@jeremyeder
Collaborator

Summary

  • Migrates ClusterRole and ClusterRoleBinding resources to namespace-scoped Role and RoleBinding
  • Enables deployment within specific namespaces rather than requiring cluster-wide permissions
  • Removes cluster-wide namespace permissions from operator role (incompatible with namespace-scoped roles)

Changes Made

Backend RBAC

  • backend-clusterrole.yaml: Changed from ClusterRole to Role
  • backend-clusterrolebinding.yaml: Changed from ClusterRoleBinding to RoleBinding, removed namespace from subjects

Operator RBAC

  • operator-clusterrole.yaml: Changed from ClusterRole to Role, removed namespace permissions
  • operator-clusterrolebinding.yaml: Changed from ClusterRoleBinding to RoleBinding, removed namespace from subjects

Test Plan

  • Deploy manifests to a test namespace using kubectl apply -k components/manifests/
  • Verify backend and operator pods start successfully with namespace-scoped permissions
  • Test that custom resource operations work within the target namespace
  • Confirm no cluster-wide access is required or attempted

Breaking Changes

⚠️ Important: The operator role previously had cluster-wide namespace access which has been removed. If the operator needs to detect/manage other namespaces, additional permissions will need to be granted separately.

🤖 Generated with Claude Code
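
A static check for the last Test Plan item (no cluster-wide access required), as an added example that is not part of this pull request or the project's code. It assumes the rendered manifests are already parsed into Python dicts; all object names and rules are constructed, and the list of cluster-scoped resources goes beyond the `namespaces` case the description mentions.

```python
# Added example; object names are constructed, not taken from the project.
CLUSTER_KINDS = {"ClusterRole", "ClusterRoleBinding"}
# Cluster-scoped core resources: a Role cannot grant list/watch on these.
CLUSTER_SCOPED = {"namespaces", "nodes", "persistentvolumes"}
COLLECTION_VERBS = {"list", "watch", "*"}

def audit(manifests):
    """Return sorted findings that block a namespace-scoped deployment."""
    findings = []
    roles = {(m["metadata"].get("namespace"), m["metadata"]["name"])
             for m in manifests if m["kind"] == "Role"}
    for m in manifests:
        kind, meta = m["kind"], m["metadata"]
        if kind in CLUSTER_KINDS:
            findings.append(f"{kind}/{meta['name']}: cluster-scoped RBAC object")
        elif kind == "Role":
            for rule in m.get("rules", []):
                hit = CLUSTER_SCOPED & set(rule.get("resources", []))
                if hit and COLLECTION_VERBS & set(rule.get("verbs", [])):
                    findings.append(f"Role/{meta['name']}: list/watch on "
                                    f"{sorted(hit)} cannot be granted by a Role")
        elif kind == "RoleBinding":
            ref = m["roleRef"]
            if ref["kind"] == "Role" and (meta.get("namespace"), ref["name"]) not in roles:
                findings.append(f"RoleBinding/{meta['name']}: roleRef "
                                f"Role/{ref['name']} is not in the manifest set")
    return sorted(findings)

def binding(kind, name, ref_kind, ref_name):
    """Build a constructed (Cluster)RoleBinding for the sample data."""
    return {"kind": kind, "metadata": {"name": name},
            "roleRef": {"kind": ref_kind, "name": ref_name},
            "subjects": [{"kind": "ServiceAccount", "name": "operator"}]}

NS_RULE = {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]}
POD_RULE = {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}

# Constructed sample: before migration, half-migrated, fully migrated.
BEFORE = [{"kind": "ClusterRole", "metadata": {"name": "operator"}, "rules": [NS_RULE, POD_RULE]},
          binding("ClusterRoleBinding", "operator", "ClusterRole", "operator")]
HALF = [{"kind": "Role", "metadata": {"name": "operator"}, "rules": [NS_RULE, POD_RULE]},
        binding("RoleBinding", "operator", "Role", "operator-role")]
AFTER = [{"kind": "Role", "metadata": {"name": "operator"}, "rules": [POD_RULE]},
         binding("RoleBinding", "operator", "Role", "operator")]

if __name__ == "__main__":
    for label, docs in (("before", BEFORE), ("half", HALF), ("after", AFTER)):
        print(label, audit(docs))
```

The half-migrated set shows the two mistakes a kind-only rename leaves behind: a rule that lists a cluster-scoped resource, and a binding whose `roleRef` still points at the old name.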

jeremyeder and others added 9 commits September 24, 2025 18:08
- Fix YAML format to use messages array instead of custom fields
- Use openai/gpt-4o-mini model as per documentation
- Simplify content to single line to avoid parsing issues
- Include required testData and evaluators arrays

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Remove multiline formatting that may cause YAML parsing issues
- Use simple single-line content field
- Match exact documentation example format

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Change from 1-space to 2-space indentation to match exact documentation format
- Use >+ multiline format exactly as shown in working example

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Use absolute minimal YAML format to isolate parsing issue
- Remove all multiline content that could cause issues
- Test with simplest possible valid format

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Replace custom prompts with official examples from github/ai-assessment-comment-labeler
- Use bug-review.prompt.yml for bug assessment
- Use well-formed.prompt.yml for feature assessment
- Use spam-detection.prompt.yml for general assessment
- These are guaranteed to work with the GitHub action

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Change from @main to @v1 for stable version
- Remove ./ prefix from prompts_directory path
- Use 'Prompts' instead of './Prompts' as per documentation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Remove feature-assessment.prompt.yml that was causing YAML parsing errors
- Update labels_to_prompts_mapping to exclude enhancement/feature mapping
- Test if bug and general assessment prompts work without the problematic file

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
…nd RoleBinding

- Convert backend ClusterRole to Role for namespace-scoped permissions
- Convert backend ClusterRoleBinding to RoleBinding
- Convert operator ClusterRole to Role, removing cluster-wide namespace permissions
- Convert operator ClusterRoleBinding to RoleBinding
- Remove namespace subjects from RoleBindings as they're not needed for namespace-scoped resources

This allows the RBAC resources to be deployed within a specific namespace
rather than requiring cluster-wide permissions.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@jeremyeder jeremyeder closed this Sep 25, 2025
@jeremyeder jeremyeder deleted the feature/migrate-rbac-to-namespace-scoped branch September 25, 2025 18:26