🐛 Handling Identical Kubebuilder Annotations in Different CRs with * …

…Verbs (#1081) * Handling Identical Kubebuilder Annotations in Different CRs with * Verbs Signed-off-by: Oded Viner <[email protected]> * add test and fix code Signed-off-by: Oded Viner <[email protected]> * add comment to new code Signed-off-by: Oded Viner <[email protected]> * add test for Role in namespace Signed-off-by: Oded Viner <[email protected]> --------- Signed-off-by: Oded Viner <[email protected]>
kubernetes-sigs · Oct 28, 2024 · 17cbcd3 · 17cbcd3
1 parent 23a31fd
commit 17cbcd3
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 0 deletions.
diff --git a/pkg/rbac/parser.go b/pkg/rbac/parser.go
@@ -304,6 +304,15 @@ func GenerateRoles(ctx *genall.GenerationContext, roleName string) ([]interface{
 		}
 		sort.Sort(ruleKeys(keys))
 
+		// Normalize rule verbs to "*" if any verb in the rule is an asterisk
+		for _, rule := range ruleMap {
+			for _, verb := range rule.Verbs {
+				if verb == "*" {
+					rule.Verbs = []string{"*"}
+					break
+				}
+			}
+		}
 		var policyRules []rbacv1.PolicyRule
 		for _, key := range keys {
 			policyRules = append(policyRules, ruleMap[key].ToRule())

diff --git a/pkg/rbac/testdata/controller.go b/pkg/rbac/testdata/controller.go
@@ -23,6 +23,8 @@ package controller
 // +kubebuilder:rbac:groups=deduplicate-all,resources=foo;bar,verbs=get;list
 // +kubebuilder:rbac:groups=deduplicate-all,resources=foo,verbs=get
 // +kubebuilder:rbac:groups=deduplicate-all,resources=bar,verbs=list
+// +kubebuilder:rbac:groups=deduplicate-groups4,resources=xyz,verbs=get;update;patch
+// +kubebuilder:rbac:groups=deduplicate-groups4,resources=xyz,verbs=*
 // +kubebuilder:rbac:groups=deduplicate-all-group,resources=foo;bar,verbs=get;list
 // +kubebuilder:rbac:groups=not-deduplicate-resources,resources=some,verbs=get
 // +kubebuilder:rbac:groups=not-deduplicate-resources,resources=another,verbs=list
@@ -33,3 +35,5 @@ package controller
 // +kubebuilder:rbac:groups=core,resources=deduplicate,verbs=list
 // +kubebuilder:rbac:groups="",resources=me,verbs=list
 // +kubebuilder:rbac:groups=core;"";some-other-to-deduplicate-with-core,resources=me,verbs=list;get
+// +kubebuilder:rbac:groups=deduplicate-groups5,resources=abc,verbs=get;update;patch;create,namespace=here
+// +kubebuilder:rbac:groups=deduplicate-groups5,resources=abc,verbs=*,namespace=here
diff --git a/pkg/rbac/testdata/role.yaml b/pkg/rbac/testdata/role.yaml
@@ -88,6 +88,12 @@ rules:
   - foo
   verbs:
   - patch
+- apiGroups:
+  - deduplicate-groups4
+  resources:
+  - xyz
+  verbs:
+  - '*'
 - apiGroups:
   - deduplicate-resources
   resources:
@@ -125,6 +131,19 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
+metadata:
+  name: manager-role
+  namespace: here
+rules:
+- apiGroups:
+  - deduplicate-groups5
+  resources:
+  - abc
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
   name: manager-role
   namespace: park
@@ -149,3 +168,4 @@ rules:
   - jobs
   verbs:
   - get
+