This project is deprecated and is no longer actively maintained.
The Oria Operator provides tooling that allows cluster admins and operator authors to control which namespaces an operator reconciles resource events in.
The oria-operator
will introduce two cluster scoped CRDs, the ScopeTemplate
and ScopeInstance
.
The ScopeTemplate
CRD is used to define the RBAC needed by an operator. It basically allows one to define:
- A
ClusterRole
An example of a ScopeTemplate
CR can be seen below:
apiVersion: operators.io.operator-framework/v1
kind: ScopeTemplate
metadata:
name: scopetemplate-sample
spec:
clusterRoles:
- generateName: test
rules:
- apiGroups: [""]
# at the HTTP level, the name of the resource for accessing Secret
# objects is "secrets"
resources: ["secrets"]
verbs: ["get", "watch", "list"]
subjects:
- kind: Group
name: manager # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
The reconciliation process will verify the below steps:
- It will check if any
ScopeInstance
CRs reference toScopeTemplate
name or not. - If it is referencing then the
ClusterRole
defined in theScopeTemplate
will be created if it does not exist. The createdClusterRole
will include an owner reference to theScopeTemplate
CR. - If no
ScopeInstance
references theScopeTemplate
, theClusterRole
defined in theScopeTemplate
will be deleted if it exists.
The ScopeInstance
CRD is used to define a list of namespaces
that the RBAC in a ScopeTemplate
will be created in. A cluster admin will create the ScopeInstance
CR and will specify:
- The name of a
ScopeTemplate
which defines the RBAC required by the operator - A set of namespaces that the operator should be scoped to. An empty set of namespaces is equivalent to specifying all namespaces.
apiVersion: operators.io.operator-framework/v1
kind: ScopeInstance
metadata:
name: scopeinstance-sample
spec:
scopeTemplateName: scopetemplate-sample
namespaces:
- default
The reconciliation process will verify the below steps:
- It will look for
ScopeTemplate
thatScopeInstance
is referencing. if it is not referencing then throw an error with the appropriate message. - If it is referencing and if the
namespaces
array is empty, a singleClusterRoleBinding
will be created. Otherwise, aRoleBinding
will be created in each of thenamespaces
. These resources will include an owner reference to theScopeInstance
CR.
To install the latest release of oria-operator
, run:
kubectl apply -f https://github.com/operator-framework/oria-operator/releases/latest/download/oria-operator.yaml
To install a specific release of oria-operator
, run:
ORIA_VERSION=vX.Y.Z; kubectl apply -f https://github.com/operator-framework/oria-operator/releases/download/$ORIA_VERSION/oria-operator.yaml
First, install newly created ScopeInstance
and ScopeTemplate
CRs
make install
It will create CRDs and log the below message
customresourcedefinition.apiextensions.k8s.io/scopeinstances.operators.io.operator-framework created
customresourcedefinition.apiextensions.k8s.io/scopetemplates.operators.io.operator-framework created
Then, run the oria-operator
with below command and apply ScopeInstance
and ScopeTemplate
CRDs
make run
Apply ScopeTemplate
CRD as below. This will create a ScopeTemplate
with the name scopetemplate-sample
.
$ kubectl apply -f config/samples/operators_v1_scopetemplate.yaml
scopetemplate.operators.io.operator-framework/scopetemplate-sample created
Now, create ScopeInstance
CRD as below. This will create a ScopeInstance
with the name scopeinstance-sample
that references the ScopeTemplate
created in the previous step.
$ kubectl apply -f config/samples/operators_v1_scopeinstance.yaml
scopeinstance.operators.io.operator-framework/scopeinstance-sample created
Once scopeinstance-sample
is created, it will trigger the reconciliation process of ScopeTemplate
and ScopeInstance
controllers.
ScopeInstance
reconciliation process will create (Cluster)RoleBinding
as defined in CR.
$ kubectl get clusterroles
NAME CREATED AT
test 2022-09-20T18:39:32Z
ScopeInstance
reconciliation process will create (Cluster)RoleBinding
s as defined in CRD.
$ kubectl get rolebindings --all-namespaces
NAMESPACE NAME ROLE AGE
default test-x8hdc ClusterRole/test 33m
Now, let's update the ScopeInstance
with a new namespace. Create the test
namespace with:
$ kubectl create namespace test
namespace/test created
Update the ScopeInstance
to look similar to:
apiVersion: operators.io.operator-framework/v1
kind: ScopeInstance
metadata:
name: scopeinstance-sample
spec:
scopeTemplateName: scopetemplate-sample
namespaces:
- default
- test
$ kubectl apply -f config/samples/operators_v1_scopeinstance.yaml
scopeinstance.operators.io.operator-framework/scopeinstance-sample configured
Now, verify that there is a RoleBinding
created in both namespaces:
$ kubectl get rolebindings --all-namespaces
NAMESPACE NAME ROLE AGE
default test-x8hdc ClusterRole/test 37m
test test-64hk7 ClusterRole/test 80s
Now, update the ScopeInstance
and remove the default
namespace from it:
apiVersion: operators.io.operator-framework/v1
kind: ScopeInstance
metadata:
name: scopeinstance-sample
spec:
scopeTemplateName: scopetemplate-sample
namespaces:
- test
$ kubectl apply -f config/samples/operators_v1_scopeinstance.yaml
scopeinstance.operators.io.operator-framework/scopeinstance-sample configured
Verify that the RoleBinding
in the default
namespace is removed but the RoleBinding
in the test
namespace still exists:
NAMESPACE NAME ROLE AGE
test test-64hk7 ClusterRole/test 2m45s
In the end, remove all namespaces from the ScopeInstance
and verify that it creates a ClusterRoleBinding
and removes any associated RoleBinding
s:
apiVersion: operators.io.operator-framework/v1
kind: ScopeInstance
metadata:
name: scopeinstance-sample
spec:
scopeTemplateName: scopetemplate-sample
$ kubectl apply -f config/samples/operators_v1_scopeinstance.yaml
scopeinstance.operators.io.operator-framework/scopeinstance-sample configured
Verify RoleBinding
s are removed:
$ kubectl get rolebindings --all-namespaces
No resources found
Verify ClusterRoleBinding
is created:
$ kubectl get clusterrolebindings
NAME ROLE AGE
test-mskl2 ClusterRole/test 50s
For contributing guidelines, see the CONTRIBUTING.md file.
Oria Operator is under Apache 2.0 license. See the LICENSE file for details.