Option to customize NamespaceTransfomer role binding subject handling

2026-06-13 10:00:56 +00:00 · 2022-07-08 14:18:25 -04:00
parent ab09d27ec7
commit 0c37ee89af
5 changed files with 400 additions and 57 deletions
--- a/api/internal/builtins/NamespaceTransformer.go
+++ b/api/internal/builtins/NamespaceTransformer.go
@@ -9,21 +9,37 @@ import (
 	"sigs.k8s.io/kustomize/api/filters/namespace"
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/errors"
 	"sigs.k8s.io/yaml"
 )

 // Change or set the namespace of non-cluster level resources.
 type NamespaceTransformerPlugin struct {
-	types.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
-	FieldSpecs       []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
-	UnsetOnly        bool              `json:"unsetOnly" yaml:"unsetOnly"`
+	types.ObjectMeta       `json:"metadata,omitempty" yaml:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+	FieldSpecs             []types.FieldSpec                `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"`
+	UnsetOnly              bool                             `json:"unsetOnly" yaml:"unsetOnly"`
+	SetRoleBindingSubjects namespace.RoleBindingSubjectMode `json:"setRoleBindingSubjects" yaml:"setRoleBindingSubjects"`
 }

 func (p *NamespaceTransformerPlugin) Config(
 	_ *resmap.PluginHelpers, c []byte) (err error) {
 	p.Namespace = ""
 	p.FieldSpecs = nil
-	return yaml.Unmarshal(c, p)
+	if err := yaml.Unmarshal(c, p); err != nil {
+		return errors.WrapPrefixf(err, "unmarshalling NamespaceTransformer config")
+	}
+	switch p.SetRoleBindingSubjects {
+	case namespace.AllServiceAccountSubjects, namespace.DefaultSubjectsOnly, namespace.NoSubjects:
+		// valid
+	case namespace.SubjectModeUnspecified:
+		p.SetRoleBindingSubjects = namespace.DefaultSubjectsOnly
+	default:
+		return errors.Errorf("invalid value %q for setRoleBindingSubjects: "+
+			"must be one of %q, %q or %q", p.SetRoleBindingSubjects,
+			namespace.DefaultSubjectsOnly, namespace.NoSubjects, namespace.AllServiceAccountSubjects)
+	}
+
+	return nil
 }

 func (p *NamespaceTransformerPlugin) Transform(m resmap.ResMap) error {
@@ -37,9 +53,10 @@ func (p *NamespaceTransformerPlugin) Transform(m resmap.ResMap) error {
 		}
 		r.StorePreviousId()
 		if err := r.ApplyFilter(namespace.Filter{
-			Namespace: p.Namespace,
-			FsSlice:   p.FieldSpecs,
-			UnsetOnly: p.UnsetOnly,
+			Namespace:              p.Namespace,
+			FsSlice:                p.FieldSpecs,
+			SetRoleBindingSubjects: p.SetRoleBindingSubjects,
+			UnsetOnly:              p.UnsetOnly,
 		}); err != nil {
 			return err
 		}