refactor: namespaces.yaml, namespace-defaults.yaml

josibake · josibake · commit 2d0ea975d1f5 · 2024-09-13T14:00:34.000+02:00
namespaces.yaml is meant for describing the overall structure of what you want
with specific overrides for specific users as needed. the "default" roles should
be defined in namespace-defaults.yaml so that they are automatically applied by default
for each user in each namespace.

at a lower level, defaults that should be applied by default for *any* namespaces deployment
should be defined in values.yaml.

namespace-defaults.yaml is meant to override values.yaml in the event
for a particular namespaces deployment the admin wants to create
tailor made roles and permisssions. otherwise, this can stay empty
and whatever is in values.yaml will be applied.
diff --git a/resources/namespaces/two_namespaces_two_users/namespace-defaults.yaml b/resources/namespaces/two_namespaces_two_users/namespace-defaults.yaml
@@ -3,14 +3,16 @@ users:
     roles:
       - pod-viewer
       - pod-manager
-roles:
-  - name: pod-viewer
-    rules:
-      - apiGroups: [""]
-        resources: ["pods"]
-        verbs: ["get", "list", "watch"]
-  - name: pod-manager
-    rules:
-      - apiGroups: [""]
-        resources: ["pods", "configmaps"]
-        verbs: ["get", "list", "watch", "create", "update", "delete"]
+# the pod-viewer and pod-manager roles are the default
+# roles defined in values.yaml for the namespaces charts
+#
+# if you need a different set of roles for a particular namespaces
+# deployment, you can override values.yaml by providing your own
+# role definitions below
+#
+# roles:
+#   - name: my-custom-role
+#     rules:
+#      - apiGroups: ""
+#        resources: ""
+#        verbs: ""
diff --git a/resources/namespaces/two_namespaces_two_users/namespaces.yaml b/resources/namespaces/two_namespaces_two_users/namespaces.yaml
@@ -8,41 +8,6 @@ namespaces:
         roles:
           - pod-viewer
           - pod-manager
-    roles:
-      - name: pod-viewer
-        rules:
-          - apiGroups: [""]
-            resources: ["pods"]
-            verbs: ["get", "list", "watch"]
-          - apiGroups: [""]
-            resources: ["pods/log", "pods/exec", "pods/attach", "pods/portforward"]
-            verbs: ["get"]
-          - apiGroups: [""]
-            resources: ["configmaps", "secrets"]
-            verbs: ["get"]
-          - apiGroups: [""]
-            resources: ["persistentvolumeclaims"]
-            verbs: ["get", "list"]
-          - apiGroups: [""]
-            resources: ["events"]
-            verbs: ["get"]
-      - name: pod-manager
-        rules:
-          - apiGroups: [""]
-            resources: ["pods"]
-            verbs: ["get", "list", "watch", "create", "delete", "update"]
-          - apiGroups: [""]
-            resources: ["pods/log", "pods/exec", "pods/attach", "pods/portforward"]
-            verbs: ["get", "create"]
-          - apiGroups: [""]
-            resources: ["configmaps", "secrets"]
-            verbs: ["get", "create"]
-          - apiGroups: [""]
-            resources: ["persistentvolumeclaims"]
-            verbs: ["get", "list"]
-          - apiGroups: [""]
-            resources: ["events"]
-            verbs: ["get"]
   - name: warnet-blue-team
     users:
       - name: mallory
@@ -52,38 +17,3 @@ namespaces:
         roles:
           - pod-viewer
           - pod-manager
-    roles:
-      - name: pod-viewer
-        rules:
-          - apiGroups: [""]
-            resources: ["pods"]
-            verbs: ["get", "list", "watch"]
-          - apiGroups: [""]
-            resources: ["pods/log", "pods/exec", "pods/attach", "pods/portforward"]
-            verbs: ["get"]
-          - apiGroups: [""]
-            resources: ["configmaps", "secrets"]
-            verbs: ["get"]
-          - apiGroups: [""]
-            resources: ["persistentvolumeclaims"]
-            verbs: ["get", "list"]
-          - apiGroups: [""]
-            resources: ["events"]
-            verbs: ["get"]
-      - name: pod-manager
-        rules:
-          - apiGroups: [""]
-            resources: ["pods"]
-            verbs: ["get", "list", "watch", "create", "delete", "update"]
-          - apiGroups: [""]
-            resources: ["pods/log", "pods/exec", "pods/attach", "pods/portforward"]
-            verbs: ["get", "create"]
-          - apiGroups: [""]
-            resources: ["configmaps", "secrets"]
-            verbs: ["get", "create"]
-          - apiGroups: [""]
-            resources: ["persistentvolumeclaims"]
-            verbs: ["get", "list"]
-          - apiGroups: [""]
-            resources: ["events"]
-            verbs: ["get"]
