From 9f5f8f355a9abb3c8716b7e03b6fcdd5aeba31e3 Mon Sep 17 00:00:00 2001
From: Lars Kellogg-Stedman
Date: Tue, 22 Oct 2024 11:04:39 -0400
Subject: [PATCH] Extend project-robbie RBAC across all project-robbie projects
Configure consistent RBAC in all project-robbie namespaces:
- project-robbie-6f75ac
- project-robbie-8dd79e
- project-robbie-b4784c
These changes included custom configuration for the Kustomize namespace transformer so that it will update the namespace for all subjects listed in the RoleBindings. See [1] for an example configuration, and [2] for what passes for documentation.
[1]: https://github.com/kubernetes-sigs/kustomize/issues/629#issuecomment-1219337039
[2]: https://github.com/kubernetes-sigs/kustomize/pull/4704
---
 .../rolebindings/kustomization.yaml | 2 ++
 .../project-robbie-6f75ac/kustomization.yaml | 16 ++++++++++++++++
 .../project-robbie-allow-sys-admin.yaml | 11 +++++++++++
 .../project-robbie-8dd79e/kustomization.yaml | 16 ++++++++++++++++
 .../project-robbie-allow-sys-admin.yaml | 11 +++++++++++
 .../project-robbie-b4784c/kustomization.yaml | 13 ++++++++++++-
 .../project-robbie-allow-sys-admin.yaml | 1 -
 7 files changed, 68 insertions(+), 2 deletions(-)
 create mode 100644 cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-6f75ac/kustomization.yaml
 create mode 100644 cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-6f75ac/project-robbie-allow-sys-admin.yaml
 create mode 100644 cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-8dd79e/kustomization.yaml
 create mode 100644 cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-8dd79e/project-robbie-allow-sys-admin.yaml
diff --git a/cluster-scope/overlays/nerc-ocp-prod/rolebindings/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-prod/rolebindings/kustomization.yaml
index 061ef791..f7817294 100644
--- a/cluster-scope/overlays/nerc-ocp-prod/rolebindings/kustomization.yaml
+++ b/cluster-scope/overlays/nerc-ocp-prod/rolebindings/kustomization.yaml
@@ -1,4 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- project-robbie-6f75ac
+- project-robbie-8dd79e
 - project-robbie-b4784c
diff --git a/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-6f75ac/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-6f75ac/kustomization.yaml
new file mode 100644
index 00000000..0f3991dc
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-6f75ac/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- project-robbie-allow-sys-admin.yaml
+
+transformers:
+- |-
+ apiVersion: builtin
+ kind: NamespaceTransformer
+ metadata:
+ name: notImportantHere
+ namespace: project-robbie-6f75ac
+ setRoleBindingSubjects: allServiceAccounts
+ fieldSpecs:
+ - path: metadata/namespace
+ create: true
diff --git a/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-6f75ac/project-robbie-allow-sys-admin.yaml b/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-6f75ac/project-robbie-allow-sys-admin.yaml
new file mode 100644
index 00000000..97a2030f
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-6f75ac/project-robbie-allow-sys-admin.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: project-robbie-allow-sys-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: nerc-allow-sys-admin
+subjects:
+- kind: ServiceAccount
+ name: robbie-job-runner
diff --git a/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-8dd79e/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-8dd79e/kustomization.yaml
new file mode 100644
index 00000000..f70cb6f2
--- /dev/null
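Review bot: In the project-robbie-6f75ac kustomization the namespace in which the `nerc-allow-sys-admin` grant lands is decided solely by the `namespace:` string inside the inline NamespaceTransformer, and the identical block is repeated with only that string changed in the project-robbie-8dd79e and project-robbie-b4784c kustomizations; nothing in the patch ties the value to the directory name, so a copy-paste slip would bind the service account in whichever namespace the string happens to name. A comment above `transformers:` would make the coupling explicit, for example `# namespace below must match this directory: it is written to metadata.namespace of every resource and, via setRoleBindingSubjects, to every ServiceAccount subject of the RoleBinding`, and if the repository has a CI build step, comparing the rendered RoleBinding's namespace against the directory name there would catch a mismatch before it is applied. As far as I can tell from the kustomize PR cited in the commit message, `setRoleBindingSubjects: allServiceAccounts` is broader than the default, which only rewrites subjects named `default`; that is fine for the single subject here, but a subject that lives in another namespace would be silently re-pointed to this one if it were ever added, which is worth noting in the same comment.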
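Review bot: The new project-robbie-6f75ac RoleBinding carries neither `metadata.namespace` nor a namespace on its ServiceAccount subject, so read on its own, or applied directly without going through kustomize, it does not say where the sys-admin grant goes; the same holds for the project-robbie-8dd79e copy and, after this commit, for the project-robbie-b4784c one. A one-line comment would spare the next reader the trip to kustomization.yaml: `# namespace is intentionally omitted; the NamespaceTransformer in kustomization.yaml sets both metadata.namespace and the ServiceAccount subject's namespace`. If I recall RBAC validation correctly, the API server rejects a ServiceAccount subject with an empty namespace, so a missing or non-functional transformer should fail the apply rather than bind somewhere unexpected, but that is worth confirming against the kustomize version in use. The ClusterRole `nerc-allow-sys-admin` itself is outside this patch, so what the binding actually grants cannot be checked here.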
+++ b/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-8dd79e/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- project-robbie-allow-sys-admin.yaml
+
+transformers:
+- |-
+ apiVersion: builtin
+ kind: NamespaceTransformer
+ metadata:
+ name: notImportantHere
+ namespace: project-robbie-8dd79e
+ setRoleBindingSubjects: allServiceAccounts
+ fieldSpecs:
+ - path: metadata/namespace
+ create: true
diff --git a/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-8dd79e/project-robbie-allow-sys-admin.yaml b/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-8dd79e/project-robbie-allow-sys-admin.yaml
new file mode 100644
index 00000000..97a2030f
--- /dev/null
+++ b/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-8dd79e/project-robbie-allow-sys-admin.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: project-robbie-allow-sys-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: nerc-allow-sys-admin
+subjects:
+- kind: ServiceAccount
+ name: robbie-job-runner
diff --git a/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-b4784c/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-b4784c/kustomization.yaml
index 54a4247f..afca9c38 100644
--- a/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-b4784c/kustomization.yaml
+++ b/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-b4784c/kustomization.yaml
@@ -1,5 +1,16 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: project-robbie-b4784c
 resources:
 - project-robbie-allow-sys-admin.yaml
+
+transformers:
+- |-
+ apiVersion: builtin
+ kind: NamespaceTransformer
+ metadata:
+ name: notImportantHere
+ namespace: project-robbie-b4784c
+ setRoleBindingSubjects: allServiceAccounts
+ fieldSpecs:
+ - path: metadata/namespace
+ create: true
diff --git a/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-b4784c/project-robbie-allow-sys-admin.yaml b/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-b4784c/project-robbie-allow-sys-admin.yaml
index de3e4cc2..97a2030f 100644
--- a/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-b4784c/project-robbie-allow-sys-admin.yaml
+++ b/cluster-scope/overlays/nerc-ocp-prod/rolebindings/project-robbie-b4784c/project-robbie-allow-sys-admin.yaml
@@ -8,5 +8,4 @@ roleRef:
 name: nerc-allow-sys-admin
 subjects:
 - kind: ServiceAccount
- namespace: project-robbie-b4784c
 name: robbie-job-runner