feat: Permission & PermissionGroups

* chore: rename to v1.Permission to v1.PlaybookPermission

[skip ci]

api/v1/permission_group_types.go

@@ -0,0 +1,41 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// PermissionGroup is the Schema for the Mission Control Permission Groups
+type PermissionGroup struct {
+	metav1.TypeMeta   `json:",inline" yaml:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+
+	Spec   PermissionGroupSpec   `json:"spec,omitempty" yaml:"spec,omitempty"`
+	Status PermissionGroupStatus `json:"status,omitempty" yaml:"status,omitempty"`
+}
+
+// +kubebuilder:object:generate=true
+type PermissionGroupSpec struct {
+	PermissionGroupSubjects `json:",inline" yaml:",inline"`
+
+	// Name for the group
+	Name string `json:"name"`
+}
+
+type PermissionGroupStatus struct {
+}
+
+// +kubebuilder:object:generate=true
+type PermissionGroupSubjects struct {
+	Notifications []PermissionGroupSelector `json:"notifications,omitempty"`
+	People        []PermissionGroupSelector `json:"people,omitempty"`
+	Teams         []PermissionGroupSelector `json:"teams,omitempty"`
+}
+
+// +kubebuilder:object:generate=true
+type PermissionGroupSelector struct {
+	Namespaces string `json:"namespace,omitempty"`
+	Name       string `json:"name,omitempty"`
+}

api/v1/permission_types.go

@@ -0,0 +1,66 @@
+package v1
+
+import (
+	"github.com/flanksource/duty/types"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// Permission is the Schema for the Mission Control Permission
+type Permission struct {
+	metav1.TypeMeta   `json:",inline" yaml:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+
+	Spec   PermissionSpec   `json:"spec,omitempty" yaml:"spec,omitempty"`
+	Status PermissionStatus `json:"status,omitempty" yaml:"status,omitempty"`
+}
+
+// Subject of the permission.
+// Can be
+// - a permission group name
+// - id of a resource
+// - <namespace>/<name> of a resource
+type PermissionSubjectSelector string
+
+type PermissionSubject struct {
+	Person       PermissionSubjectSelector `json:"person,omitempty"`
+	Team         PermissionSubjectSelector `json:"team,omitempty"`
+	Notification PermissionSubjectSelector `json:"notification,omitempty"`
+}
+
+type PermissionObject struct {
+	Playbooks  []types.ResourceSelector `json:"playbooks,omitempty"`
+	Configs    []types.ResourceSelector `json:"configs,omitempty"`
+	Components []types.ResourceSelector `json:"components,omitempty"`
+}
+
+// +kubebuilder:object:generate=true
+type PermissionSpec struct {
+	// Description provides a brief explanation of the permission.
+	Description string `json:"description,omitempty"`
+
+	// Action specifies the operation that the permission allows or denies.
+	Action string `json:"action"`
+
+	// Subject defines the entity (e.g., user, group) to which the permission applies.
+	Subject PermissionSubject `json:"subject"`
+
+	// Object identifies the resource or object that the permission is associated with.
+	Object PermissionObject `json:"object"`
+
+	// Deny indicates whether the permission should explicitly deny the specified action.
+	//
+	// Default: false
+	Deny bool `json:"deny,omitempty"`
+
+	// List of agent ids whose configs/components are accessible to a person when RLS is enabled
+	Agents []string `json:"agents,omitempty"`
+
+	// List of config/component tags a person is allowed to access to when RLS is enabled
+	Tags map[string]string `json:"tags,omitempty"`
+}
+
+type PermissionStatus struct {
+}

api/v1/playbook_types.go

@@ -11,7 +11,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 )
 
-type Permission struct {
+type PlaybookPermission struct {
 	Role string `json:"role,omitempty" yaml:"role,omitempty"`
 	Team string `json:"team,omitempty" yaml:"team,omitempty"`
 	Ref  string `json:"ref,omitempty" yaml:"ref,omitempty"`
@@ -177,7 +177,7 @@ type PlaybookSpec struct {
 	TemplatesOn string `json:"templatesOn,omitempty" yaml:"templatesOn,omitempty"`
 
 	// Permissions ...
-	Permissions []Permission `json:"permissions,omitempty" yaml:"permissions,omitempty"`
+	Permissions []PlaybookPermission `json:"permissions,omitempty" yaml:"permissions,omitempty"`
 
 	// Configs filters what config items can run on this playbook.
 	Configs dutyTypes.ResourceSelectors `json:"configs,omitempty" yaml:"configs,omitempty"`