feat: add clusterresources interception configuration #1003

Closed
4 changes: 4 additions & 0 deletions api/v1beta2/owner.go
@@ -3,6 +3,8 @@

package v1beta2

import "github.com/projectcapsule/capsule/pkg/api"

type OwnerSpec struct {
// Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"
Kind OwnerKind `json:"kind"`
@@ -11,6 +13,8 @@ type OwnerSpec struct {
// Defines additional cluster-roles for the specific Owner.
// +kubebuilder:default={admin,capsule-namespace-deleter}
ClusterRoles []string `json:"clusterRoles,omitempty"`
// Defines additional cluster-resources for the specific Owner.
ClusterResources []api.ClusterResource `json:"clusterResources,omitempty"`
// Proxy settings for tenant owner.
ProxyOperations []ProxySettings `json:"proxySettings,omitempty"`
}
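Review bot: the doc comment on the new ClusterResources field ("Defines additional cluster-resources for the specific Owner") does not say what granting an entry does, which matters because this is an access grant. Each api.ClusterResource entry carries apiGroups, resources, operations (List, Update, Delete) and a selector, so state here that an entry allows the owner to perform those operations on cluster-scoped resources matched by the selector, and that anyone able to edit the Tenant's owners can widen that owner's cluster-scoped access through it. Mention the '*' wildcard semantics inherited from the apiGroups/resources descriptions so reviewers of tenant manifests know to treat this field like a cluster-role grant.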
7 changes: 7 additions & 0 deletions api/v1beta2/zz_generated.deepcopy.go


4,466 changes: 2,275 additions & 2,191 deletions charts/capsule/crds/tenant-crd.yaml


86 changes: 86 additions & 0 deletions config/crd/bases/capsule.clastix.io_tenants.yaml
@@ -1976,6 +1976,92 @@ spec:
description: Specifies the owners of the Tenant. Mandatory.
items:
properties:
clusterResources:
description: Defines additional cluster-resources for the specific
Owner.
items:
properties:
apiGroups:
description: APIGroups is the name of the APIGroup that
contains the resources. If multiple API groups are specified,
any action requested against any resource listed will
be allowed. '*' represents all resources. Empty string
represents v1 api resources.
items:
type: string
type: array
operations:
default:
- List
description: Operations which can be executed on the selected
resources.
items:
enum:
- List
- Update
- Delete
type: string
type: array
resources:
description: Resources is a list of resources this rule
applies to. '*' represents all resources.
items:
type: string
type: array
selector:
description: Select all cluster scoped resources with
the given label selector.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In,
NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values
array must be non-empty. If the operator is
Exists or DoesNotExist, the values array must
be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field
is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- apiGroups
- operations
- resources
- selector
type: object
type: array
clusterRoles:
default:
- admin
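Review bot: selector is listed under required, but the schema only requires the key to be present, and neither matchLabels nor matchExpressions is required inside it, so `selector: {}` passes validation. Under Kubernetes label-selector semantics an empty LabelSelector matches every object, so such a rule would grant the listed operations on all cluster-scoped resources of the named apiGroups/resources, which may themselves be '*'. Either add a validation that at least one of matchLabels or matchExpressions is set (for example `minProperties: 1` on the selector object, or the equivalent kubebuilder marker on the Go type so the generated copies stay consistent), or state explicitly in the selector description that an empty selector selects everything.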
63 changes: 63 additions & 0 deletions config/install.yaml
@@ -1807,6 +1807,69 @@ spec:
description: Specifies the owners of the Tenant. Mandatory.
items:
properties:
clusterResources:
description: Defines additional cluster-resources for the specific Owner.
items:
properties:
apiGroups:
description: APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources.
items:
type: string
type: array
operations:
default:
- List
description: Operations which can be executed on the selected resources.
items:
enum:
- List
- Update
- Delete
type: string
type: array
resources:
description: Resources is a list of resources this rule applies to. '*' represents all resources.
items:
type: string
type: array
selector:
description: Select all cluster scoped resources with the given label selector.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- apiGroups
- operations
- resources
- selector
type: object
type: array
clusterRoles:
default:
- admin
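Review bot: this generated copy adds the same 63 lines as config/crd/bases/capsule.clastix.io_tenants.yaml, but the chart copy charts/capsule/crds/tenant-crd.yaml shows 2,275 additions and 2,191 deletions for the same schema change, which suggests it was regenerated with a different tool version or formatting. Regenerate the chart CRD with the same generator as the other two copies so the chart diff shows only the clusterResources addition and reviewers can confirm the three copies are identical.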
129 changes: 129 additions & 0 deletions docs/content/general/crds-apis.md
@@ -1489,6 +1489,13 @@ TenantSpec defines the desired state of Tenant.
Name of tenant owner.<br/>
</td>
<td>true</td>
</tr><tr>
<td><b><a href="#tenantspecownersindexclusterresourcesindex">clusterResources</a></b></td>
<td>[]object</td>
<td>
Defines additional cluster-resources for the specific Owner.<br/>
</td>
<td>false</td>
</tr><tr>
<td><b>clusterRoles</b></td>
<td>[]string</td>
@@ -1509,6 +1516,128 @@ TenantSpec defines the desired state of Tenant.
</table>


### Tenant.spec.owners[index].clusterResources[index]





<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody><tr>
<td><b>apiGroups</b></td>
<td>[]string</td>
<td>
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources.<br/>
</td>
<td>true</td>
</tr><tr>
<td><b>operations</b></td>
<td>[]enum</td>
<td>
Operations which can be executed on the selected resources.<br/>
<br/>
<i>Default</i>: [List]<br/>
</td>
<td>true</td>
</tr><tr>
<td><b>resources</b></td>
<td>[]string</td>
<td>
Resources is a list of resources this rule applies to. '*' represents all resources.<br/>
</td>
<td>true</td>
</tr><tr>
<td><b><a href="#tenantspecownersindexclusterresourcesindexselector">selector</a></b></td>
<td>object</td>
<td>
Select all cluster scoped resources with the given label selector.<br/>
</td>
<td>true</td>
</tr></tbody>
</table>


### Tenant.spec.owners[index].clusterResources[index].selector



Select all cluster scoped resources with the given label selector.

<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody><tr>
<td><b><a href="#tenantspecownersindexclusterresourcesindexselectormatchexpressionsindex">matchExpressions</a></b></td>
<td>[]object</td>
<td>
matchExpressions is a list of label selector requirements. The requirements are ANDed.<br/>
</td>
<td>false</td>
</tr><tr>
<td><b>matchLabels</b></td>
<td>map[string]string</td>
<td>
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.<br/>
</td>
<td>false</td>
</tr></tbody>
</table>


### Tenant.spec.owners[index].clusterResources[index].selector.matchExpressions[index]



A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

<table>
<thead>
<tr>
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody><tr>
<td><b>key</b></td>
<td>string</td>
<td>
key is the label key that the selector applies to.<br/>
</td>
<td>true</td>
</tr><tr>
<td><b>operator</b></td>
<td>string</td>
<td>
operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.<br/>
</td>
<td>true</td>
</tr><tr>
<td><b>values</b></td>
<td>[]string</td>
<td>
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.<br/>
</td>
<td>false</td>
</tr></tbody>
</table>


### Tenant.spec.owners[index].proxySettings[index]


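Review bot: the new Tenant.spec.owners[index].clusterResources[index] section has no description paragraph (the selector and matchExpressions sections below it do), because the ClusterResource type in pkg/api/cluster_resource.go carries only the kubebuilder marker and no doc comment. Add a doc comment on the type explaining what a rule grants (the listed operations on cluster-scoped resources matched by the selector) and regenerate this file; the operations row could then also name the permitted values List, Update and Delete that the CRD enum enforces, rather than only showing the default.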
33 changes: 33 additions & 0 deletions pkg/api/cluster_resource.go
@@ -0,0 +1,33 @@
// Copyright 2020-2023 Project Capsule Authors.
// SPDX-License-Identifier: Apache-2.0

package api

import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

// +kubebuilder:validation:Enum=List;Update;Delete
type ClusterResourceOperation string

func (p ClusterResourceOperation) String() string {
return string(p)
}

const (
ClusterResourceOperationList ClusterResourceOperation = "List"
)

// +kubebuilder:object:generate=true
type ClusterResource struct {
// APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources.
APIGroups []string `json:"apiGroups"`

// Resources is a list of resources this rule applies to. '*' represents all resources.
Resources []string `json:"resources"`

// Operations which can be executed on the selected resources.
// +kubebuilder:default={List}
Operations []ClusterResourceOperation `json:"operations"`

// Select all cluster scoped resources with the given label selector.
Selector *metav1.LabelSelector `json:"selector"`
}
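Review bot: the +kubebuilder:validation:Enum marker permits List, Update and Delete, but only ClusterResourceOperationList is defined as a constant, so code that checks for the other two operations has to use string literals; add ClusterResourceOperationUpdate = "Update" and ClusterResourceOperationDelete = "Delete" next to it. APIGroups and Resources are required by their JSON tags but carry no +kubebuilder:validation:MinItems=1 marker, so an entry with empty lists is accepted by the API server; if an empty list is intended to match nothing, say so in the comment, otherwise add the marker.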