
UserConfig CRD: Groups and Labels Not Reflected in RoleBindings and Namespace Metadata #1

@RajivBB

Description:

We’ve observed that the UserConfig custom resource includes fields for groups and labels, but these do not seem to be reflected in the operator's actual Kubernetes resources.

Expected Behavior

  • Groups:
    When a groups field is defined in the UserConfig, we expect the operator to create a RoleBinding with subjects of kind: Group.

    Example:

    subjects:
    - kind: Group
      name: developers
      apiGroup: rbac.authorization.k8s.io

  • Labels:
    Labels specified under identity.labels should be propagated to relevant Kubernetes resources, such as:
    • Namespace
    • ResourceQuota
    • LimitRange
    • Role/RoleBinding

Current Behavior

  • The RoleBinding only includes:
    • kind: User
    • kind: ServiceAccount
  • The namespace does not include any of the identity-defined labels (e.g. dev-1, department-engineering).

Steps to Reproduce

  1. Create a UserConfig with groups and labels specified.
  2. Observe that:
    • RoleBinding does not include any group subjects.
    • Namespace metadata does not include custom labels.

Suggested Fix

  • Enhance the operator to:
    • Append groups from the UserConfig into the RoleBinding subjects.
    • Propagate labels under identity.labels to the Namespace and optionally other created resources.
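One way the suggested fix could look, as an added example that is not the operator's own code: it builds Group subjects next to the User and ServiceAccount ones and merges identity labels into a resource's labels. The type and function names are hypothetical, the sample values are constructed, and the sketch goes one step beyond the request by skipping `system:` groups and label keys under the reserved `kubernetes.io/` and `k8s.io/` prefixes, so a UserConfig cannot bind built-in groups or set Pod Security Admission labels on the namespace.

```go
package main

import (
	"fmt"
	"strings"
)

// Subject is a local stand-in for the rbac/v1 Subject type (hypothetical, not the operator's type).
type Subject struct{ Kind, Name, APIGroup, Namespace string }

const rbacGroup = "rbac.authorization.k8s.io"

// BuildSubjects adds Group subjects next to User and ServiceAccount; "system:" groups are skipped.
func BuildSubjects(ns string, users, serviceAccounts, groups []string) (subjects []Subject, skipped []string) {
	for _, u := range users {
		subjects = append(subjects, Subject{Kind: "User", Name: u, APIGroup: rbacGroup})
	}
	for _, sa := range serviceAccounts {
		subjects = append(subjects, Subject{Kind: "ServiceAccount", Name: sa, Namespace: ns})
	}
	for _, g := range groups {
		if strings.HasPrefix(g, "system:") {
			skipped = append(skipped, g)
			continue
		}
		subjects = append(subjects, Subject{Kind: "Group", Name: g, APIGroup: rbacGroup})
	}
	return subjects, skipped
}

// MergeLabels copies identity labels; existing keys win and reserved-prefix keys are dropped.
func MergeLabels(existing, identity map[string]string) map[string]string {
	out := map[string]string{}
	for k, v := range existing {
		out[k] = v
	}
	for k, v := range identity {
		prefix, _, hasPrefix := strings.Cut(k, "/")
		reserved := hasPrefix && (strings.HasSuffix(prefix, "kubernetes.io") || strings.HasSuffix(prefix, "k8s.io"))
		if _, exists := out[k]; !exists && !reserved {
			out[k] = v
		}
	}
	return out
}

func main() { // constructed sample input
	fmt.Println(BuildSubjects("team-a", []string{"alice"}, []string{"ci"}, []string{"developers", "system:masters"}))
	fmt.Println(MergeLabels(map[string]string{"name": "team-a"}, map[string]string{"department": "engineering", "pod-security.kubernetes.io/enforce": "privileged"}))
}
```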

Labels: bug, help wanted, stale
