
feat(plugins): add optional consumer name to show consumer permissions #1455

Merged: devdattakulkarni merged 5 commits into cloud-ark:master from anniegracehu:consumer-permissions-plugin-accept-name on Feb 17, 2026
Collaborator

@anniegracehu anniegracehu commented Feb 12, 2026

Summary

Updates kubectl show consumer permissions to require both Namespace and ConsumerName, and aligns the plugin with the new namespace/consumer semantics for issue #1439.

Changes

kubectl-show-consumer-permissions

  • Require both parameters: Usage is now kubectl show consumer permissions <Namespace> <ConsumerName> — both are required.
  • No default consumer: Removes the default kubeplus-saas-consumer; callers must specify the consumer SA.
  • Namespace semantics: Namespace is the namespace where the consumer ServiceAccount lives (not limited to the KubePlus namespace).
  • Help text updated to describe two consumer types:
    1. Instance-creation consumer — SA that can create application instances (e.g. kubeplus-saas-consumer in the KubePlus namespace).
    2. Instance-scoped consumer — SA with access restricted to a specific instance namespace for debugging.

kubectl-kubeplus-commands

  • Help updated to show the new required usage.

kubeconfigretriever.py

  • Minor whitespace cleanup (from rebase).

Usage

Instance-creation consumer (built-in, lives in KubePlus namespace)

kubectl show consumer permissions default kubeplus-saas-consumer

Instance-scoped consumer for debugging (lives in instance namespace)

kubectl show consumer permissions team1mysql team1-debug

echo "DESCRIPTION"
echo " kubectl show consumer permissions shows the permissions for kubeplus-saas-consumer service account in the namespace where kubeplus is installed."
echo " kubectl show consumer permissions shows the RBAC permissions for a consumer service account."
echo " Namespace is the namespace where KubePlus is installed (where the consumer service account lives)."
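Review bot: the new Namespace line gives two definitions at once, "the namespace where KubePlus is installed" and "where the consumer service account lives", and they only agree when the account sits in the KubePlus namespace. Suggest keeping only the second definition, and naming both positional arguments in the first DESCRIPTION line so the help text says which service account is being inspected.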
Contributor

@devdattakulkarni devdattakulkarni Feb 12, 2026


We should change how we use the Namespace parameter. Till now we have only supported creating consumer service accounts in the same namespace where KubePlus is installed. But going forward, we want to support use cases of the following nature. Suppose as a Platform team, I have enabled CustomMySQLService on my cluster. Suppose team1 deploys an instance of this service (call it team1mysql). KubePlus will generate a namespace by this name corresponding to this instance. Now, suppose the Platform team wants to provide team1 access to this namespace. In this case, we want the Platform team to be able to create a service account in the "team1mysql" namespace. We should view the Namespace parameter from this lens.

echo " kubectl show consumer permissions shows the permissions for kubeplus-saas-consumer service account in the namespace where kubeplus is installed."
echo " kubectl show consumer permissions shows the RBAC permissions for a consumer service account."
echo " Namespace is the namespace where KubePlus is installed (where the consumer service account lives)."
echo " ConsumerName is optional; if omitted, defaults to kubeplus-saas-consumer."
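Review bot: the ConsumerName line introduces a silent default (kubeplus-saas-consumer) that is applied whatever Namespace is passed, so the output can describe an account the caller did not name. Suggest either making the argument required or printing the resolved Namespace and ConsumerName before the permissions so the result is unambiguous.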
Contributor

Given the above comment regarding Namespace, it would mean that the consumer name cannot be optional. If we keep it optional, then it will not be clear which specific consumer service account will be used. So let's not make this parameter optional.

@devdattakulkarni
Contributor

It seems like we have two separate use-cases for consumer service accounts. 1) A consumer service account that has the permission to create an application instance. This account is not restricted to any namespace. 2) A consumer service account that has the permissions restricted to an application instance's namespace. This type of service account can be used for debugging purposes. We should accommodate for both these types of service accounts.
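The two-argument form discussed in this thread can be cross-checked directly against the API server with kubectl's impersonation flag. The following is an added example, not code from the KubePlus plugin: the function names are hypothetical, and it assumes the consumer name fits the DNS-label form (Kubernetes also permits dots in ServiceAccount names).

```shell
# Added example (not KubePlus code); all function names are hypothetical.

# RFC 1123 label: lowercase alphanumerics and '-', alphanumeric at both ends,
# 1..63 characters. Runs in a subshell so LC_ALL=C stays local to the check.
is_dns_label() (
  LC_ALL=C
  [ "${#1}" -ge 1 ] && [ "${#1}" -le 63 ] || return 1
  case $1 in
    *[!a-z0-9-]*) return 1 ;;   # character outside the allowed set
    -*|*-)        return 1 ;;   # leading or trailing hyphen
  esac
  return 0
)

# Build the username the API server assigns to a ServiceAccount.
# Both arguments are required, and empty or malformed values are rejected.
sa_subject() {
  if [ "$#" -ne 2 ]; then
    echo "usage: sa_subject <Namespace> <ConsumerName>" >&2
    return 2
  fi
  is_dns_label "$1" || { echo "invalid namespace: '$1'" >&2; return 2; }
  is_dns_label "$2" || { echo "invalid consumer name: '$2'" >&2; return 2; }
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# List what the consumer may do in a namespace. The caller needs permission
# to impersonate service accounts. The optional third argument checks a
# namespace other than the one the account lives in (assumption: useful for
# the instance-creation consumer, which is not tied to one namespace).
show_sa_permissions() {
  subject=$(sa_subject "$1" "$2") || return
  kubectl auth can-i --list --as="$subject" --namespace="${3:-$1}"
}
```

For the instance-scoped account from the PR description, `show_sa_permissions team1mysql team1-debug` lists its rules in team1mysql; adding a third argument such as `default` shows what it can do in that namespace instead.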

- Add optional ConsumerName parameter (defaults to kubeplus-saas-consumer)
- Supports custom consumers created via provider-kubeconfig.py -c (e.g. team1, team2)
- Update help text and kubectl-kubeplus-commands documentation
- Fixes cloud-ark#1091
@anniegracehu anniegracehu force-pushed the consumer-permissions-plugin-accept-name branch from 69cb169 to 269175d Compare February 12, 2026 18:48
}

if (( $# < 1 || $# >= 2)); then
if (( $# != 2)); then
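Review bot: `if (( $# != 2)); then` only counts arguments, so an empty string passed as Namespace or ConsumerName still gets through. Suggest also rejecting empty values here, for example with `[[ -z "$1" || -z "$2" ]]`, so that a blank name fails at the usage check instead of being handed on to the rest of the script.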
Contributor

+1

Contributor

@devdattakulkarni devdattakulkarni left a comment


Mostly looks good. I have only one more comment (see below). You can remove the draft status on the PR after you address the comment.

echo " kubectl upload chart"
echo " kubectl show provider permissions"
echo " kubectl show consumer permissions"
echo " kubectl show consumer permissions <Namespace> <ConsumerName>"
Contributor

No need to include parameters here. This file (and the "kubectl kubeplus commands" command) just shows all the available commands. The details about individual command's parameters are defined in each command's file.
Also, if you notice, none of the other commands include parameters in this file.

@anniegracehu anniegracehu marked this pull request as ready for review February 17, 2026 04:44
Contributor

@devdattakulkarni devdattakulkarni left a comment


Looks good.

@devdattakulkarni devdattakulkarni merged commit 7095d42 into cloud-ark:master Feb 17, 2026
1 check passed
@anniegracehu anniegracehu deleted the consumer-permissions-plugin-accept-name branch February 17, 2026 20:10