5 changes: 5 additions & 0 deletions docs/en/apis/kubernetes_apis/connector/connector.mdx
@@ -0,0 +1,5 @@
# Connector [dex.coreos.com/v1]

<OpenAPIPath path="/apis/dex.coreos.com/v1/namespaces/{namespace}/connectors" />

<OpenAPIPath path="/apis/dex.coreos.com/v1/namespaces/{namespace}/connectors/{name}" />
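
Review bot: Both OpenAPIPath entries (lines 3 and 5) omit pathPrefix, and the page has no K8sCrd element, while the RBAC pages in this PR set pathPrefix="/kubernetes/{cluster}" and user.mdx and project.mdx embed their CRD. If connectors are served only from one fixed endpoint, state that in a sentence under the heading; otherwise add the prefix. If a Connector CRD is shipped under docs/shared/crds, embed it here as well so readers can see which connector fields the API accepts.
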
6 changes: 6 additions & 0 deletions docs/en/apis/kubernetes_apis/connector/index.mdx
@@ -0,0 +1,6 @@
---
---

# Connector APIs

<Overview overviewHeaders={[]} />
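
Review bot: Lines 1-2 are an empty front matter block (--- directly followed by ---), and the same empty block is repeated in every index.mdx added by this PR. Either remove it or fill in the keys it was meant to hold, so the new pages do not ship a placeholder.
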
6 changes: 6 additions & 0 deletions docs/en/apis/kubernetes_apis/project/index.mdx
@@ -0,0 +1,6 @@
---
---

# Project APIs

<Overview overviewHeaders={[]} />
6 changes: 6 additions & 0 deletions docs/en/apis/kubernetes_apis/project/project.mdx
@@ -0,0 +1,6 @@
# Project [auth.alauda.io/v1]
<OpenAPIPath path="/apis/auth.alauda.io/v1/projects" />

<OpenAPIPath path="/apis/auth.alauda.io/v1/projects/{name}" />

<K8sCrd name="projects.auth.alauda.io" />
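
Review bot: Style point on lines 1-2: the heading is followed directly by the first OpenAPIPath element with no blank line, whereas connector.mdx and the RBAC pages in this PR separate them. Add the blank line here (and in user.mdx, which has the same layout) so all the new API pages are formatted the same way.
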
Comment on lines +1 to +6
Contributor

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify corresponding CRD file exists for projects.auth.alauda.io.

Line 6 references a CRD declaration for projects.auth.alauda.io, but the corresponding CRD YAML file is not included in this PR for review. Ensure docs/shared/crds/auth.alauda.io_projects.yaml exists and is properly formatted.


🏁 Script executed:

#!/bin/bash
# Verify the Project CRD file exists and is valid YAML
fd -e yaml docs/shared/crds | grep -i project
cat docs/shared/crds/auth.alauda.io_projects.yaml 2>/dev/null | head -20

Length of output: 369


🏁 Script executed:

#!/bin/bash
# Verify the Project CRD file exists using corrected fd syntax
echo "=== Searching for Project CRD files ==="
fd --full-path 'auth.alauda.io_projects.yaml' docs/shared/crds 2>/dev/null

echo "=== Checking if docs/shared/crds directory exists ==="
ls -la docs/shared/crds 2>&1 | head -30

echo "=== Listing all YAML files in CRDs directory ==="
fd . docs/shared/crds -e yaml 2>&1 | head -20

Length of output: 2568


The CRD file for projects.auth.alauda.io is missing.

Line 6 references <K8sCrd name="projects.auth.alauda.io" />, but the corresponding CRD YAML file docs/shared/crds/auth.alauda.io_projects.yaml does not exist in the repository. The docs/shared/crds/ directory contains 16 CRD files, including auth.alauda.io_users.yaml, but no projects CRD. Either create the missing CRD file or remove the K8sCrd reference if it is not yet implemented.

🤖 Prompt for AI Agents
In docs/en/apis/kubernetes_apis/project/project.mdx around lines 1-6, the page
references a CRD via <K8sCrd name="projects.auth.alauda.io" /> but the
corresponding YAML file docs/shared/crds/auth.alauda.io_projects.yaml is
missing; either add that CRD YAML to docs/shared/crds/ (matching naming
convention and contents of other CRDs) and commit it, or remove/replace the
<K8sCrd ... /> tag from this MDX if the CRD is not ready, ensuring the page
builds without broken references.

5 changes: 5 additions & 0 deletions docs/en/apis/kubernetes_apis/rbac/clusterrole.mdx
@@ -0,0 +1,5 @@
# ClusterRole [rbac.authorization.k8s.io/v1]

<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/clusterroles" pathPrefix="/kubernetes/{cluster}" />

<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/clusterroles/{name}" pathPrefix="/kubernetes/{cluster}" />
5 changes: 5 additions & 0 deletions docs/en/apis/kubernetes_apis/rbac/clusterrolebinding.mdx
@@ -0,0 +1,5 @@
# ClusterRoleBinding [rbac.authorization.k8s.io/v1]

<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/clusterrolebindings" pathPrefix="/kubernetes/{cluster}" />

<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/{name}" pathPrefix="/kubernetes/{cluster}" />
6 changes: 6 additions & 0 deletions docs/en/apis/kubernetes_apis/rbac/index.mdx
@@ -0,0 +1,6 @@
---
---

# RBAC APIs

<Overview overviewHeaders={[]} />
5 changes: 5 additions & 0 deletions docs/en/apis/kubernetes_apis/rbac/role.mdx
@@ -0,0 +1,5 @@
# Role [rbac.authorization.k8s.io/v1]

<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles" pathPrefix="/kubernetes/{cluster}" />

<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles/{name}" pathPrefix="/kubernetes/{cluster}" />
5 changes: 5 additions & 0 deletions docs/en/apis/kubernetes_apis/rbac/rolebinding.mdx
@@ -0,0 +1,5 @@
# RoleBinding [rbac.authorization.k8s.io/v1]

<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings" pathPrefix="/kubernetes/{cluster}" />

<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings/{name}" pathPrefix="/kubernetes/{cluster}" />
6 changes: 6 additions & 0 deletions docs/en/apis/kubernetes_apis/serviceaccount/index.mdx
@@ -0,0 +1,6 @@
---
---

# ServiceAccount APIs

<Overview overviewHeaders={[]} />
@@ -0,0 +1,5 @@
# ServiceAccount [v1]

<OpenAPIPath path="/api/v1/namespaces/{namespace}/serviceaccounts" pathPrefix="/kubernetes/{cluster}" />

<OpenAPIPath path="/api/v1/namespaces/{namespace}/serviceaccounts/{name}" pathPrefix="/kubernetes/{cluster}" />
6 changes: 6 additions & 0 deletions docs/en/apis/kubernetes_apis/user/index.mdx
@@ -0,0 +1,6 @@
---
---

# User APIs

<Overview overviewHeaders={[]} />
6 changes: 6 additions & 0 deletions docs/en/apis/kubernetes_apis/user/user.mdx
@@ -0,0 +1,6 @@
# User [auth.alauda.io/v1]
<OpenAPIPath path="/apis/auth.alauda.io/v1/users" />

<OpenAPIPath path="/apis/auth.alauda.io/v1/users/{name}" />

<K8sCrd name="users.auth.alauda.io" />
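
Review bot: Line 6 embeds the users.auth.alauda.io schema, so the published reference will list spec.password and spec.old_password as plain string fields with no description, next to the /users and /users/{name} paths documented on lines 2 and 4. Before this page goes out, add descriptions to those two fields in the CRD saying how they are handled, and note on this page which callers are expected to read or write User objects.
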
161 changes: 161 additions & 0 deletions docs/shared/crds/auth.alauda.io_users.yaml
@@ -0,0 +1,161 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.9.2
name: users.auth.alauda.io
spec:
conversion:
strategy: None
group: auth.alauda.io
names:
kind: User
listKind: UserList
plural: users
singular: user
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.connector_type
name: Type
type: string
- jsonPath: .spec.email
name: Username
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: User is the Schema for the users API
properties:
apiVersion:
description: "APIVersion defines the versioned schema of this representation of
an object. Servers should convert recognized schemas to the
latest internal value, and may reject unrecognized values. More
info:
https://git.k8s.io/community/contributors/devel/sig-architectur\
e/api-conventions.md#resources"
type: string
kind:
description: "Kind is a string value representing the REST resource this object
represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info:
https://git.k8s.io/community/contributors/devel/sig-architectur\
e/api-conventions.md#types-kinds"
type: string
metadata:
type: object
spec:
description: UserSpec defines the desired state of User
properties:
account:
type: string
connector_id:
type: string
connector_name:
type: string
connector_type:
description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
Important: Run "make" to regenerate code after modifying
this file'
type: string
continuity_errors:
type: integer
email:
type: string
expired:
description: Expired ...
properties:
begin:
format: date-time
type: string
end:
format: date-time
type: string
required:
- begin
- end
type: object
extra:
description: Extra contains additional arbitrary metadata for the user from
third-party systems
type: object
x-kubernetes-preserve-unknown-fields: true
Comment on lines +82 to +85
Contributor

⚠️ Potential issue | 🟡 Minor

Broad use of x-kubernetes-preserve-unknown-fields at multiple levels.

The CRD uses x-kubernetes-preserve-unknown-fields: true at both the spec level (line 85) and root level (line 134). While this enables flexibility for third-party integrations (noted in the extra field comment), it also:

  • Allows arbitrary fields that may mask schema validation issues
  • Increases the risk of unintended data acceptance
  • Makes schema evolution harder to track

Consider narrowing the preserve-unknown-fields scope to only the extra field if possible, or document the rationale for the broader application.

Also applies to: 134-134

groups:
items:
type: string
type: array
ids:
items:
properties:
id:
type: string
type:
type: string
required:
- id
- type
type: object
type: array
is_admin:
type: boolean
is_disabled:
type: boolean
last_login_time:
type: string
mail:
type: string
mobile:
type: string
old_password:
type: string
password:
type: string
Comment on lines +112 to +115
Contributor

⚠️ Potential issue | 🟠 Major

⚠️ Security concern: Plain-text password fields in CRD spec.

The password and old_password fields are stored as plain strings in the User resource spec. Kubernetes resources are persisted in etcd by default, which is not the appropriate place for credential storage. Credentials should be managed via Kubernetes Secrets.

Consider:

  1. Removing password fields from the spec and managing them separately via Secrets.
  2. If passwords must be included, ensure etcd encryption and access controls are strictly configured.
  3. Document the security implications and expected access restrictions.

state:
description: State is User's State
type: string
username:
type: string
valid:
type: boolean
webhookType:
type: string
webhookUrl:
type: string
required:
- connector_name
- connector_type
- email
- is_admin
- username
type: object
x-kubernetes-preserve-unknown-fields: true
status:
description: UserStatus defines the observed state of User
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: User
listKind: UserList
plural: users
singular: user
conditions:
- lastTransitionTime: 2025-11-06T16:16:25Z
message: no conflicts found
reason: NoConflicts
status: "True"
type: NamesAccepted
- lastTransitionTime: 2025-11-06T16:16:25Z
message: the initial names have been accepted
reason: InitialNamesAccepted
status: "True"
type: Established
storedVersions:
- v1
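
Review bot: The trailing top-level status block (acceptedNames, conditions with lastTransitionTime: 2025-11-06T16:16:25Z, storedVersions) is server-populated state, which suggests this file was exported from a running cluster rather than taken from the controller-gen output; drop it so the documented CRD carries only metadata and spec. In the same file, the connector_type description is still the scaffold placeholder ("INSERT ADDITIONAL SPEC FIELDS ..."), and the Username printer column reads .spec.email although the spec has a separate required username field; fix or explain both before the schema is rendered in the docs.
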