feat: crd Permissions

* chore: rename to v1.Permission to v1.PlaybookPermission

api/v1/permission_types.go

@@ -0,0 +1,59 @@
+package v1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// Permission is the Schema for the Mission Control Permission
+type Permission struct {
+	metav1.TypeMeta   `json:",inline" yaml:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+
+	Spec   PermissionSpec   `json:"spec,omitempty" yaml:"spec,omitempty"`
+	Status PermissionStatus `json:"status,omitempty" yaml:"status,omitempty"`
+}
+
+// Subject of the permission.
+// Can be
+// - a permission group name
+// - id of a resource
+// - <namespace>/<name> of a resource
+type PermissionSubjectSelector string
+
+type PermissionSubject struct {
+	Person       PermissionSubjectSelector `json:"person,omitempty"`
+	Team         PermissionSubjectSelector `json:"team,omitempty"`
+	Notification PermissionSubjectSelector `json:"notification,omitempty"`
+}
+
+// +kubebuilder:object:generate=true
+type PermissionSpec struct {
+	// Description provides a brief explanation of the permission.
+	Description string `json:"description,omitempty"`
+
+	// Action specifies the operation that the permission allows or denies.
+	Action string `json:"action"`
+
+	// Subject defines the entity (e.g., user, group) to which the permission applies.
+	Subject PermissionSubject `json:"subject"`
+
+	// Object identifies the resource or object that the permission is associated with.
+	Object string `json:"object"`
+
+	// Deny indicates whether the permission should explicitly deny the specified action.
+	//
+	// Default: false
+	Deny bool `json:"deny,omitempty"`
+
+	// List of agent ids whose configs/components are accessible to a person when RLS is enabled
+	Agents []string `json:"agents,omitempty"`
+
+	// List of config/component tags a person is allowed to access to when RLS is enabled
+	Tags map[string]string `json:"tags,omitempty"`
+}
+
+type PermissionStatus struct {
+}

api/v1/playbook_types.go

@@ -11,7 +11,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 )
 
-type Permission struct {
+type PlaybookPermission struct {
 	Role string `json:"role,omitempty" yaml:"role,omitempty"`
 	Team string `json:"team,omitempty" yaml:"team,omitempty"`
 	Ref  string `json:"ref,omitempty" yaml:"ref,omitempty"`
@@ -177,7 +177,7 @@ type PlaybookSpec struct {
 	TemplatesOn string `json:"templatesOn,omitempty" yaml:"templatesOn,omitempty"`
 
 	// Permissions ...
-	Permissions []Permission `json:"permissions,omitempty" yaml:"permissions,omitempty"`
+	Permissions []PlaybookPermission `json:"permissions,omitempty" yaml:"permissions,omitempty"`
 
 	// Configs filters what config items can run on this playbook.
 	Configs dutyTypes.ResourceSelectors `json:"configs,omitempty" yaml:"configs,omitempty"`

config/crds/mission-control.flanksource.com_permissions.yaml

@@ -0,0 +1,103 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: permissions.mission-control.flanksource.com
+spec:
+  group: mission-control.flanksource.com
+  names:
+    kind: Permission
+    listKind: PermissionList
+    plural: permissions
+    singular: permission
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: Permission is the Schema for the Mission Control Permission
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              action:
+                description: The action to operate on
+                type: string
+              agents:
+                description: List of agent ids to
+                items:
+                  type: string
+                type: array
+              deny:
+                description: |-
+                  Deny sets the effect = deny.
+                  Default (allow)
+                type: boolean
+              description:
+                type: string
+              object:
+                description: Resource Selector for the object
+                type: string
+              subject:
+                description: Subject of the permission.
+                properties:
+                  notification:
+                    description: |-
+                      Subject of the permission.
+                      Can be
+                      - a permission group name
+                      - id of a resource
+                      - <namespace>/<name> of a resource
+                    type: string
+                  person:
+                    description: |-
+                      Subject of the permission.
+                      Can be
+                      - a permission group name
+                      - id of a resource
+                      - <namespace>/<name> of a resource
+                    type: string
+                  team:
+                    description: |-
+                      Subject of the permission.
+                      Can be
+                      - a permission group name
+                      - id of a resource
+                      - <namespace>/<name> of a resource
+                    type: string
+                type: object
+              tags:
+                additionalProperties:
+                  type: string
+                description: List of tags to
+                type: object
+            required:
+            - action
+            - object
+            - subject
+            type: object
+          status:
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/schemas/playbook-spec.schema.json

@@ -614,21 +614,6 @@
         "message"
       ]
     },
-    "Permission": {
-      "properties": {
-        "role": {
-          "type": "string"
-        },
-        "team": {
-          "type": "string"
-        },
-        "ref": {
-          "type": "string"
-        }
-      },
-      "additionalProperties": false,
-      "type": "object"
-    },
     "PlaybookAction": {
       "properties": {
         "name": {
@@ -826,6 +811,21 @@
         "name"
       ]
     },
+    "PlaybookPermission": {
+      "properties": {
+        "role": {
+          "type": "string"
+        },
+        "team": {
+          "type": "string"
+        },
+        "ref": {
+          "type": "string"
+        }
+      },
+      "additionalProperties": false,
+      "type": "object"
+    },
     "PlaybookSpec": {
       "properties": {
         "title": {
@@ -860,7 +860,7 @@
         },
         "permissions": {
           "items": {
-            "$ref": "#/$defs/Permission"
+            "$ref": "#/$defs/PlaybookPermission"
           },
           "type": "array"
         },