separated list of API groups to which this rule refers. |
| Set | resources | Comma-separated list of Kubernetes resource types to which this rule refers. |
| Set | resourceNames | Optional. Comma-separated list of names of Kubernetes resources to which this rule applies. |
| Set | verbs | The API verbs to enable with this rule. |
| String | fileMatcher | Optional. Matching files will be modified. This is a glob expression. |

Example

Parameters
| Parameter | Value |
| --- | --- |
| rbacResourceType | ClusterRole |
| rbacResourceName | cluster-role |
| apiGroups | Set.of("") |
| resources | Set.of("pods") |
| resourceNames | null |
| verbs | Set.of("update") |
| fileMatcher | null |

{% tabs %} {% tab title="yaml" %}

Before

{% code %}

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: namespaced-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]

{% endcode %}

After

{% code %}

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: namespaced-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["update"]

{% endcode %}

{% endtab %} {% tab title="Diff" %} {% code %}

@@ -19,0 +19,3 @@
  resources: ["pods"]
  verbs: ["list"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["update"]

{% endcode %} {% endtab %} {% endtabs %}
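
Review bot: The rule added at the end of the hunk repeats the `apiGroups: [""]` and `resources: ["pods"]` of the existing rule directly above it and differs only in its verb, so the ClusterRole ends up with two rules where one would do. Folding the verb into the existing rule as `verbs: ["list", "update"]` would keep the manifest shorter to audit. The added rule also carries no `resourceNames`, so if `update` is only needed on specific pods, set that option before applying.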

Usage

This recipe has required configuration parameters. Recipes with required configuration parameters cannot be activated directly. To activate this recipe, you must create a new recipe that fills in the required parameters. In your rewrite.yml, create a new recipe with a unique name, for example com.yourorg.AddRuleToRoleExample. Here's how you can define and customize such a recipe within your rewrite.yml:

{% code title="rewrite.yml" %}

---
type: specs.openrewrite.org/v1beta/recipe
name: com.yourorg.AddRuleToRoleExample
displayName: Add RBAC rules example
recipeList:
  - org.openrewrite.kubernetes.rbac.AddRuleToRole:
      rbacResourceType: ClusterRole
      rbacResourceName: my-cluster-role
      apiGroups: ",v1"  # quoted: a plain YAML scalar cannot begin with a comma
      resources: pods
      resourceNames: my-pod
      verbs: get,list
      fileMatcher: '**/pod-*.yml'

{% endcode %}

Now that com.yourorg.AddRuleToRoleExample has been defined, activate it and take a dependency on org.openrewrite.recipe:rewrite-kubernetes:2.0.1 in your build file:

{% tabs %} {% tab title="Gradle" %} {% code title="build.gradle" %}

plugins {
    id("org.openrewrite.rewrite") version("6.1.4")
}

rewrite {
    activeRecipe("com.yourorg.AddRuleToRoleExample")
}

repositories {
    mavenCentral()
}

dependencies {
    rewrite("org.openrewrite.recipe:rewrite-kubernetes:2.0.1")
}

{% endcode %} {% endtab %} {% tab title="Maven" %} {% code title="pom.xml" %}

<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.openrewrite.maven</groupId>
        <artifactId>rewrite-maven-plugin</artifactId>
        <version>5.2.4</version>
        <configuration>
          <activeRecipes>
            <recipe>com.yourorg.AddRuleToRoleExample</recipe>
          </activeRecipes>
        </configuration>
        <dependencies>
          <dependency>
            <groupId>org.openrewrite.recipe</groupId>
            <artifactId>rewrite-kubernetes</artifactId>
            <version>2.0.1</version>
          </dependency>
        </dependencies>
      </plugin>
    </plugins>
  </build>
</project>

{% endcode %} {% endtab %} {% endtabs %}
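
Because the recipe adds a rule to every RBAC resource of the given type whose name matches a glob, the options deserve a review before the recipe is activated. The following Python check is an added example, not code from the OpenRewrite project; the function names, the finding texts, the set of verbs it flags and the use of `fnmatch` in place of the recipe's own glob matching are assumptions.

```python
import fnmatch

# Verbs that modify objects or widen access; the selection is this example's assumption.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection",
               "escalate", "bind", "impersonate"}


def split_csv(value):
    """Split a comma-separated option value; a missing option gives an empty list."""
    return [] if value is None else [v.strip() for v in str(value).split(",")]


def review_options(opts, known_roles=()):
    """Return review findings for one AddRuleToRole option block.

    known_roles is a list of (kind, name) pairs taken from the manifests in scope.
    """
    findings = []
    kind, name_glob = opts["rbacResourceType"], opts["rbacResourceName"]
    verbs = split_csv(opts.get("verbs"))
    resources = split_csv(opts.get("resources"))
    names = [n for n in split_csv(opts.get("resourceNames")) if n]

    if any(c in name_glob for c in "*?["):
        # fnmatch stands in for the recipe's own glob matching (assumption).
        hits = sorted(n for k, n in known_roles
                      if k == kind and fnmatch.fnmatchcase(n, name_glob))
        findings.append(f"rbacResourceName {name_glob!r} is a glob matching {hits}")
    for field, values in (("apiGroups", split_csv(opts.get("apiGroups"))),
                          ("resources", resources), ("verbs", verbs)):
        if "*" in values:
            findings.append(f"{field} contains the wildcard '*'")
    risky = sorted(WRITE_VERBS.intersection(verbs))
    if risky and not names:
        findings.append(f"{risky} on {resources} is not limited by resourceNames")
    if not opts.get("fileMatcher"):
        findings.append("no fileMatcher, so the change is not limited to specific files")
    return findings


# Constructed inputs: the Example section's options and a deliberately broad variant.
ROLES = [("Role", "namespaced-role"), ("ClusterRole", "cluster-role")]
PAGE_EXAMPLE = {"rbacResourceType": "ClusterRole", "rbacResourceName": "cluster-role",
                "apiGroups": "", "resources": "pods", "resourceNames": None,
                "verbs": "update", "fileMatcher": None}
BROAD = dict(PAGE_EXAMPLE, rbacResourceName="*-role", verbs="*",
             fileMatcher="**/rbac-*.yml")

if __name__ == "__main__":
    for label, opts in (("page example", PAGE_EXAMPLE), ("broad variant", BROAD)):
        print(label, "->", review_options(opts, ROLES))
```

The options from the rewrite.yml above (read-only verbs, a `resourceNames` entry, a literal role name and a `fileMatcher`) produce no findings.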

See how this recipe works across multiple open-source repositories

The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.

Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.