
Commit 04d9226

Fix namespace-scoped RBAC Role name conflicts with kustomize
When using namespace-scoped RBAC markers with different namespaces, controller-gen would generate multiple Roles with the same name in different namespaces. This caused kustomize to fail with "namespace transformation produces ID conflict" when applying a global namespace transformation, as both Roles would end up in the same namespace with identical names.

Changes:
- Append namespace to Role name for namespace-scoped Roles (e.g., "manager-role-infrastructure" for namespace "infrastructure")
- ClusterRoles maintain original name without suffix
- Updated documentation to clarify the naming behavior
- Added test scenario covering the reported issue with different resource types in different namespaces (apps/deployments in infrastructure namespace, core/secrets in users namespace)

This ensures uniqueness when kustomize transforms namespaces, preventing the ID conflict error.
1 parent 0d64ab9 commit 04d9226
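The failure mode described in the commit message, as an added example that is not controller-gen's or kustomize's own code: `roleName` mirrors the naming rule from this diff, while `generate` and `kustomizeConflicts` are constructed models of what the generator emits and of what a global `namespace:` transformation does to resource identities, so the old and new naming can be compared offline.

```go
package main

import "fmt"

// resID is the identity kustomize checks for collisions; a constructed model for this example.
type resID struct{ Kind, Name, Namespace string }

// roleName is the commit's rule: Roles get "-<namespace>" appended, a ClusterRole (ns == "") keeps the bare name.
func roleName(base, ns string) string {
	if ns == "" {
		return base
	}
	return fmt.Sprintf("%s-%s", base, ns)
}

// generate models what controller-gen emits for rules in these namespaces ("" = cluster scope).
func generate(base string, namespaces []string, name func(base, ns string) string) []resID {
	var out []resID
	for _, ns := range namespaces {
		kind := "Role"
		if ns == "" {
			kind = "ClusterRole"
		}
		out = append(out, resID{kind, name(base, ns), ns})
	}
	return out
}

// kustomizeConflicts emulates a global `namespace:` transformation (namespaced resources move to
// target, cluster-scoped ones stay put) and returns the identities that then occur more than once.
func kustomizeConflicts(in []resID, target string) []resID {
	seen := map[resID]int{}
	var dup []resID
	for _, id := range in {
		if id.Namespace != "" {
			id.Namespace = target
		}
		seen[id]++
		if seen[id] == 2 {
			dup = append(dup, id)
		}
	}
	return dup
}

func main() {
	ns := []string{"", "infrastructure", "users"}
	fmt.Println(kustomizeConflicts(generate("manager-role", ns, func(b, _ string) string { return b }), "system")) // [{Role manager-role system}]
	fmt.Println(kustomizeConflicts(generate("manager-role", ns, roleName), "system"))                                // []
}
```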


4 files changed

+42
-6
lines changed


pkg/rbac/parser.go

Lines changed: 4 additions & 1 deletion
@@ -59,6 +59,9 @@ type Rule struct {
5959
// Namespace specifies the scope of the Rule.
6060
// If not set, the Rule belongs to the generated ClusterRole.
6161
// If set, the Rule belongs to a Role, whose namespace is specified by this field.
62+
// The generated Role name will be suffixed with the namespace (e.g., "manager-role-namespace")
63+
// to ensure uniqueness when multiple namespace-scoped Roles are generated. This suffix is
64+
// ONLY applied to namespace-scoped Roles, not to ClusterRoles.
6265
Namespace string `marker:",optional"`
6366
}
6467
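Review bot: The new comment explains the suffix but not that it renames Roles that existing projects already consume: a Role previously emitted as `manager-role` in namespace `here` now comes out as `manager-role-here`, so any RoleBinding or kustomize patch that targets the old name by string stops matching. Suggest adding a sentence here stating that the name changes for every namespace-scoped Role, and a release-note entry so users of the `namespace=` marker know to update their references.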

@@ -347,7 +350,7 @@ func GenerateRoles(ctx *genall.GenerationContext, roleName string) ([]any, error
347350
APIVersion: rbacv1.SchemeGroupVersion.String(),
348351
},
349352
ObjectMeta: metav1.ObjectMeta{
350-
Name: roleName,
353+
Name: fmt.Sprintf("%s-%s", roleName, ns),
351354
Namespace: ns,
352355
},
353356
Rules: policyRules,
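Review bot: `Name: fmt.Sprintf("%s-%s", roleName, ns)` has no guard on the combined length. Role names are subject to the API server's name validation, and `ns` appends a hyphen plus a namespace of up to 63 characters, so a `roleName` that was valid before this change can now yield an object the API server rejects; consider checking the combined length and returning an error from `GenerateRoles` rather than emitting YAML that fails at apply time. If an empty `ns` can reach this branch, it would also produce `roleName-`, which silently differs from the ClusterRole name; worth a test or an explicit check.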

pkg/rbac/testdata/controller.go

Lines changed: 2 additions & 0 deletions
@@ -37,3 +37,5 @@ package controller
3737
// +kubebuilder:rbac:groups=core;"";some-other-to-deduplicate-with-core,resources=me,verbs=list;get
3838
// +kubebuilder:rbac:groups=deduplicate-groups5,resources=abc,verbs=get;update;patch;create,namespace=here
3939
// +kubebuilder:rbac:groups=deduplicate-groups5,resources=abc,verbs=*,namespace=here
40+
// +kubebuilder:rbac:groups=apps,namespace=infrastructure,resources=deployments,verbs=get;list;watch;update;patch
41+
// +kubebuilder:rbac:groups="",namespace=users,resources=secrets,verbs=get;list;watch
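Review bot: The two added markers reproduce the reported scenario, but the golden YAML is the only assertion. A direct unit test that the names of all generated Roles are pairwise distinct, independent of their namespaces, would state the regression being guarded against more explicitly than a YAML diff and would survive a golden-file regeneration that silently reintroduces a duplicate.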

pkg/rbac/testdata/role.yaml

Lines changed: 35 additions & 4 deletions
@@ -132,7 +132,7 @@ rules:
132132
apiVersion: rbac.authorization.k8s.io/v1
133133
kind: Role
134134
metadata:
135-
name: manager-role
135+
name: manager-role-here
136136
namespace: here
137137
rules:
138138
- apiGroups:
@@ -145,7 +145,24 @@ rules:
145145
apiVersion: rbac.authorization.k8s.io/v1
146146
kind: Role
147147
metadata:
148-
name: manager-role
148+
name: manager-role-infrastructure
149+
namespace: infrastructure
150+
rules:
151+
- apiGroups:
152+
- apps
153+
resources:
154+
- deployments
155+
verbs:
156+
- get
157+
- list
158+
- patch
159+
- update
160+
- watch
161+
---
162+
apiVersion: rbac.authorization.k8s.io/v1
163+
kind: Role
164+
metadata:
165+
name: manager-role-park
149166
namespace: park
150167
rules:
151168
- apiGroups:
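Review bot: The expected output places the new `infrastructure` Role between `here` and `park`, and the `users` Role between `park` and `zoo`, so the golden file now depends on the generator emitting Roles in namespace-sorted order; fine as long as that ordering is stable, but if it comes from map iteration anywhere in `GenerateRoles`, this test will be flaky. Worth confirming the sort is explicit.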
@@ -158,7 +175,22 @@ rules:
158175
apiVersion: rbac.authorization.k8s.io/v1
159176
kind: Role
160177
metadata:
161-
name: manager-role
178+
name: manager-role-users
179+
namespace: users
180+
rules:
181+
- apiGroups:
182+
- ""
183+
resources:
184+
- secrets
185+
verbs:
186+
- get
187+
- list
188+
- watch
189+
---
190+
apiVersion: rbac.authorization.k8s.io/v1
191+
kind: Role
192+
metadata:
193+
name: manager-role-zoo
162194
namespace: zoo
163195
rules:
164196
- apiGroups:
@@ -168,4 +200,3 @@ rules:
168200
- jobs
169201
verbs:
170202
- get
171-
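Review bot: Confirm the generator's output now ends with exactly one newline after the last document, since the golden file's trailing blank line is being removed here; if it does not, the comparison fails on whitespace alone, which is a tedious failure to diagnose.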

pkg/rbac/zz_generated.markerhelp.go

Lines changed: 1 addition & 1 deletion
