karlkfi
commented
1 month ago You can use the depends-on annotation for this today (https://kpt.dev/reference/annotations/depends-on/). Add the annotation to the binding to depend on the role.
But, yes, it would be nice if it detected this ordering automatically.
Kubernetes imposes a constraint that a role must exist before the binding uses it, when the applier is not a cluster admin. See https://github.com/kubernetes/kubernetes/issues/110989#issuecomment-1281076750. The
graphpackage should create an edge between the role and the binding to facilitate this.