Merge pull request #4 from reactiveops/ejether/custom-resource-def

WIP: CRD and Operator pattern

Dockerfile

@@ -1,9 +1,9 @@
-FROM python:3.6.4-alpine3.7
+FROM python:2.7.14-alpine3.7
 
 WORKDIR /rbac-manager
 
 COPY . .
 
 RUN pip install -r requirements.txt
 
-CMD python manage-rbac.py --config config/rbac.yaml
+CMD python manage_rbac.py

Dockerfile.ci

@@ -8,4 +8,4 @@ COPY . .
 
 RUN pip install -r requirements.txt
 
-CMD python manage-rbac.py --config config/rbac.yaml
+CMD python manage_rbac.py

README.md

@@ -49,12 +49,12 @@ As you might expect, this will run in your current Kubernetes context. If you do
 
 ### As a Kubernetes Job
 
-Also quite straightforward, you can apply the YAML from the `example/k8s` directory of this repository to run RBAC Manager within your cluster. In this case, you'll want to add you're RBAC Manager configuration in the ConfigMap (`example/k8s/2-config.yaml`).
+Also quite straightforward, you can apply the YAML from the `example/k8s/job` directory of this repository to run RBAC Manager within your cluster. In this case, you'll want to add you're RBAC Manager configuration in the ConfigMap (`example/k8s/controller/02-configmap.yaml`).
 
 Once the ConfigMap represents the RBAC state you want to achieve, you can run the job with a simple command:
 
 ```
-kubectl apply -f example/k8s
+kubectl apply -f example/k8s/controller
 ```
 
 Once the job has completed, you can clean things up by removing the namespace it creates with this command:
@@ -63,14 +63,19 @@ Once the job has completed, you can clean things up by removing the namespace it
 kubectl delete namespace rbac-manager
 ```
 
-### As part of a CI Workflow
+### As a Kubernetes Controller
 
-Ideally RBAC manager will be used in a CI workflow. In addition to our standard Docker images, we provide a secondary image  with each release that includes some helpful dependencies for continuous integration. There is a working example of what this could look like in `examples/ci`.
+RBAC Manager can also be run as a controler using custom resources to store this format of RBAC configuration. These custom resources are `rbacdefinitions`. The RBAC Manager controller listens for `rbacdefinition` updates, and will automatically make the requested changes when a `rbacdefinition` is created or updated.
 
+Sample Kubernetes configuration for this pattern is available in `example/k8s/controller`. You can run this example in your cluster with this command:
 
-## Future Plans
+```
+kubectl apply -f example/k8s/controller
+```
+
+### As part of a CI Workflow
 
-We're very interested in implementing this with a Kubernetes operator pattern. Instead of a single update task, this operator would run on each cluster and listen for changes to custom configuration resources.
+Ideally RBAC manager will be used in a CI workflow. In addition to our standard Docker images, we provide a secondary image with each release that includes some helpful dependencies for continuous integration. There is a working example of what this could look like in `examples/ci`.
 
 ## License
-Apache License 2.0
+Apache License 2.0

examples/k8s/controller/01-rbac.yaml

@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rbac-manager
+  namespace: rbac-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: rbac-manager
+rules:
+  - apiGroups:
+      - rbacmanager.k8s.io
+    resources:
+      - rbacdefinitions
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - rbac.authorization.k8s.io
+      - authorization.k8s.io
+    resources:
+      - '*'
+    verbs:
+      - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: rbac-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: rbac-manager
+subjects:
+  - kind: ServiceAccount
+    name: rbac-manager
+    namespace: rbac-manager

examples/k8s/controller/02-rbacdefinition-crd.yml

@@ -0,0 +1,16 @@
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: rbacdefinitions.rbacmanager.k8s.io
+spec:
+  group: rbacmanager.k8s.io
+  version: v1
+  scope: Namespaced
+  names:
+    plural: rbacdefinitions
+    singular: rbacdefinition
+    kind: RBACDefinition
+    shortNames: 
+      - rd
+      - rds

examples/k8s/controller/03-rbacdefinition.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: rbacmanager.k8s.io/v1
+kind: RBACDefinition
+metadata:
+  name: rbac-manager-config
+  namespace: rbac-manager
+data:
+  rbac: |-
+    - user: [email protected]
+      clusterRoleBindings:
+        - clusterRole: cluster-admin
+    - user: [email protected]
+      clusterRoleBindings:
+        - clusterRole: edit
+      roleBindings:
+        - clusterRole: cluster-admin
+          namespace: default

examples/k8s/controller/04-controller.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: rbac-manager
+  namespace: rbac-manager
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      run: rbac-manager
+  template:
+    metadata:
+      labels:
+        run: rbac-manager
+    spec:
+      serviceAccountName: rbac-manager
+      containers:
+        - name: rbac-manager
+          image: quay.io/reactiveops/rbac-manager:latest
+

examples/k8s/job/00-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: rbac-manager

examples/k8s/1-rbac.yaml → examples/k8s/job/01-rbac.yaml

@@ -11,16 +11,11 @@ metadata:
 rules:
   - apiGroups:
       - rbac.authorization.k8s.io
+      - authorization.k8s.io
     resources:
-      - clusterrolebindings
-      - rolebindings
+      - '*'
     verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
+      - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding

examples/k8s/job/02-configmap.yaml

@@ -0,0 +1,17 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: rbac-manager-config
+  namespace: rbac-manager
+data:
+  rbac.yaml: |-
+    - user: [email protected]
+      clusterRoleBindings:
+        - clusterRole: cluster-admin
+    - user: [email protected]
+      clusterRoleBindings:
+        - clusterRole: edit
+      roleBindings:
+        - clusterRole: cluster-admin
+          namespace: default

examples/k8s/3-job.yaml → examples/k8s/job/03-job.yaml

@@ -1,22 +1,26 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: rbac-manager-2
+  name: rbac-manager
   namespace: rbac-manager
 spec:
-  backoffLimit: 1
+  backoffLimit: 0
   template:
     spec:
       restartPolicy: Never
       serviceAccountName: rbac-manager
       containers:
         - name: rbac-manager
-          image: quay.io/reactiveops/rbac-manager:0.1.3
+          image: quay.io/reactiveops/rbac-manager:latest
+          command:
+            - python
+            - manage_rbac.py
+            - --config
+            - config/rbac.yaml
           volumeMounts:
           - name: rbac-manager-config
             mountPath: /rbac-manager/config
       volumes:
         - name: rbac-manager-config
           configMap:
             name: rbac-manager-config
-