refactor: namespaces.yaml, namespace-defaults.yaml

josibake · josibake · commit eeba1b1e925d · 2024-09-13T14:46:47.000+02:00
namespaces.yaml is meant for describing the overall structure of what you want
with specific overrides for specific users as needed. the "default" roles should
be defined in namespace-defaults.yaml so that they are automatically applied by default
for each user in each namespace.

at a lower level, defaults that should be applied by default for *any* namespaces deployment
should be defined in values.yaml.

namespace-defaults.yaml is meant to override values.yaml in the event
for a particular namespaces deployment the admin wants to create
tailor made roles and permisssions. otherwise, this can stay empty
and whatever is in values.yaml will be applied.

update example prefix to wargames, to illustrate this is not relying on
a default namespace of warnet. this probably needs some more thought,
but I think its best to address how to pipe through the name in a
followup rather than slow this PR down.
diff --git a/resources/namespaces/two_namespaces_two_users/namespace-defaults.yaml b/resources/namespaces/two_namespaces_two_users/namespace-defaults.yaml
@@ -3,14 +3,16 @@ users:
     roles:
       - pod-viewer
       - pod-manager
-roles:
-  - name: pod-viewer
-    rules:
-      - apiGroups: [""]
-        resources: ["pods"]
-        verbs: ["get", "list", "watch"]
-  - name: pod-manager
-    rules:
-      - apiGroups: [""]
-        resources: ["pods", "configmaps"]
-        verbs: ["get", "list", "watch", "create", "update", "delete"]
+# the pod-viewer and pod-manager roles are the default
+# roles defined in values.yaml for the namespaces charts
+#
+# if you need a different set of roles for a particular namespaces
+# deployment, you can override values.yaml by providing your own
+# role definitions below
+#
+# roles:
+#   - name: my-custom-role
+#     rules:
+#      - apiGroups: ""
+#        resources: ""
+#        verbs: ""
diff --git a/resources/namespaces/two_namespaces_two_users/namespaces.yaml b/resources/namespaces/two_namespaces_two_users/namespaces.yaml
@@ -1,5 +1,5 @@
 namespaces:
-  - name: warnet-red-team
+  - name: wargames-red-team
     users:
       - name: alice
         roles:
@@ -8,42 +8,7 @@ namespaces:
         roles:
           - pod-viewer
           - pod-manager
-    roles:
-      - name: pod-viewer
-        rules:
-          - apiGroups: [""]
-            resources: ["pods"]
-            verbs: ["get", "list", "watch"]
-          - apiGroups: [""]
-            resources: ["pods/log", "pods/exec", "pods/attach", "pods/portforward"]
-            verbs: ["get"]
-          - apiGroups: [""]
-            resources: ["configmaps", "secrets"]
-            verbs: ["get"]
-          - apiGroups: [""]
-            resources: ["persistentvolumeclaims"]
-            verbs: ["get", "list"]
-          - apiGroups: [""]
-            resources: ["events"]
-            verbs: ["get"]
-      - name: pod-manager
-        rules:
-          - apiGroups: [""]
-            resources: ["pods"]
-            verbs: ["get", "list", "watch", "create", "delete", "update"]
-          - apiGroups: [""]
-            resources: ["pods/log", "pods/exec", "pods/attach", "pods/portforward"]
-            verbs: ["get", "create"]
-          - apiGroups: [""]
-            resources: ["configmaps", "secrets"]
-            verbs: ["get", "create"]
-          - apiGroups: [""]
-            resources: ["persistentvolumeclaims"]
-            verbs: ["get", "list"]
-          - apiGroups: [""]
-            resources: ["events"]
-            verbs: ["get"]
-  - name: warnet-blue-team
+  - name: wargames-blue-team
     users:
       - name: mallory
         roles:
@@ -52,38 +17,3 @@ namespaces:
         roles:
           - pod-viewer
           - pod-manager
-    roles:
-      - name: pod-viewer
-        rules:
-          - apiGroups: [""]
-            resources: ["pods"]
-            verbs: ["get", "list", "watch"]
-          - apiGroups: [""]
-            resources: ["pods/log", "pods/exec", "pods/attach", "pods/portforward"]
-            verbs: ["get"]
-          - apiGroups: [""]
-            resources: ["configmaps", "secrets"]
-            verbs: ["get"]
-          - apiGroups: [""]
-            resources: ["persistentvolumeclaims"]
-            verbs: ["get", "list"]
-          - apiGroups: [""]
-            resources: ["events"]
-            verbs: ["get"]
-      - name: pod-manager
-        rules:
-          - apiGroups: [""]
-            resources: ["pods"]
-            verbs: ["get", "list", "watch", "create", "delete", "update"]
-          - apiGroups: [""]
-            resources: ["pods/log", "pods/exec", "pods/attach", "pods/portforward"]
-            verbs: ["get", "create"]
-          - apiGroups: [""]
-            resources: ["configmaps", "secrets"]
-            verbs: ["get", "create"]
-          - apiGroups: [""]
-            resources: ["persistentvolumeclaims"]
-            verbs: ["get", "list"]
-          - apiGroups: [""]
-            resources: ["events"]
-            verbs: ["get"]
