- Story
- Resolution: Done
- Major
- ACM 2.14.0
- Product / Portfolio Work
- 3
- False
- False
- Workload Mgmt Train 25 - 1, Workload Mgmt Train 26 - 1, Workload Mgmt Train 26 - 2, Workload Mgmt Train 27 - 1
- None
Value Statement
The current ClusterPermission requires users to create a new Role, which is limiting when users want to reuse existing Roles/ClusterRoles. This limitation is blocking the server foundation team's work with CNV.
Definition of Done for Engineering Story Owner (Checklist)
- ...
apiVersion: rbac.open-cluster-management.io/v1alpha1
kind: ClusterPermission
metadata:
  name: clusterpermission-msa-subject-sample
  namespace: cluster1
spec:
  roles:
  - namespace: default
    rules:
    - apiGroups: ["apps"]
      resources: ["deployments"]
      verbs: ["get", "list", "create", "update", "delete"]
    - apiGroups: [""]
      resources: ["configmaps", "secrets", "pods", "podtemplates", "persistentvolumeclaims", "persistentvolumes"]
      verbs: ["get", "update", "list", "create", "delete"]
    - apiGroups: ["storage.k8s.io"]
      resources: ["*"]
      verbs: ["list"]
  - namespace: mortgage
    rules:
    - apiGroups: ["apps"]
      resources: ["deployments"]
      verbs: ["get", "list", "create", "update", "delete"]
    - apiGroups: [""]
      resources: ["configmaps", "secrets", "pods", "services", "namespace"]
      verbs: ["get", "update", "list", "create", "delete"]
  clusterRole:
    rules:
    - apiGroups: ["*"]
      resources: ["*"]
      verbs: ["get", "list"]
  roleBindings:
  - namespace: default
    roleRef:
      kind: Role
    subject:
      apiGroup: authentication.open-cluster-management.io
      kind: ManagedServiceAccount
      name: managed-sa-sample
  - namespace: mortgage
    roleRef:
      kind: Role
    subject:
      apiGroup: authentication.open-cluster-management.io
      kind: ManagedServiceAccount
      name: managed-sa-sample
  clusterRoleBinding:
    subject:
      apiGroup: authentication.open-cluster-management.io
      kind: ManagedServiceAccount
      name: managed-sa-sample
---
apiVersion: rbac.open-cluster-management.io/v1alpha1
kind: ClusterPermission
metadata:
  name: clusterpermission-msa-subject-sample
  namespace: cluster1
spec:
  roleBindings:
  - namespace: default
    name: <>
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: argocd-application-controller-1
    subject:
      apiGroup: authentication.open-cluster-management.io
      kind: ManagedServiceAccount
      name: managed-sa-sample
  - namespace: mortgage
    name: <>
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: argocd-application-controller-2
      namespace: <if the role ns not in the same rolebinding NS, return error>
    subject:
      apiGroup: authentication.open-cluster-management.io
      kind: ManagedServiceAccount
      name: managed-sa-sample
  clusterRoleBinding:
    name: <>
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: argocd-application-controller-3
    subject:
      apiGroup: authentication.open-cluster-management.io
      kind: ManagedServiceAccount
      name: managed-sa-sample
Above, the old ClusterPermission (top) is shown next to the new ClusterPermission (bottom).
- For roleBindings/clusterRoleBinding, users can provide an optional name if they don't want to use the default ClusterPermission name.
- For clusterRoleBinding, roleRef is added to specify an existing ClusterRole; the namespace field is ignored if provided.
- For roleBindings, apiGroup, name and namespace (optional) are added to roleRef so it can point at an existing Role or ClusterRole.
- The specified Roles or ClusterRoles must already exist.
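The validation rules listed above, as an added example that is not the project's own code: the struct types are a hypothetical, simplified mirror of the new roleBindings fields, and the "existing" set stands in for a lookup of Roles/ClusterRoles on the managed cluster.

```go
package main

import "fmt"

// Hypothetical, simplified mirrors of the new ClusterPermission roleBindings
// fields shown on the ticket; these are NOT the project's real API types.
type RoleRef struct {
	APIGroup  string
	Kind      string // "Role" or "ClusterRole"
	Name      string
	Namespace string // optional; only meaningful when Kind is "Role"
}
type RoleBinding struct {
	Namespace string // namespace the RoleBinding is created in
	Name      string // optional; defaults to the ClusterPermission name
	RoleRef   RoleRef
}

// ValidateRoleBinding applies the ticket's rules to one roleBindings entry and
// returns the effective binding name. "existing" is the set of roles known on
// the managed cluster, keyed "Role/<ns>/<name>" or "ClusterRole/<name>".
func ValidateRoleBinding(cpName string, rb RoleBinding, existing map[string]bool) (string, error) {
	ref := rb.RoleRef
	if ref.APIGroup != "rbac.authorization.k8s.io" {
		return "", fmt.Errorf("roleRef.apiGroup %q is not rbac.authorization.k8s.io", ref.APIGroup)
	}
	var key string
	switch ref.Kind {
	case "Role":
		// A Role can only be bound inside its own namespace.
		if ref.Namespace != "" && ref.Namespace != rb.Namespace {
			return "", fmt.Errorf("role %q is in namespace %q, but the binding is in %q",
				ref.Name, ref.Namespace, rb.Namespace)
		}
		key = "Role/" + rb.Namespace + "/" + ref.Name
	case "ClusterRole":
		// ClusterRoles are cluster-scoped; any namespace on the roleRef is ignored.
		key = "ClusterRole/" + ref.Name
	default:
		return "", fmt.Errorf("unsupported roleRef.kind %q", ref.Kind)
	}
	if !existing[key] { // the referenced role must already exist
		return "", fmt.Errorf("%s %q not found", ref.Kind, ref.Name)
	}
	if rb.Name == "" {
		return cpName, nil
	}
	return rb.Name, nil
}
```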
Development Complete
- The code is complete.
- Functionality is working.
- Any required downstream Docker file changes are made.
Tests Automated
- [ ] Unit/function tests have been automated and incorporated into the build.
- [ ] 100% automated unit/function test coverage for new or changed APIs.
Secure Design
- [ ] Security has been assessed and incorporated into your threat model.
Multidisciplinary Teams Readiness
- [ ] Create an informative documentation issue using the Customer Portal Doc template that you can access from [The Playbook]( and ensure doc acceptance criteria are met.
- Call out this sentence as its own action:
- [ ] Link the development issue to the doc issue.
Support Readiness
- [ ] The must-gather script has been updated.
- is documented by: ACM-19607 Doc ClusterPermission existing role support (Closed)