aws-controllers-k8s / community

AWS Controllers for Kubernetes (ACK) is a project enabling you to manage AWS services from Kubernetes
https://aws-controllers-k8s.github.io/community/
Apache License 2.0

IAM controller - rename role #1858

Open gecube opened 1 year ago

gecube commented 1 year ago

The IAM controller implements the Role kind in the iam.services.k8s.aws API group. The issue is that the short name for the object is 'role' and it is overridden by Role from rbac.authorization.k8s.io from the standard Kubernetes API. It effectively means that I can't get the Roles from the iam.services.k8s.aws API group, as when I request kubectl get roles -A I get only classic k8s roles, not the ACK IAM ones.

What I would like to ask: rename the Role served by the IAM controller to something different, like IAMRole, to make them available via a kubectl get request.

Probably the same could apply to different Kinds served by other ACK controllers, but it was the most obvious example.

acornett21 commented 1 year ago

Hi @gecube, thanks for the issue! The ACK controllers keep a one-to-one mapping for the API Group name to the CustomResourceDefinition (CRD) name. The issue you describe isn't unique to ACK or CRDs, since the KIND of GROUP.VERSION.KIND of CRDs can overlap. If you do kubectl get crd you should see existing overlap of some resources.

If you want to search for ACK resources, you should query with the group and kind for example: kubectl get roles.iam.services.k8s.aws -A

Hope all this helps.

gecube commented 1 year ago

@acornett21 Hi! Thanks for shedding the light on it. What is misleading is that I see the same "roles" kind in the output:

kubectl api-resources | grep roles
roles                                                                iam.services.k8s.aws/v1alpha1            true         Role
clusterroles                                                         rbac.authorization.k8s.io/v1             false        ClusterRole
roles                                                                rbac.authorization.k8s.io/v1             true         Role
teleportroles                                                        resources.teleport.dev/v6                true         TeleportRole

I understand that there is no uniqueness requirement between different API groups. The very same is happening with "clusters":

kubectl api-resources | grep clusters
clusters                                                             eks.services.k8s.aws/v1alpha1            true         Cluster
clusters                                                             kafka.services.k8s.aws/v1alpha1          true         Cluster
clusters                                                             memorydb.services.k8s.aws/v1alpha1       true         Cluster
dbclusters                                                           rds.services.k8s.aws/v1alpha1            true         DBCluster
globalclusters                                                       rds.services.k8s.aws/v1alpha1            true         GlobalCluster

I will be really very happy if I could get all ack-related resources by short name and not by specifying the whole name <kind>.<group>
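The collision shown in the output above matters for access reviews and inventories: a script that runs `kubectl get roles -A` will not list the ACK IAM roles. The following is an added example, not part of the original thread or the ACK project's code. It parses `kubectl api-resources` output and prints the fully qualified `<plural>.<group>` form for every plural name served by more than one API group. The function names and the embedded sample (rows copied from the output quoted in this thread) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample: rows taken from the `kubectl api-resources` output in this thread.
sample_api_resources() {
cat <<'EOF'
NAME             SHORTNAMES   APIVERSION                           NAMESPACED   KIND
roles                         iam.services.k8s.aws/v1alpha1        true         Role
clusterroles                  rbac.authorization.k8s.io/v1         false        ClusterRole
roles                         rbac.authorization.k8s.io/v1         true         Role
teleportroles                 resources.teleport.dev/v6            true         TeleportRole
clusters                      eks.services.k8s.aws/v1alpha1        true         Cluster
clusters                      kafka.services.k8s.aws/v1alpha1      true         Cluster
clusters                      memorydb.services.k8s.aws/v1alpha1   true         Cluster
dbclusters                    rds.services.k8s.aws/v1alpha1        true         DBCluster
globalclusters                rds.services.k8s.aws/v1alpha1        true         GlobalCluster
EOF
}

# Reads `kubectl api-resources` output on stdin (with or without the header row)
# and prints one line per ambiguous plural name:
#   <plural>: <plural>.<group> <plural>.<group> ...
ambiguous_resources() {
  awk '
    NR == 1 && $1 == "NAME" { next }          # skip the header row if present
    NF >= 4 {
      # SHORTNAMES may be empty, so count columns from the right:
      # KIND is $NF, NAMESPACED is $(NF-1), APIVERSION is $(NF-2).
      name = $1
      n = split($(NF-2), parts, "/")
      group = (n == 2) ? parts[1] : ""        # core group ("v1") has no prefix
      fq = (group == "") ? name : name "." group
      count[name]++
      list[name] = list[name] (list[name] ? " " : "") fq
    }
    END {
      for (name in count)
        if (count[name] > 1) print name ": " list[name]
    }' | sort
}

# Against a live cluster: kubectl api-resources --no-headers | ambiguous_resources
sample_api_resources | ambiguous_resources
```

Each name it prints can be passed to `kubectl get` as-is, for example `kubectl get roles.iam.services.k8s.aws -A`.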

acornett21 commented 1 year ago

> I could get all ack-related resources by short name and not by specifying the whole name

I don't think this will be possible, for two reasons:

I'll let others chime in on their thoughts. @a-hilaly @RedbackThomson Any thoughts from you all?

a-hilaly commented 1 year ago

The code-generator supports injecting shortnames for specific CRDs like https://github.com/aws-controllers-k8s/prometheusservice-controller/blob/2e3371210de55ac0e1bc011665579df77c0fcfff/generator.yaml#L27-L28. (which still keeps the original name but adds more aliases)

But I agree that it is not really possible to do anything with duplicated CRD names/kinds. @gecube what do you suggest as shortnames for the roles/cluster names, for example?

gecube commented 1 year ago

@a-hilaly Hi! Thanks for reaching me. I think that all shortnames must be as unique as possible and as self-descriptive as possible.

For example:

eks.services.k8s.aws/v1alpha1 clusters -> EKSCluster, short name eksclusters
iam.services.k8s.aws/v1alpha1 roles -> IAMRole, short name iamroles
memorydb.services.k8s.aws/v1alpha1 clusters -> MemoryDBCluster, short name memorydbclusters

At least, I think it is not too late to do it, because otherwise we will stick to the original ones...

ack-bot commented 7 months ago

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale