290 changes: 287 additions & 3 deletions deploy/templates/role.yaml
@@ -1,8 +1,291 @@
{{/*
2025-06-10 :
Switched from generating this with controller-gen to maintaining it by hand.
{{/*
2025-06-10 :
Switched from generating this with controller-gen to maintaining it by hand.
See https://github.com/open-component-model/ocm-project/issues/518

2026-03-02 :
Added support for fine-grained aggregatable ClusterRoles.
When manager.clusterRole.aggregation.enabled is true, this template generates
8 separate ClusterRoles that can be aggregated to standard K8s roles.
When false (default), generates the original monolithic ClusterRole for
backward compatibility.
*/ -}}

{{- /* Helper function to build aggregation labels */ -}}
{{- define "ocm-controller.aggregationLabels" -}}
{{- $config := .config -}}
ocm.software/aggregate-to-controller: "true"
{{- if dig "aggregateToView" false $config }}
{{- if $.Values.manager.clusterRole.aggregation.standardRoles.view.enabled }}
rbac.authorization.k8s.io/aggregate-to-view: "true"
{{- end }}
{{- end }}
{{- if dig "aggregateToEdit" false $config }}
{{- if $.Values.manager.clusterRole.aggregation.standardRoles.edit.enabled }}
rbac.authorization.k8s.io/aggregate-to-edit: "true"
{{- end }}
{{- end }}
{{- end -}}

{{- if .Values.manager.clusterRole.aggregation.enabled }}
{{- /* AGGREGATION MODE: Create fine-grained ClusterRoles */ -}}

{{- if .Values.manager.clusterRole.aggregation.roles.coreReader.enabled }}
---
Contributor
If nothing is enabled, these separators will end up as:

---
---
---

Move them inside the if statements.

Contributor Author
Thanks for the comment. I moved all the separators into the if statements.

# 1. Core Reader - Read-only access to configmaps and serviceaccounts (NO secrets)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ocm-controller-core-reader
labels:
{{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.coreReader "Values" .Values) | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- configmaps
- serviceaccounts
verbs:
- get
- list
- watch
{{- end }}

{{- if .Values.manager.clusterRole.aggregation.roles.secretsReader.enabled }}
---
# 2. Secrets Reader - Read-only access to secrets (separate for security)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ocm-controller-secrets-reader
labels:
{{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.secretsReader "Values" .Values) | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
{{- end }}

{{- if .Values.manager.clusterRole.aggregation.roles.coreWriter.enabled }}
---
# 3. Core Writer - Write access to core resources
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ocm-controller-core-writer
labels:
{{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.coreWriter "Values" .Values) | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- pods
- services
verbs:
- create
- delete
- patch
- update
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- delete
- patch
- update
{{- end }}

{{- if .Values.manager.clusterRole.aggregation.roles.ocmReader.enabled }}
---
# 4. OCM Reader - Read-only access to OCM CRDs
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ocm-controller-ocm-reader
labels:
{{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.ocmReader "Values" .Values) | nindent 4 }}
rules:
- apiGroups:
- delivery.ocm.software
resources:
- componentdescriptors
- componentversions
- configurations
- fluxdeployers
- localizations
- resources
- snapshots
verbs:
- get
- list
- watch
{{- end }}

{{- if .Values.manager.clusterRole.aggregation.roles.ocmWriter.enabled }}
---
# 5. OCM Writer - Full management of OCM CRDs
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ocm-controller-ocm-writer
labels:
{{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.ocmWriter "Values" .Values) | nindent 4 }}
rules:
- apiGroups:
- delivery.ocm.software
resources:
- componentdescriptors
- componentversions
- configurations
- fluxdeployers
- localizations
- resources
- snapshots
verbs:
- create
- delete
- patch
- update
- apiGroups:
- delivery.ocm.software
resources:
- componentversions/finalizers
- configurations/finalizers
- fluxdeployers/finalizers
- localizations/finalizers
- resources/finalizers
- snapshots/finalizers
verbs:
- update
- apiGroups:
- delivery.ocm.software
resources:
- componentversions/status
- configurations/status
- fluxdeployers/status
- localizations/status
- resources/status
- snapshots/status
verbs:
- get
- patch
- update
{{- end }}

{{- if .Values.manager.clusterRole.aggregation.roles.fluxReader.enabled }}
---
# 6. Flux Reader - Read-only access to all Flux CRDs
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ocm-controller-flux-reader
labels:
{{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.fluxReader "Values" .Values) | nindent 4 }}
rules:
- apiGroups:
- source.toolkit.fluxcd.io
resources:
- buckets
- gitrepositories
- helmrepositories
- ocirepositories
verbs:
- get
- list
- watch
- apiGroups:
- helm.toolkit.fluxcd.io
resources:
- helmreleases
verbs:
- get
- list
- watch
- apiGroups:
- kustomize.toolkit.fluxcd.io
resources:
- kustomizations
verbs:
- get
- list
- watch
{{- end }}

{{- if .Values.manager.clusterRole.aggregation.roles.fluxWriter.enabled }}
---
# 7. Flux Writer - Full management of all Flux CRDs
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ocm-controller-flux-writer
labels:
{{- include "ocm-controller.aggregationLabels" (dict "config" .Values.manager.clusterRole.aggregation.roles.fluxWriter "Values" .Values) | nindent 4 }}
rules:
- apiGroups:
- source.toolkit.fluxcd.io
resources:
- helmrepositories
- ocirepositories
verbs:
- create
- delete
- patch
- update
- apiGroups:
- helm.toolkit.fluxcd.io
resources:
- helmreleases
verbs:
- create
- delete
- patch
- update
- apiGroups:
- kustomize.toolkit.fluxcd.io
resources:
- kustomizations
verbs:
- create
- delete
- patch
- update
{{- end }}

---
# 8. Main Controller Role - Aggregates all sub-roles
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ocm-controller-manager-role
labels: {{ $.Values.manager.clusterRole.labels | toJson }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
ocm.software/aggregate-to-controller: "true"
rules: [] # Automatically filled by aggregation

{{- else }}
{{- /* LEGACY MODE: Create monolithic ClusterRole (backward compatible) */ -}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
Expand Down Expand Up @@ -142,3 +425,4 @@ rules:
- patch
- update
- watch
{{- end }}
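Review bot: The aggregated `ocm-controller-manager-role` under `# 8. Main Controller Role` selects on `ocm.software/aggregate-to-controller: "true"` alone, so its effective `rules` become the union of every ClusterRole in the cluster carrying that label, not only the seven defined in this template, and the inline `# Automatically filled by aggregation` does not say so. I would extend that comment to `# Filled by the controller-manager with the union of ALL ClusterRoles labelled ocm.software/aggregate-to-controller="true", including ones not managed by this chart`. This main role is also rendered unconditionally inside the aggregation branch, so with every `roles.*.enabled` set to false it is created with no permissions at all; a values comment or a template guard would make that explicit. The legacy-mode ClusterRole that begins at `{{- else }}` continues outside the hunk.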
46 changes: 46 additions & 0 deletions deploy/values.yaml
Expand Up @@ -89,6 +89,52 @@ manager:
affinity: {}
clusterRole:
labels:
# Users can add custom labels here
# These labels are applied to the main ocm-controller-manager-role

# Fine-grained role aggregation configuration
aggregation:
# Enable fine-grained aggregatable roles
# When false (default), uses the existing monolithic ClusterRole
# When true, creates 9 separate ClusterRoles with aggregation labels
enabled: false # DEFAULT: false for backward compatibility

# Control which fine-grained roles aggregate to standard K8s roles
standardRoles:
view:
# Aggregate read-only roles (core-reader, ocm-reader, flux-reader) to 'view'
# This allows users with 'view' role to see OCM/Flux CRDs
# Secrets are NOT included (handled by separate secrets-reader role)
enabled: true
edit:
# Aggregate write roles to 'edit'
# Disabled by default for security - users should explicitly opt-in
enabled: false

# Advanced: Individual role control (optional)
# Most users won't need to modify these
roles:
coreReader:
enabled: true
aggregateToView: true
secretsReader:
enabled: true
aggregateToView: false # Never aggregate secrets to view
coreWriter:
enabled: true
aggregateToEdit: false
ocmReader:
enabled: true
aggregateToView: true
ocmWriter:
enabled: true
aggregateToEdit: false
fluxReader:
enabled: true
aggregateToView: true
fluxWriter:
enabled: true
aggregateToEdit: false

monitoring:
enabled: false
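Review bot: With `aggregation.enabled: true`, the defaults `standardRoles.view.enabled: true` together with `aggregateToView: true` on coreReader, ocmReader and fluxReader extend the cluster's built-in `view` ClusterRole — and therefore every subject already bound to it — with cluster-wide read access to the OCM and Flux CRDs, but the comment above `view:` describes this only as letting users see the CRDs. I would state the blast radius next to that `enabled: true`: `# NOTE: changes the built-in 'view' ClusterRole for every existing binding cluster-wide`. The line `# When true, creates 9 separate ClusterRoles with aggregation labels` also disagrees with the template, which defines seven sub-roles plus the aggregated `ocm-controller-manager-role` and whose own header comment says 8. The enclosing `manager:` mapping starts outside the hunk.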