feat: Add RBAC feature gate support

- Add featureGate parameter to +kubebuilder:rbac marker
- Enable conditional RBAC rule generation based on feature gates
- Add FeatureGate field to Rule struct and Generator struct
- Implement feature gate parsing and filtering logic
- Update GenerateRoles function to accept feature gates parameter
- Add comprehensive test suite for feature gate functionality
- Maintain backward compatibility with existing RBAC generation

Example usage:
// +kubebuilder:rbac:featureGate=alpha,groups=apps,resources=deployments,verbs=get;list
controller-gen 'rbac:roleName=manager,featureGates="alpha=true,beta=false"' paths=./...

Author: wazery

pkg/rbac/feature_gates_test.go

@@ -0,0 +1,103 @@
+package rbac
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/onsi/gomega"
+	"sigs.k8s.io/controller-tools/pkg/genall"
+	"sigs.k8s.io/controller-tools/pkg/loader"
+	"sigs.k8s.io/controller-tools/pkg/markers"
+	rbacv1 "k8s.io/api/rbac/v1"
+)
+
+func TestFeatureGates(t *testing.T) {
+	g := gomega.NewWithT(t)
+
+	// Load test packages
+	pkgs, err := loader.LoadRoots("./testdata/feature_gates")
+	g.Expect(err).NotTo(gomega.HaveOccurred())
+
+	// Set up generation context
+	reg := &markers.Registry{}
+	g.Expect(reg.Register(RuleDefinition)).To(gomega.Succeed())
+	
+	ctx := &genall.GenerationContext{
+		Collector: &markers.Collector{Registry: reg},
+		Roots:     pkgs,
+	}
+
+	tests := []struct {
+		name           string
+		featureGates   string
+		expectedRules  int
+		shouldContain  []string
+		shouldNotContain []string
+	}{
+		{
+			name:         "no feature gates",
+			featureGates: "",
+			expectedRules: 2, // only always-on rules
+			shouldContain: []string{"pods", "configmaps"},
+			shouldNotContain: []string{"deployments", "ingresses"},
+		},
+		{
+			name:         "alpha enabled",
+			featureGates: "alpha=true",
+			expectedRules: 3, // always-on + alpha
+			shouldContain: []string{"pods", "configmaps", "deployments"},
+			shouldNotContain: []string{"ingresses"},
+		},
+		{
+			name:         "beta enabled", 
+			featureGates: "beta=true",
+			expectedRules: 3, // always-on + beta
+			shouldContain: []string{"pods", "configmaps", "ingresses"},
+			shouldNotContain: []string{"deployments"},
+		},
+		{
+			name:         "both enabled",
+			featureGates: "alpha=true,beta=true",
+			expectedRules: 4, // all rules
+			shouldContain: []string{"pods", "configmaps", "deployments", "ingresses"},
+			shouldNotContain: []string{},
+		},
+		{
+			name:         "alpha enabled beta disabled",
+			featureGates: "alpha=true,beta=false",
+			expectedRules: 3, // always-on + alpha
+			shouldContain: []string{"pods", "configmaps", "deployments"},
+			shouldNotContain: []string{"ingresses"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := gomega.NewWithT(t)
+			
+			objs, err := GenerateRoles(ctx, "test-role", tt.featureGates)
+			g.Expect(err).NotTo(gomega.HaveOccurred())
+			g.Expect(objs).To(gomega.HaveLen(1))
+
+			role, ok := objs[0].(rbacv1.ClusterRole)
+			g.Expect(ok).To(gomega.BeTrue())
+			g.Expect(role.Rules).To(gomega.HaveLen(tt.expectedRules))
+
+			// Convert rules to string for easier checking
+			rulesStr := ""
+			for _, rule := range role.Rules {
+				rulesStr += strings.Join(rule.Resources, ",") + " "
+			}
+
+			for _, resource := range tt.shouldContain {
+				g.Expect(rulesStr).To(gomega.ContainSubstring(resource), 
+					"Expected resource %s to be present", resource)
+			}
+
+			for _, resource := range tt.shouldNotContain {
+				g.Expect(rulesStr).NotTo(gomega.ContainSubstring(resource),
+					"Expected resource %s to be absent", resource)
+			}
+		})
+	}
+}

pkg/rbac/parser.go

@@ -60,6 +60,10 @@ type Rule struct {
 	// If not set, the Rule belongs to the generated ClusterRole.
 	// If set, the Rule belongs to a Role, whose namespace is specified by this field.
 	Namespace string `marker:",optional"`
+	// FeatureGate specifies the feature gate that controls this RBAC rule.
+	// If not set, the rule is always included.
+	// If set, the rule is only included when the specified feature gate is enabled.
+	FeatureGate string `marker:"featureGate,optional"`
 }
 
 // ruleKey represents the resources and non-resources a Rule applies.
@@ -169,6 +173,10 @@ type Generator struct {
 
 	// Year specifies the year to substitute for " YEAR" in the header file.
 	Year string `marker:",optional"`
+
+	// FeatureGates is a comma-separated list of feature gates to enable (e.g., "alpha=true,beta=false").
+	// Only RBAC rules with matching feature gates will be included in the generated output.
+	FeatureGates string `marker:",optional"`
 }
 
 func (Generator) RegisterMarkers(into *markers.Registry) error {
@@ -179,9 +187,46 @@ func (Generator) RegisterMarkers(into *markers.Registry) error {
 	return nil
 }
 
+// FeatureGateMap represents enabled feature gates as a map for efficient lookup
+type FeatureGateMap map[string]bool
+
+// parseFeatureGates parses a comma-separated feature gate string into a map
+// Format: "gate1=true,gate2=false,gate3=true"
+func parseFeatureGates(featureGates string) FeatureGateMap {
+	gates := make(FeatureGateMap)
+	if featureGates == "" {
+		return gates
+	}
+
+	pairs := strings.Split(featureGates, ",")
+	for _, pair := range pairs {
+		parts := strings.Split(strings.TrimSpace(pair), "=")
+		if len(parts) != 2 {
+			continue
+		}
+		gateName := strings.TrimSpace(parts[0])
+		gateValue := strings.TrimSpace(parts[1])
+		gates[gateName] = gateValue == "true"
+	}
+	return gates
+}
+
+// shouldIncludeRule determines if an RBAC rule should be included based on feature gates
+func shouldIncludeRule(rule *Rule, enabledGates FeatureGateMap) bool {
+	if rule.FeatureGate == "" {
+		// No feature gate specified, always include
+		return true
+	}
+
+	// Check if the feature gate is enabled
+	enabled, exists := enabledGates[rule.FeatureGate]
+	return exists && enabled
+}
+
 // GenerateRoles generate a slice of objs representing either a ClusterRole or a Role object
 // The order of the objs in the returned slice is stable and determined by their namespaces.
-func GenerateRoles(ctx *genall.GenerationContext, roleName string) ([]interface{}, error) {
+func GenerateRoles(ctx *genall.GenerationContext, roleName string, featureGates string) ([]interface{}, error) {
+	enabledGates := parseFeatureGates(featureGates)
 	rulesByNSResource := make(map[string][]*Rule)
 	for _, root := range ctx.Roots {
 		markerSet, err := markers.PackageMarkers(ctx.Collector, root)
@@ -192,6 +237,12 @@ func GenerateRoles(ctx *genall.GenerationContext, roleName string) ([]interface{
 		// group RBAC markers by namespace and separate by resource
 		for _, markerValue := range markerSet[RuleDefinition.Name] {
 			rule := markerValue.(Rule)
+			
+			// Apply feature gate filtering
+			if !shouldIncludeRule(&rule, enabledGates) {
+				continue
+			}
+			
 			if len(rule.Resources) == 0 {
 				// Add a rule without any resource if Resources is empty.
 				r := Rule{
@@ -201,6 +252,7 @@ func GenerateRoles(ctx *genall.GenerationContext, roleName string) ([]interface{
 					URLs:          rule.URLs,
 					Namespace:     rule.Namespace,
 					Verbs:         rule.Verbs,
+					FeatureGate:   rule.FeatureGate,
 				}
 				namespace := r.Namespace
 				rulesByNSResource[namespace] = append(rulesByNSResource[namespace], &r)
@@ -214,6 +266,7 @@ func GenerateRoles(ctx *genall.GenerationContext, roleName string) ([]interface{
 					URLs:          rule.URLs,
 					Namespace:     rule.Namespace,
 					Verbs:         rule.Verbs,
+					FeatureGate:   rule.FeatureGate,
 				}
 				namespace := r.Namespace
 				rulesByNSResource[namespace] = append(rulesByNSResource[namespace], &r)
@@ -367,7 +420,7 @@ func GenerateRoles(ctx *genall.GenerationContext, roleName string) ([]interface{
 }
 
 func (g Generator) Generate(ctx *genall.GenerationContext) error {
-	objs, err := GenerateRoles(ctx, g.RoleName)
+	objs, err := GenerateRoles(ctx, g.RoleName, g.FeatureGates)
 	if err != nil {
 		return err
 	}

pkg/rbac/parser_integration_test.go

@@ -42,7 +42,7 @@ var _ = Describe("ClusterRole generated by the RBAC Generator", func() {
 			}
 
 			By("generating a ClusterRole")
-			objs, err := rbac.GenerateRoles(ctx, "manager-role")
+			objs, err := rbac.GenerateRoles(ctx, "manager-role", "")
 			Expect(err).NotTo(HaveOccurred())
 
 			By("loading the desired YAML")

pkg/rbac/testdata/feature_gates/controller.go

@@ -0,0 +1,17 @@
+package testdata
+
+// Always included RBAC rule
+// +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch
+
+// Another always included rule
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list
+
+// Alpha feature gate RBAC rule
+// +kubebuilder:rbac:featureGate=alpha,groups=apps,resources=deployments,verbs=get;list;create;update;delete
+
+// Beta feature gate RBAC rule  
+// +kubebuilder:rbac:featureGate=beta,groups=extensions,resources=ingresses,verbs=get;list;create;update;delete
+
+func main() {
+	// Test file for RBAC feature gates
+}