
CRD support in k8s resource mapping #50042

Draft. Wants to merge 1 commit into base: master.

Conversation

@creack (Member) commented Dec 10, 2024

Support CRD in kubernetes resources for roles.

- Removes the validation on the kind field to allow for arbitrary resources.
- To avoid changing the model, the api group/version are added to the kind field.
- Enable support for cluster-wide resources.
- Update role editor to support CRDs.

changelog: Add support for CRDs in kubernetes_resources for roles.

Example

kube-access Teleport role:

```yaml
---
kind: role
metadata:
  name: kube-access
version: v7
spec:
  allow:
    kubernetes_labels:
      'region': '*'
      'platform': 'kind'
    kubernetes_resources:
      - kind: pod
        namespace: "production"
        name: "^webapp-[a-z0-9-]+$"
        verbs: ["get", "watch", "list"]
      - kind: stable.example.com/v1/crontabs
        namespace: "production"
        name: "*"
        verbs: ["*"]
      - kind: '*'
        namespace: "development"
        name: "*"
        verbs: ["*"]
    kubernetes_groups:
    - developers
    kubernetes_users:
    - minikube
  deny: {}
```

clusterrolebinding:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-viewer
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pod-viewer
subjects:
- kind: Group
  name: developers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pod-viewer
  apiGroup: rbac.authorization.k8s.io
```

NS:

```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: development
  labels:
    name: development
---
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    name: production
```

CRD:

```yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  # Name must match the spec fields below, and be in the form: <plural>.<group>
  name: crontabs.stable.example.com
spec:
  # group name to use for REST API: /apis/<group>/<version>
  group: stable.example.com
  # list of versions supported by this CustomResourceDefinition
  versions:
    - name: v1
      # Each version can be enabled/disabled by the served flag.
      served: true
      # One and only one version must be marked as the storage version.
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                cronSpec:
                  type: string
                image:
                  type: string
                replicas:
                  type: integer
  # either Namespaced or Cluster
  scope: Namespaced
  names:
    # plural name to be used in the URL: /apis/<group>/<version>/<plural>
    plural: crontabs
    # singular name to be used as an alias on the CLI and for display
    singular: crontab
    # kind is normally the CamelCased singular type. Your resource manifests use this.
    kind: CronTab
    # shortNames allow a shorter string to match your resource on the CLI
    shortNames:
    - ct
---
apiVersion: "stable.example.com/v1"
kind: CronTab
metadata:
  name: my-new-cron-object-dev
  namespace: development
spec:
  cronSpec: "* * * * */5"
  image: my-awesome-cron-image
---
apiVersion: "stable.example.com/v1"
kind: CronTab
metadata:
  name: my-new-cron-object-prod
  namespace: production
spec:
  cronSpec: "* * * * */5"
  image: my-awesome-cron-image
```

CronTab:

```yaml
---
apiVersion: "stable.example.com/v1"
kind: CronTab
metadata:
  name: my-new-cron-object-prod-2
  namespace: production
spec:
  cronSpec: "* * * * */5"
  image: my-awesome-cron-image
```
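To make the new `kind` layout concrete, here is an added Go example (not Teleport's own code) that evaluates a Kubernetes request against the kubernetes_resources entries of the role above. It assumes the proposed `<group>/<version>/<resource>` layout for CRD kinds, a naive "+s" pluralisation for legacy bare kinds such as `pod`, and that name patterns starting with `^` are regular expressions; a request is allowed only when every field of some allow entry matches and no deny entry matches.

```go
package main

import (
	"regexp"
	"strings"
)

// KubeResource is one kubernetes_resources entry from the role above. Kind is a bare
// legacy kind ("pod"), "*", or the proposed (assumed) "<group>/<version>/<resource>" form.
type KubeResource struct {
	Kind, Namespace, Name string
	Verbs                 []string
}

// Request is a constructed view of one Kubernetes API call: Resource is the plural
// REST name ("pods", "crontabs"); Group is "" for the core API group.
type Request struct{ Group, Version, Resource, Namespace, Name, Verb string }

// match treats "*" as match-all, a pattern starting with "^" as an anchored regexp
// (the role's "^webapp-[a-z0-9-]+$" name) and anything else as an exact string.
func match(pattern, value string) bool {
	if strings.HasPrefix(pattern, "^") {
		re, err := regexp.Compile(pattern)
		return err == nil && re.MatchString(value)
	}
	return pattern == "*" || pattern == value
}
// matchKind accepts "*", a bare legacy kind (core group, naive "+s" plural) or a
// group/version/resource triple; any other shape never matches, so it cannot widen access.
func matchKind(kind string, req Request) bool {
	p := strings.Split(kind, "/")
	if len(p) == 3 {
		return match(p[0], req.Group) && match(p[1], req.Version) && match(p[2], req.Resource)
	}
	return len(p) == 1 && (kind == "*" || req.Group == "" && (kind == req.Resource || kind+"s" == req.Resource))
}
// anyMatch reports whether some entry matches every field of the request.
func anyMatch(rs []KubeResource, req Request) bool {
	for _, r := range rs {
		for _, v := range r.Verbs {
			if match(v, req.Verb) && matchKind(r.Kind, req) && match(r.Namespace, req.Namespace) && match(r.Name, req.Name) {
				return true
			}
		}
	}
	return false
}
// Allowed applies the role: a matching deny entry wins, otherwise an allow entry must match.
func Allowed(allow, deny []KubeResource, req Request) bool { return !anyMatch(deny, req) && anyMatch(allow, req) }
```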

@shia-raiffeisen commented:

As far as I've investigated this topic myself, I've discovered usage of the Kubernetes runtime with a basic Scheme. Meaning, if we want to support CRDs, we need to use a client with an extended scheme and API group.

@creack force-pushed the creack/k8s-crds-mapping branch 3 times, most recently from 7e49015 to c2596cf (January 31, 2025 15:53)
@creack force-pushed the creack/k8s-crds-mapping branch 7 times, most recently from 082698f to d03b0c1 (February 9, 2025 18:03)
github-actions bot commented Feb 9, 2025

Amplify deployment status

| Branch | Commit | Job ID | Status | Preview | Updated (UTC) |
|---|---|---|---|---|---|
| creack/k8s-crds-mapping | 427df91 | 3 | ✅ SUCCEED | creack-k8s-crds-mapping | 2025-02-09 18:40:44 |

@creack force-pushed the creack/k8s-crds-mapping branch from d03b0c1 to b5bf668 (February 9, 2025 18:15)
Update role editor to support CRDs.
Update docs.
@creack changed the title from "Experiment with CRD support in k8s resource mapping" to "CRD support in k8s resource mapping" (Feb 9, 2025)
@creack force-pushed the creack/k8s-crds-mapping branch from b5bf668 to 427df91 (February 9, 2025 18:35)