diff --git a/config/optional-policies/organization-creator-policy/organization-creator-role.yaml b/config/optional-policies/organization-creator-policy/organization-creator-role.yaml
index 1053b4d8..5907441e 100644
--- a/config/optional-policies/organization-creator-policy/organization-creator-role.yaml
+++ b/config/optional-policies/organization-creator-policy/organization-creator-role.yaml
@@ -2,10 +2,14 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: organization-creator
+ labels:
+ taxonomy.miloapis.com/role-category: service
 namespace: milo-system
 annotations:
 kubernetes.io/display-name: Organization Creator
 kubernetes.io/description: Allows creating new organizations
+ taxonomy.miloapis.com/product: Organization & Projects
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/apiextensions-reader.yaml b/config/roles/apiextensions-reader.yaml
index 569f89ee..6176292b 100644
--- a/config/roles/apiextensions-reader.yaml
+++ b/config/roles/apiextensions-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: apiextensions-reader
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: API Extensions Viewer
 kubernetes.io/description: View access to custom resource definitions
+ taxonomy.miloapis.com/product: "Platform Core"
+ taxonomy.miloapis.com/sort-order: "40"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/core-admin.yaml b/config/roles/core-admin.yaml
index f861e2f9..8ee44cb3 100644
--- a/config/roles/core-admin.yaml
+++ b/config/roles/core-admin.yaml
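Review bot: The new `taxonomy.miloapis.com/product` annotation is written as a plain scalar here (`Organization & Projects`) but as a quoted string in the apiextensions-reader hunk on this same line (`"Platform Core"`) and in the core-*, iam-admin, iam-editor, iam-organization-*, iam-viewer, identity-user-session-viewer and notes-* hunks, while the platform-access-*, invitations-*, role-*, user-* and notification-* hunks use plain scalars again. Both forms yield the same string, so this is style only, but a single convention makes the files greppable and keeps future copy-paste consistent. The placement also differs: here the two taxonomy keys follow `kubernetes.io/description`, whereas the iam-organization-* and notes-creator*/notes-editor/notes-viewer hunks insert them between `kubernetes.io/display-name` and `kubernetes.io/description`. I would settle on one order, e.g. `kubernetes.io/*` keys first, then `taxonomy.miloapis.com/product: Organization & Projects` and `taxonomy.miloapis.com/sort-order: "10"` unquoted except for the numeric sort-order, and apply it across all hunks of this commit.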
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: core-admin
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Core Admin
 kubernetes.io/description: Full access to core platform resources including secrets, configmaps, and namespaces
+ taxonomy.miloapis.com/product: "Platform Core"
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/core-editor.yaml b/config/roles/core-editor.yaml
index cb7300ce..b47a0238 100644
--- a/config/roles/core-editor.yaml
+++ b/config/roles/core-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: core-editor
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Core Editor
 kubernetes.io/description: Edit access to core platform resources including secrets, configmaps, and namespaces
+ taxonomy.miloapis.com/product: "Platform Core"
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/core-reader.yaml b/config/roles/core-reader.yaml
index 5d6cbe6d..2d22e137 100644
--- a/config/roles/core-reader.yaml
+++ b/config/roles/core-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: core-reader
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Core Reader
 kubernetes.io/description: View access to core platform resources including secrets, configmaps, and namespaces
+ taxonomy.miloapis.com/product: "Platform Core"
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-admin.yaml b/config/roles/iam-admin.yaml
index fa1ddf2a..f40869fb 100644
--- a/config/roles/iam-admin.yaml
+++ b/config/roles/iam-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-admin
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: IAM Admin
 kubernetes.io/description: "Full access to all IAM resources"
+ taxonomy.miloapis.com/product: "Identity & Access Management"
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-editor.yaml b/config/roles/iam-editor.yaml
index f1c084cf..d269b253 100644
--- a/config/roles/iam-editor.yaml
+++ b/config/roles/iam-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-editor
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: IAM Editor
 kubernetes.io/description: "Edit IAM resources"
+ taxonomy.miloapis.com/product: "Identity & Access Management"
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-organization-admin.yaml b/config/roles/iam-organization-admin.yaml
index 06eea7dc..58b8a4bd 100644
--- a/config/roles/iam-organization-admin.yaml
+++ b/config/roles/iam-organization-admin.yaml
@@ -2,8 +2,12 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-organization-admin
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: IAM Organization Admin
+ taxonomy.miloapis.com/product: "Identity & Access Management"
+ taxonomy.miloapis.com/sort-order: "10"
 kubernetes.io/description: "Full access to organization-scoped IAM resources"
 spec:
 launchStage: Beta
diff --git a/config/roles/iam-organization-editor.yaml b/config/roles/iam-organization-editor.yaml
index cc0fc838..cf9fb14b 100644
--- a/config/roles/iam-organization-editor.yaml
+++ b/config/roles/iam-organization-editor.yaml
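Review bot: Within the "Identity & Access Management" product, `iam-admin` and `iam-organization-admin` on this line both get `taxonomy.miloapis.com/sort-order: "10"`, and the same value is reused by iam-platform-access-approvals-admin, iam-platform-access-rejections-admin, iam-platform-invitations-admin, role-admin, iam-user-deactivations-admin and iam-user-invitations-admin in later hunks, with "20", "30" and "40" tied the same way. The pattern reads as a tier (admin/editor/viewer/self-service) rather than a position, but nothing in the diff says so, and a consumer that sorts on this key alone would order the ties arbitrarily. If the tie is intended, I would state the tiebreaker where the annotation is consumed or documented, e.g. `# sort-order is a tier, not a position; roles with equal values sort by metadata.name`; if a total order per product is intended, the admin roles need distinct values. The annotation is presentational only, so no permission change is implied either way.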
@@ -2,8 +2,12 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-organization-editor
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: IAM Organization Editor
+ taxonomy.miloapis.com/product: "Identity & Access Management"
+ taxonomy.miloapis.com/sort-order: "20"
 kubernetes.io/description: "Edit organization-scoped IAM resources"
 spec:
 launchStage: Beta
diff --git a/config/roles/iam-organization-viewer.yaml b/config/roles/iam-organization-viewer.yaml
index a2aed4e8..ae118589 100644
--- a/config/roles/iam-organization-viewer.yaml
+++ b/config/roles/iam-organization-viewer.yaml
@@ -2,8 +2,12 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-organization-viewer
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: IAM Organization Viewer
+ taxonomy.miloapis.com/product: "Identity & Access Management"
+ taxonomy.miloapis.com/sort-order: "30"
 kubernetes.io/description: "View organization-scoped IAM resources"
 spec:
 launchStage: Beta
diff --git a/config/roles/iam-platform-access-approvals-admin.yaml b/config/roles/iam-platform-access-approvals-admin.yaml
index 9380e4e6..25b87090 100644
--- a/config/roles/iam-platform-access-approvals-admin.yaml
+++ b/config/roles/iam-platform-access-approvals-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-access-approvals-admin
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Platform Access Approval Admin
 kubernetes.io/description: Full access to platform access approvals
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-platform-access-approvals-editor.yaml b/config/roles/iam-platform-access-approvals-editor.yaml
index b0cb27a4..2bcd1797 100644
--- a/config/roles/iam-platform-access-approvals-editor.yaml
+++ b/config/roles/iam-platform-access-approvals-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-access-approvals-editor
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Platform Access Approval Editor
 kubernetes.io/description: Create, update, and delete platform access approvals
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-platform-access-approvals-reader.yaml b/config/roles/iam-platform-access-approvals-reader.yaml
index 91f661be..a6622b91 100644
--- a/config/roles/iam-platform-access-approvals-reader.yaml
+++ b/config/roles/iam-platform-access-approvals-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-access-approvals-reader
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Platform Access Approval Viewer
 kubernetes.io/description: View platform access approvals
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-platform-access-rejections-admin.yaml b/config/roles/iam-platform-access-rejections-admin.yaml
index 662d5c6b..2d22d73c 100644
--- a/config/roles/iam-platform-access-rejections-admin.yaml
+++ b/config/roles/iam-platform-access-rejections-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-access-rejections-admin
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Platform Access Rejection Admin
 kubernetes.io/description: Full access to platform access rejections
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-platform-access-rejections-editor.yaml b/config/roles/iam-platform-access-rejections-editor.yaml
index 1516a865..b96ac3aa 100644
--- a/config/roles/iam-platform-access-rejections-editor.yaml
+++ b/config/roles/iam-platform-access-rejections-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-access-rejections-editor
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Platform Access Rejection Editor
 kubernetes.io/description: Create, update, and delete platform access rejections
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-platform-access-rejections-reader.yaml b/config/roles/iam-platform-access-rejections-reader.yaml
index 3369d7fc..849447ec 100644
--- a/config/roles/iam-platform-access-rejections-reader.yaml
+++ b/config/roles/iam-platform-access-rejections-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-access-rejections-reader
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Platform Access Rejection Viewer
 kubernetes.io/description: View platform access rejections
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-platform-invitations-admin.yaml b/config/roles/iam-platform-invitations-admin.yaml
index 56d932c1..2593cc4b 100644
--- a/config/roles/iam-platform-invitations-admin.yaml
+++ b/config/roles/iam-platform-invitations-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-invitations-admin
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Platform Invitation Admin
 kubernetes.io/description: Full access to platform invitations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-platform-invitations-editor.yaml b/config/roles/iam-platform-invitations-editor.yaml
index a27d4220..3a6fc5f4 100644
--- a/config/roles/iam-platform-invitations-editor.yaml
+++ b/config/roles/iam-platform-invitations-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-invitations-editor
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Platform Invitation Editor
 kubernetes.io/description: Create, update, and delete platform invitations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-platform-invitations-reader.yaml b/config/roles/iam-platform-invitations-reader.yaml
index 53ba19c6..b273daac 100644
--- a/config/roles/iam-platform-invitations-reader.yaml
+++ b/config/roles/iam-platform-invitations-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-invitations-reader
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Platform Invitation Viewer
 kubernetes.io/description: View platform invitations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-role-admin.yaml b/config/roles/iam-role-admin.yaml
index e5e53e7b..2f35c517 100644
--- a/config/roles/iam-role-admin.yaml
+++ b/config/roles/iam-role-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: role-admin
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Role Admin
 kubernetes.io/description: Full access to IAM roles
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-role-editor.yaml b/config/roles/iam-role-editor.yaml
index a1f8043c..523e2110 100644
--- a/config/roles/iam-role-editor.yaml
+++ b/config/roles/iam-role-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: role-editor
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Role Editor
 kubernetes.io/description: Create, update, and delete IAM roles
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-role-reader.yaml b/config/roles/iam-role-reader.yaml
index 64b3b8e8..2937e44f 100644
--- a/config/roles/iam-role-reader.yaml
+++ b/config/roles/iam-role-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: role-reader
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Role Viewer
 kubernetes.io/description: View IAM roles
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-user-deactivations-admin.yaml b/config/roles/iam-user-deactivations-admin.yaml
index eef509fd..3d4ed664 100644
--- a/config/roles/iam-user-deactivations-admin.yaml
+++ b/config/roles/iam-user-deactivations-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-user-deactivations-admin
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: User Deactivation Admin
 kubernetes.io/description: Full access to user deactivations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-user-deactivations-editor.yaml b/config/roles/iam-user-deactivations-editor.yaml
index c4ffed8a..261d77d0 100644
--- a/config/roles/iam-user-deactivations-editor.yaml
+++ b/config/roles/iam-user-deactivations-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-user-deactivations-editor
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: User Deactivation Editor
 kubernetes.io/description: Create, update, and delete user deactivations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-user-deactivations-reader.yaml b/config/roles/iam-user-deactivations-reader.yaml
index ce87b3d7..e4f67db5 100644
--- a/config/roles/iam-user-deactivations-reader.yaml
+++ b/config/roles/iam-user-deactivations-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-user-deactivations-reader
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: User Deactivation Viewer
 kubernetes.io/description: View user deactivations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-user-invitations-admin.yaml b/config/roles/iam-user-invitations-admin.yaml
index ee98c14d..3d59406f 100644
--- a/config/roles/iam-user-invitations-admin.yaml
+++ b/config/roles/iam-user-invitations-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-user-invitations-admin
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: User Invitation Admin
 kubernetes.io/description: Full access to user invitations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-user-invitations-editor.yaml b/config/roles/iam-user-invitations-editor.yaml
index f3f5c6dc..6840cfe2 100644
--- a/config/roles/iam-user-invitations-editor.yaml
+++ b/config/roles/iam-user-invitations-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-user-invitations-editor
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: User Invitation Editor
 kubernetes.io/description: Create, update, and delete user invitations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-user-invitations-reader.yaml b/config/roles/iam-user-invitations-reader.yaml
index 1231fa1f..a7c5b447 100644
--- a/config/roles/iam-user-invitations-reader.yaml
+++ b/config/roles/iam-user-invitations-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-user-invitations-reader
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: User Invitation Viewer
 kubernetes.io/description: View user invitations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-user-preferences-manager.yaml b/config/roles/iam-user-preferences-manager.yaml
index ab507776..dac9dce7 100644
--- a/config/roles/iam-user-preferences-manager.yaml
+++ b/config/roles/iam-user-preferences-manager.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-user-preferences-manager
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: User Preferences Manager
 kubernetes.io/description: "Allows users to manage their own user preferences only."
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "40"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-user-self-manage.yaml b/config/roles/iam-user-self-manage.yaml
index 685a0c3d..836a6ebe 100644
--- a/config/roles/iam-user-self-manage.yaml
+++ b/config/roles/iam-user-self-manage.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-user-self-manage
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: User Self Manage
 kubernetes.io/description: "Allows users to manage their own user account."
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "40"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-viewer.yaml b/config/roles/iam-viewer.yaml
index 99279153..333ab5bd 100644
--- a/config/roles/iam-viewer.yaml
+++ b/config/roles/iam-viewer.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-viewer
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: IAM Viewer
 kubernetes.io/description: "View IAM resources"
+ taxonomy.miloapis.com/product: "Identity & Access Management"
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam.miloapis.com-acceptinvitation.yaml b/config/roles/iam.miloapis.com-acceptinvitation.yaml
index 744dc107..26328a4c 100644
--- a/config/roles/iam.miloapis.com-acceptinvitation.yaml
+++ b/config/roles/iam.miloapis.com-acceptinvitation.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam.miloapis.com-acceptinvitation
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Accept Invitation
 kubernetes.io/description: Accept user invitations to join organizations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "40"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam.miloapis.com-getinvitation.yaml b/config/roles/iam.miloapis.com-getinvitation.yaml
index e219ea5c..d9242feb 100644
--- a/config/roles/iam.miloapis.com-getinvitation.yaml
+++ b/config/roles/iam.miloapis.com-getinvitation.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam.miloapis.com-getinvitation
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Get Invitation
 kubernetes.io/description: View user invitations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "40"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/identity-user-session-viewer.yaml b/config/roles/identity-user-session-viewer.yaml
index 9d71299e..223e96df 100644
--- a/config/roles/identity-user-session-viewer.yaml
+++ b/config/roles/identity-user-session-viewer.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: identity-user-session-viewer
+ labels:
+ taxonomy.miloapis.com/role-category: service
 annotations:
 kubernetes.io/display-name: Identity User-Session Viewer
 kubernetes.io/description: "Allows viewing user sessions and user identities."
+ taxonomy.miloapis.com/product: "Identity & Access Management"
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/notes-admin.yaml b/config/roles/notes-admin.yaml
index 11ffc36b..630e3a30 100644
--- a/config/roles/notes-admin.yaml
+++ b/config/roles/notes-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notes-admin
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
 kubernetes.io/display-name: Notes Admin
 kubernetes.io/description: "Full administrative access to notes and cluster notes."
+ taxonomy.miloapis.com/product: "Notes"
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notes-creator-editor.yaml b/config/roles/notes-creator-editor.yaml
index 9d2fd3c9..84579b16 100644
--- a/config/roles/notes-creator-editor.yaml
+++ b/config/roles/notes-creator-editor.yaml
@@ -2,7 +2,11 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notes-creator-editor
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
+ taxonomy.miloapis.com/product: "Notes"
+ taxonomy.miloapis.com/sort-order: "20"
 kubernetes.io/display-name: Notes Creator Editor
 kubernetes.io/description: "Allows the creator of a note to edit and delete their own note."
 spec:
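Review bot: The notes-admin hunk on this line is the first place `taxonomy.miloapis.com/role-category` takes the value `feature` instead of `service`, and nothing in the diff defines what distinguishes the two, so the next person adding a role has to guess. Because this is a label rather than an annotation, it is selectable (`-l taxonomy.miloapis.com/role-category=service`), and anything that filters on it would silently drop a mis-categorised role from its view, which makes a one-line definition worth having. I would add it wherever the taxonomy keys are documented, or as a YAML comment above the first `labels:` block in one canonical role file, e.g. `# role-category: "service" = platform/IAM roles, "feature" = product-feature roles (see taxonomy docs)` — the exact wording should come from whoever owns the taxonomy. Keeping `product` in annotations is right, since values with spaces and `&` are not valid label values.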
diff --git a/config/roles/notes-creator.yaml b/config/roles/notes-creator.yaml
index 30a51b48..fac14842 100644
--- a/config/roles/notes-creator.yaml
+++ b/config/roles/notes-creator.yaml
@@ -2,7 +2,11 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notes-creator
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
+ taxonomy.miloapis.com/product: "Notes"
+ taxonomy.miloapis.com/sort-order: "20"
 kubernetes.io/display-name: Notes Creator
 kubernetes.io/description: "Allows creating notes and cluster notes."
 spec:
diff --git a/config/roles/notes-editor.yaml b/config/roles/notes-editor.yaml
index b51eb86c..6b0d6dc5 100644
--- a/config/roles/notes-editor.yaml
+++ b/config/roles/notes-editor.yaml
@@ -2,7 +2,11 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notes-editor
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
+ taxonomy.miloapis.com/product: "Notes"
+ taxonomy.miloapis.com/sort-order: "20"
 kubernetes.io/display-name: Notes Editor
 kubernetes.io/description: "Allows creating, editing, and deleting notes and cluster notes."
 spec:
diff --git a/config/roles/notes-viewer.yaml b/config/roles/notes-viewer.yaml
index 843d07f9..162dfeeb 100644
--- a/config/roles/notes-viewer.yaml
+++ b/config/roles/notes-viewer.yaml
@@ -2,7 +2,11 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notes-viewer
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
+ taxonomy.miloapis.com/product: "Notes"
+ taxonomy.miloapis.com/sort-order: "30"
 kubernetes.io/display-name: Notes Viewer
 kubernetes.io/description: "Allows viewing notes and cluster notes."
 spec:
diff --git a/config/roles/notification-contact-admin.yaml b/config/roles/notification-contact-admin.yaml
index 1d025e05..d244d633 100644
--- a/config/roles/notification-contact-admin.yaml
+++ b/config/roles/notification-contact-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notification-contact-admin
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
 kubernetes.io/display-name: Notification Contact Admin
 kubernetes.io/description: Full access to notification contacts
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-contact-editor.yaml b/config/roles/notification-contact-editor.yaml
index 92f10785..a2bae190 100644
--- a/config/roles/notification-contact-editor.yaml
+++ b/config/roles/notification-contact-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notification-contact-editor
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
 kubernetes.io/display-name: Notification Contact Editor
 kubernetes.io/description: Create, update, and delete notification contacts
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-contact-group-admin.yaml b/config/roles/notification-contact-group-admin.yaml
index c40c9f6c..066d4f7f 100644
--- a/config/roles/notification-contact-group-admin.yaml
+++ b/config/roles/notification-contact-group-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notification-contact-group-admin
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
 kubernetes.io/display-name: Notification Contact Group Admin
 kubernetes.io/description: Full access to notification contact groups
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-contact-group-editor.yaml b/config/roles/notification-contact-group-editor.yaml
index fa1df54a..b7849fbf 100644
--- a/config/roles/notification-contact-group-editor.yaml
+++ b/config/roles/notification-contact-group-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notification-contact-group-editor
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
 kubernetes.io/display-name: Notification Contact Group Editor
 kubernetes.io/description: Create, update, and delete notification contact groups
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-contact-group-membership-admin.yaml b/config/roles/notification-contact-group-membership-admin.yaml
index c44ed11d..f3acf94a 100644
--- a/config/roles/notification-contact-group-membership-admin.yaml
+++ b/config/roles/notification-contact-group-membership-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notification-contact-group-membership-admin
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
 kubernetes.io/display-name: Contact Group Membership Admin
 kubernetes.io/description: Full access to notification contact group memberships
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-contact-group-membership-editor.yaml b/config/roles/notification-contact-group-membership-editor.yaml
index 3d157b51..23d085f6 100644
--- a/config/roles/notification-contact-group-membership-editor.yaml
+++ b/config/roles/notification-contact-group-membership-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notification-contact-group-membership-editor
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
 kubernetes.io/display-name: Contact Group Membership Editor
 kubernetes.io/description: Create, update, and delete notification contact group memberships
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-contact-group-membership-reader.yaml b/config/roles/notification-contact-group-membership-reader.yaml
index 9bbe461f..62a9ed89 100644
--- a/config/roles/notification-contact-group-membership-reader.yaml
+++ b/config/roles/notification-contact-group-membership-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notification-contact-group-membership-reader
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
 kubernetes.io/display-name: Contact Group Membership Viewer
 kubernetes.io/description: View notification contact group memberships
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/notification-contact-group-membership-removal-admin.yaml b/config/roles/notification-contact-group-membership-removal-admin.yaml
index 6675478f..2094d2a4 100644
--- a/config/roles/notification-contact-group-membership-removal-admin.yaml
+++ b/config/roles/notification-contact-group-membership-removal-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notification-contact-group-membership-removal-admin
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
 kubernetes.io/display-name: Contact Group Membership Removal Admin
 kubernetes.io/description: Full access to notification contact group membership removals
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-contact-group-membership-removal-editor.yaml b/config/roles/notification-contact-group-membership-removal-editor.yaml
index 456a51b7..9d9b706f 100644
--- a/config/roles/notification-contact-group-membership-removal-editor.yaml
+++ b/config/roles/notification-contact-group-membership-removal-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notification-contact-group-membership-removal-editor
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
 kubernetes.io/display-name: Contact Group Membership Removal Editor
 kubernetes.io/description: Create, update, and delete notification contact group membership removals
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-contact-group-membership-removal-reader.yaml b/config/roles/notification-contact-group-membership-removal-reader.yaml
index 6b5202d7..a6c88186 100644
--- a/config/roles/notification-contact-group-membership-removal-reader.yaml
+++ b/config/roles/notification-contact-group-membership-removal-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-contact-group-membership-removal-reader + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Contact Group Membership Removal Viewer kubernetes.io/description: View notification contact group membership removals + taxonomy.miloapis.com/product: Notifications + taxonomy.miloapis.com/sort-order: "30" spec: launchStage: Beta includedPermissions: diff --git a/config/roles/notification-contact-group-reader.yaml b/config/roles/notification-contact-group-reader.yaml index 9a98cdd3..6862a05f 100644 --- a/config/roles/notification-contact-group-reader.yaml +++ b/config/roles/notification-contact-group-reader.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-contact-group-reader + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Notification Contact Group Viewer kubernetes.io/description: View notification contact groups + taxonomy.miloapis.com/product: Notifications + taxonomy.miloapis.com/sort-order: "30" spec: launchStage: Beta includedPermissions: diff --git a/config/roles/notification-contact-reader.yaml b/config/roles/notification-contact-reader.yaml index fab18525..22d53669 100644 --- a/config/roles/notification-contact-reader.yaml +++ b/config/roles/notification-contact-reader.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-contact-reader + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Notification Contact Viewer kubernetes.io/description: View notification contacts + taxonomy.miloapis.com/product: Notifications + taxonomy.miloapis.com/sort-order: "30" spec: launchStage: Beta includedPermissions: diff --git a/config/roles/notification-email-admin.yaml b/config/roles/notification-email-admin.yaml index c88a0875..28817ca1 100644 
--- a/config/roles/notification-email-admin.yaml +++ b/config/roles/notification-email-admin.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-email-admin + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Notification Email Admin kubernetes.io/description: Full access to notification emails + taxonomy.miloapis.com/product: Notifications + taxonomy.miloapis.com/sort-order: "10" spec: launchStage: Beta inheritedRoles: diff --git a/config/roles/notification-email-broadcast-admin.yaml b/config/roles/notification-email-broadcast-admin.yaml index 6b45b539..30251012 100644 --- a/config/roles/notification-email-broadcast-admin.yaml +++ b/config/roles/notification-email-broadcast-admin.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-email-broadcast-admin + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Email Broadcast Admin kubernetes.io/description: Full access to email broadcasts + taxonomy.miloapis.com/product: Notifications + taxonomy.miloapis.com/sort-order: "10" spec: launchStage: Beta inheritedRoles: diff --git a/config/roles/notification-email-broadcast-creator.yaml b/config/roles/notification-email-broadcast-creator.yaml index a0e1f25d..e29fc502 100644 --- a/config/roles/notification-email-broadcast-creator.yaml +++ b/config/roles/notification-email-broadcast-creator.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-email-broadcast-creator + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Email Broadcast Creator kubernetes.io/description: Create and delete email broadcasts + taxonomy.miloapis.com/product: Notifications + taxonomy.miloapis.com/sort-order: "20" spec: launchStage: Beta inheritedRoles: 
diff --git a/config/roles/notification-email-broadcast-reader.yaml b/config/roles/notification-email-broadcast-reader.yaml index 3e744402..f4970086 100644 --- a/config/roles/notification-email-broadcast-reader.yaml +++ b/config/roles/notification-email-broadcast-reader.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-email-broadcast-reader + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Email Broadcast Viewer kubernetes.io/description: View email broadcasts + taxonomy.miloapis.com/product: Notifications + taxonomy.miloapis.com/sort-order: "30" spec: launchStage: Beta includedPermissions: diff --git a/config/roles/notification-email-creator.yaml b/config/roles/notification-email-creator.yaml index cf25bf57..ccc39cbf 100644 --- a/config/roles/notification-email-creator.yaml +++ b/config/roles/notification-email-creator.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-email-creator + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Notification Email Creator kubernetes.io/description: Create notification emails + taxonomy.miloapis.com/product: Notifications + taxonomy.miloapis.com/sort-order: "20" spec: launchStage: Beta inheritedRoles: diff --git a/config/roles/notification-email-reader.yaml b/config/roles/notification-email-reader.yaml index f9ecd4ed..44f750e1 100644 --- a/config/roles/notification-email-reader.yaml +++ b/config/roles/notification-email-reader.yaml 
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-email-reader + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Notification Email Viewer kubernetes.io/description: View notification emails + taxonomy.miloapis.com/product: Notifications + taxonomy.miloapis.com/sort-order: "30" spec: launchStage: Beta includedPermissions: diff --git a/config/roles/organization-admin.yaml b/config/roles/organization-admin.yaml index e9bf5877..f2695ddb 100644 --- a/config/roles/organization-admin.yaml +++ b/config/roles/organization-admin.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: resourcemanager.miloapis.com-organization-admin + labels: + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Organization Admin kubernetes.io/description: "Full access to all organization and organization membership resources" + taxonomy.miloapis.com/product: "Organization & Projects" + taxonomy.miloapis.com/sort-order: "10" spec: launchStage: Beta inheritedRoles: diff --git a/config/roles/organization-viewer.yaml b/config/roles/organization-viewer.yaml index 3200431f..98fffa8a 100644 --- a/config/roles/organization-viewer.yaml +++ b/config/roles/organization-viewer.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: resourcemanager.miloapis.com-organization-viewer + labels: + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Organization Viewer kubernetes.io/description: "View access to all organization and organization membership resources" + taxonomy.miloapis.com/product: "Organization & Projects" + taxonomy.miloapis.com/sort-order: "30" spec: launchStage: Beta inheritedRoles: diff --git a/config/roles/organizationmembership-admin.yaml b/config/roles/organizationmembership-admin.yaml index 4342413d..499afc66 100644 
--- a/config/roles/organizationmembership-admin.yaml +++ b/config/roles/organizationmembership-admin.yaml @@ -2,10 +2,14 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: organizationmembership-admin + labels: + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Organization Membership Admin kubernetes.io/description: "Full access to all organization membership resources" + taxonomy.miloapis.com/product: "Organization & Projects" + taxonomy.miloapis.com/sort-order: "10" spec: launchStage: Beta inheritedRoles: - - name: organizationmembership-editor \ No newline at end of file + - name: organizationmembership-editor diff --git a/config/roles/organizationmembership-editor.yaml b/config/roles/organizationmembership-editor.yaml index ab114449..c39588cd 100644 --- a/config/roles/organizationmembership-editor.yaml +++ b/config/roles/organizationmembership-editor.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: organizationmembership-editor + labels: + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Organization Membership Editor kubernetes.io/description: "Edit organization membership resources" + taxonomy.miloapis.com/product: "Organization & Projects" + taxonomy.miloapis.com/sort-order: "20" spec: launchStage: Beta inheritedRoles: @@ -13,4 +17,4 @@ spec: - resourcemanager.miloapis.com/organizationmemberships.create - resourcemanager.miloapis.com/organizationmemberships.update - resourcemanager.miloapis.com/organizationmemberships.patch - - resourcemanager.miloapis.com/organizationmemberships.delete \ No newline at end of file + - resourcemanager.miloapis.com/organizationmemberships.delete diff --git a/config/roles/organizationmembership-reader.yaml b/config/roles/organizationmembership-reader.yaml index e6e061ab..17c770d7 100644 --- a/config/roles/organizationmembership-reader.yaml +++ b/config/roles/organizationmembership-reader.yaml 
@@ -2,12 +2,16 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: organizationmembership-reader + labels: + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Organization Membership Reader kubernetes.io/description: "View organization membership resources" + taxonomy.miloapis.com/product: "Organization & Projects" + taxonomy.miloapis.com/sort-order: "30" spec: launchStage: Beta includedPermissions: - resourcemanager.miloapis.com/organizationmemberships.get - resourcemanager.miloapis.com/organizationmemberships.list - - resourcemanager.miloapis.com/organizationmemberships.watch \ No newline at end of file + - resourcemanager.miloapis.com/organizationmemberships.watch diff --git a/config/roles/organizationmembership-self-delete.yaml b/config/roles/organizationmembership-self-delete.yaml index c918769c..574df9cd 100644 --- a/config/roles/organizationmembership-self-delete.yaml +++ b/config/roles/organizationmembership-self-delete.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: organizationmembership-self-delete + labels: + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Organization Membership Self Delete kubernetes.io/description: "Allows a user to delete their own organization membership" + taxonomy.miloapis.com/product: "Organization & Projects" + taxonomy.miloapis.com/sort-order: "40" spec: launchStage: Beta includedPermissions: diff --git a/config/roles/owner.yaml b/config/roles/owner.yaml index bea1225d..23cfa087 100644 --- a/config/roles/owner.yaml +++ b/config/roles/owner.yaml 
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: owner + labels: + taxonomy.miloapis.com/role-category: platform annotations: kubernetes.io/display-name: Owner kubernetes.io/description: Full access to all platform resources including resource management, IAM, and core platform + taxonomy.miloapis.com/product: Access Everything + taxonomy.miloapis.com/sort-order: "10" spec: launchStage: Beta inheritedRoles: diff --git a/config/roles/project-admin.yaml b/config/roles/project-admin.yaml index 15b398ec..56571094 100644 --- a/config/roles/project-admin.yaml +++ b/config/roles/project-admin.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: resourcemanager.miloapis.com-project-admin + labels: + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Project Admin kubernetes.io/description: "Full access to all project resources" + taxonomy.miloapis.com/product: "Organization & Projects" + taxonomy.miloapis.com/sort-order: "10" spec: launchStage: Beta inheritedRoles: diff --git a/config/roles/project-manager.yaml b/config/roles/project-manager.yaml index 2bd34e8f..6964180d 100644 --- a/config/roles/project-manager.yaml +++ b/config/roles/project-manager.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: project-manager + labels: + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Project Manager kubernetes.io/description: Full access to projects including create, update, and delete + taxonomy.miloapis.com/product: Organization & Projects + taxonomy.miloapis.com/sort-order: "20" spec: launchStage: Beta includedPermissions: diff --git a/config/roles/project-viewer.yaml b/config/roles/project-viewer.yaml index c3caf709..4ca5edac 100644 --- a/config/roles/project-viewer.yaml +++ b/config/roles/project-viewer.yaml 
@@ -2,12 +2,16 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: resourcemanager.miloapis.com-project-viewer + labels: + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Project Viewer kubernetes.io/description: "View access to all project resources" + taxonomy.miloapis.com/product: "Organization & Projects" + taxonomy.miloapis.com/sort-order: "30" spec: launchStage: Beta includedPermissions: - resourcemanager.miloapis.com/projects.get - resourcemanager.miloapis.com/projects.list - - resourcemanager.miloapis.com/projects.watch \ No newline at end of file + - resourcemanager.miloapis.com/projects.watch diff --git a/config/roles/resourcemanager-admin.yaml b/config/roles/resourcemanager-admin.yaml index 687f871c..276fe35a 100644 --- a/config/roles/resourcemanager-admin.yaml +++ b/config/roles/resourcemanager-admin.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: resourcemanager-admin + labels: + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Resource Manager Admin kubernetes.io/description: Full access to manage organizations and projects + taxonomy.miloapis.com/product: Organization & Projects + taxonomy.miloapis.com/sort-order: "10" spec: launchStage: Beta inheritedRoles: diff --git a/config/roles/resourcemanager-editor.yaml b/config/roles/resourcemanager-editor.yaml index dd31fd88..3ea6535f 100644 --- a/config/roles/resourcemanager-editor.yaml +++ b/config/roles/resourcemanager-editor.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: resourcemanager-editor + labels: + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Resource Manager Editor kubernetes.io/description: Edit access to organizations and projects + taxonomy.miloapis.com/product: Organization & Projects + taxonomy.miloapis.com/sort-order: "20" spec: launchStage: Beta inheritedRoles: 
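Review bot: The label `taxonomy.miloapis.com/role-category: service` added to resourcemanager-admin in this hunk contradicts the category definitions this same commit introduces in docs/architecture/identity-and-access-management/role-taxonomy.md, where `platform` is defined as "IAM, resource management, org/project hierarchy, quota, and core primitives" and `resourcemanager-admin` and `quota-admin` are given as its examples, yet config/services/quota/iam/roles/quota-admin.yaml is also labelled `service` here. Since the document says this label feeds `filterByLabel` in the portal, the mismatch means these broad admin roles land in the service group while the taxonomy tells operators to look for them under platform, which is the kind of categorisation gap that hides a role's privilege scope in a picker. One side needs to change: either `taxonomy.miloapis.com/role-category: platform` on the resource-manager, organization, project and quota roles in this commit, or the `platform` definition and examples in the taxonomy table. The same label value appears on resourcemanager-editor in this line's neighbouring hunk, on resourcemanager-reader in the next file, and on the quota-manager, quota-operator, quota-viewer and organization-quota-manager roles, so whichever direction is chosen should be applied to all of them together.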
diff --git a/config/roles/resourcemanager-reader.yaml b/config/roles/resourcemanager-reader.yaml index 7389f3a7..372aaa25 100644 --- a/config/roles/resourcemanager-reader.yaml +++ b/config/roles/resourcemanager-reader.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: resourcemanager-reader + labels: + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Resource Manager Viewer kubernetes.io/description: View access to organizations and projects + taxonomy.miloapis.com/product: Organization & Projects + taxonomy.miloapis.com/sort-order: "30" spec: launchStage: Beta includedPermissions: diff --git a/config/services/quota/iam/roles/organization-quota-manager.yaml b/config/services/quota/iam/roles/organization-quota-manager.yaml index f9aef2bc..f0b790a8 100644 --- a/config/services/quota/iam/roles/organization-quota-manager.yaml +++ b/config/services/quota/iam/roles/organization-quota-manager.yaml @@ -1,15 +1,18 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: - name: quota.miloapis.com-organization-quota-manager namespace: milo-system + name: quota.miloapis.com-organization-quota-manager annotations: kubernetes.io/display-name: Organization Quota Manager kubernetes.io/description: View quota usage, grants, and claims across the organization + taxonomy.miloapis.com/product: "Quota" + taxonomy.miloapis.com/sort-order: "20" labels: quota.miloapis.com/role-type: organization-manager quota.miloapis.com/service: quota quota.miloapis.com/scope: organization + taxonomy.miloapis.com/role-category: service spec: launchStage: Beta includedPermissions: diff --git a/config/services/quota/iam/roles/quota-admin.yaml b/config/services/quota/iam/roles/quota-admin.yaml index c0b8bc37..a18ca3cb 100644 --- a/config/services/quota/iam/roles/quota-admin.yaml +++ b/config/services/quota/iam/roles/quota-admin.yaml 
@@ -1,14 +1,17 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: - name: quota.miloapis.com-admin namespace: milo-system + name: quota.miloapis.com-admin annotations: kubernetes.io/display-name: Quota Admin kubernetes.io/description: Full access to quota resources including resource registrations, grants, claims, allowance buckets, and creation policies + taxonomy.miloapis.com/product: Quota + taxonomy.miloapis.com/sort-order: "10" labels: quota.miloapis.com/role-type: admin quota.miloapis.com/service: quota + taxonomy.miloapis.com/role-category: service spec: launchStage: Beta includedPermissions: diff --git a/config/services/quota/iam/roles/quota-manager.yaml b/config/services/quota/iam/roles/quota-manager.yaml index 5a076601..cd96792d 100644 --- a/config/services/quota/iam/roles/quota-manager.yaml +++ b/config/services/quota/iam/roles/quota-manager.yaml @@ -1,14 +1,17 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: - name: quota.miloapis.com-manager namespace: milo-system + name: quota.miloapis.com-manager annotations: kubernetes.io/display-name: Quota Manager kubernetes.io/description: Manage quota grants and claims, with read access to resource registrations and creation policies + taxonomy.miloapis.com/product: Quota + taxonomy.miloapis.com/sort-order: "20" labels: quota.miloapis.com/role-type: manager quota.miloapis.com/service: quota + taxonomy.miloapis.com/role-category: service spec: launchStage: Beta includedPermissions: diff --git a/config/services/quota/iam/roles/quota-operator.yaml b/config/services/quota/iam/roles/quota-operator.yaml index 7fbcaea6..ecf52789 100644 --- a/config/services/quota/iam/roles/quota-operator.yaml +++ b/config/services/quota/iam/roles/quota-operator.yaml 
@@ -1,14 +1,17 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: - name: quota.miloapis.com-operator namespace: milo-system + name: quota.miloapis.com-operator annotations: kubernetes.io/display-name: Quota Operator kubernetes.io/description: Operational access to quota resources for system reconciliation, including full management of allowance buckets + taxonomy.miloapis.com/product: Quota + taxonomy.miloapis.com/sort-order: "30" labels: quota.miloapis.com/role-type: operator quota.miloapis.com/service: quota + taxonomy.miloapis.com/role-category: service spec: launchStage: Beta includedPermissions: diff --git a/config/services/quota/iam/roles/quota-viewer.yaml b/config/services/quota/iam/roles/quota-viewer.yaml index 0cf26a5c..89339a3d 100644 --- a/config/services/quota/iam/roles/quota-viewer.yaml +++ b/config/services/quota/iam/roles/quota-viewer.yaml @@ -1,14 +1,17 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: - name: quota.miloapis.com-viewer namespace: milo-system + name: quota.miloapis.com-viewer annotations: kubernetes.io/display-name: Quota Viewer kubernetes.io/description: View access to quota resources including resource registrations, grants, and claims + taxonomy.miloapis.com/product: "Quota" + taxonomy.miloapis.com/sort-order: "40" labels: quota.miloapis.com/role-type: viewer quota.miloapis.com/service: quota + taxonomy.miloapis.com/role-category: service spec: launchStage: Beta includedPermissions: diff --git a/docs/architecture/identity-and-access-management/role-taxonomy.md b/docs/architecture/identity-and-access-management/role-taxonomy.md new file mode 100644 index 00000000..c8db82e3 --- /dev/null +++ b/docs/architecture/identity-and-access-management/role-taxonomy.md 
@@ -0,0 +1,74 @@ +# IAM Role Taxonomy + +IAM roles are classified with annotations and labels under the `taxonomy.miloapis.com` prefix to support UI grouping, filtering, and display ordering. + +## Labels + +Labels are used for **filtering and selection** (e.g., `filterByLabel` in the cloud portal). + +### `taxonomy.miloapis.com/role-category` + +Classifies what kind of concern the role governs. + +| Value | Description | Examples | +|---|---|---| +| `platform` | Cross-cutting platform concerns present in every deployment — IAM, resource management, org/project hierarchy, quota, and core primitives. | `iam-admin`, `resourcemanager-admin`, `quota-admin`, `owner` | +| `service` | Infrastructure or data-plane services that teams deploy and operate independently. | `dns-admin`, `network-admin`, `activity-admin`, `search-admin` | +| `feature` | Product capabilities that end-users interact with directly. | `crm-note-admin`, `notification-contact-admin` | + +**Every role file must include this label:** + +```yaml +metadata: + labels: + taxonomy.miloapis.com/role-category: service # platform | service | feature +``` + +## Annotations + +Annotations are used for **display metadata** (grouping headers, sort order, human-readable names). + +### `taxonomy.miloapis.com/product` + +The product group name shown as a header in the UI role picker. + +```yaml +annotations: + taxonomy.miloapis.com/product: "DNS" +``` + +### `taxonomy.miloapis.com/sort-order` + +Controls the ordering of roles within a product group. Use multiples of 10. 
+ +| Sort order | Conventional meaning | +|---|---| +| `"10"` | Admin / full access | +| `"20"` | Editor / manager / operator | +| `"30"` | Viewer / reader | +| `"40"` | Scoped self-service roles | + +```yaml +annotations: + taxonomy.miloapis.com/sort-order: "10" +``` + +## Full example + +```yaml +apiVersion: iam.miloapis.com/v1alpha1 +kind: Role +metadata: + name: dns-admin + labels: + taxonomy.miloapis.com/role-category: service + annotations: + kubernetes.io/display-name: DNS Admin + kubernetes.io/description: Full administrative access to DNS zones and records. + taxonomy.miloapis.com/product: DNS + taxonomy.miloapis.com/sort-order: "10" +spec: + launchStage: Beta + inheritedRoles: + - name: dns-editor +``` diff --git a/internal/apiserver/identity/sessions/dynamic.go b/internal/apiserver/identity/sessions/dynamic.go index 93498725..40bbbd2f 100644 --- a/internal/apiserver/identity/sessions/dynamic.go +++ b/internal/apiserver/identity/sessions/dynamic.go @@ -48,6 +48,7 @@ type Config struct { type DynamicProvider struct { base *rest.Config + baseRT http.RoundTripper // shared transport — reuses TCP connections across requests gvr schema.GroupVersionResource to time.Duration retries int @@ -83,10 +84,18 @@ func NewDynamicProvider(cfg Config) (*DynamicProvider, error) { base.Timeout = cfg.Timeout } + // Build the base transport once so the underlying TCP connections and TLS + // sessions are reused across all per-user requests. + baseRT, err := rest.TransportFor(base) + if err != nil { + return nil, fmt.Errorf("building sessions provider transport: %w", err) + } + gvr := identityv1alpha1.SchemeGroupVersion.WithResource("sessions") return &DynamicProvider{ base: base, + baseRT: baseRT, gvr: gvr, to: cfg.Timeout, retries: max(0, cfg.Retries), 
@@ -95,6 +104,7 @@ func NewDynamicProvider(cfg Config) (*DynamicProvider, error) { } // dynForUser creates a per-call client-go dynamic.Interface that forwards identity via X-Remote-*. +// The underlying HTTP transport is shared across calls so TCP connections are reused. func (b *DynamicProvider) dynForUser(ctx context.Context) (dynamic.Interface, error) { u, ok := apirequest.UserFrom(ctx) if !ok || u == nil { @@ -104,17 +114,15 @@ func (b *DynamicProvider) dynForUser(ctx context.Context) (dynamic.Interface, er if b.to > 0 { cfg.Timeout = b.to } - prev := cfg.WrapTransport - cfg.WrapTransport = func(rt http.RoundTripper) http.RoundTripper { - if prev != nil { - rt = prev(rt) - } + // Wrap the shared base transport with per-user X-Remote-* headers only. + // This avoids building a new TLS transport on every request. + cfg.WrapTransport = func(_ http.RoundTripper) http.RoundTripper { return transport.NewAuthProxyRoundTripper( u.GetName(), u.GetUID(), u.GetGroups(), b.filterExtras(u.GetExtra()), - rt, + b.baseRT, ) } return dynamic.NewForConfig(cfg) diff --git a/internal/apiserver/identity/useridentities/dynamic.go b/internal/apiserver/identity/useridentities/dynamic.go index 36ec6d65..3ed128bf 100644 --- a/internal/apiserver/identity/useridentities/dynamic.go +++ b/internal/apiserver/identity/useridentities/dynamic.go @@ -48,6 +48,7 @@ type Config struct { type DynamicProvider struct { base *rest.Config + baseRT http.RoundTripper // shared transport — reuses TCP connections across requests gvr schema.GroupVersionResource to time.Duration retries int 
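Review bot: The new `WrapTransport` closure in dynForUser discards the `rt` argument, but `dynamic.NewForConfig(cfg)` still calls `rest.TransportFor(cfg)` on every request to produce that argument, so part of the per-call transport construction the added comment says is avoided still happens (client-go caches transports by TLS config, so the actual saving is hard to judge from the hunk). Building the client straight from the shared transport makes the reuse explicit and drops the discarded work: `rt := transport.NewAuthProxyRoundTripper(u.GetName(), u.GetUID(), u.GetGroups(), b.filterExtras(u.GetExtra()), b.baseRT)` followed by `return dynamic.NewForConfigAndClient(cfg, &http.Client{Transport: rt, Timeout: cfg.Timeout})`. With only `b.baseRT` ever used, any transport-relevant field that differs between `cfg` and `b.base` is now silently ignored, so a comment such as `// cfg must stay transport-identical to b.base; only Timeout may differ.` would record the invariant (where `cfg` is derived from `b.base` is outside this hunk, as is the end of dynForUser). The identical change in internal/apiserver/identity/useridentities/dynamic.go has the same issue, and the two files now carry duplicated transport-building and wrapping code that could share one helper.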
@@ -83,10 +84,18 @@ func NewDynamicProvider(cfg Config) (*DynamicProvider, error) { base.Timeout = cfg.Timeout } + // Build the base transport once so the underlying TCP connections and TLS + // sessions are reused across all per-user requests. + baseRT, err := rest.TransportFor(base) + if err != nil { + return nil, fmt.Errorf("building useridentities provider transport: %w", err) + } + gvr := identityv1alpha1.SchemeGroupVersion.WithResource("useridentities") return &DynamicProvider{ base: base, + baseRT: baseRT, gvr: gvr, to: cfg.Timeout, retries: max(0, cfg.Retries), @@ -95,6 +104,7 @@ func NewDynamicProvider(cfg Config) (*DynamicProvider, error) { } // dynForUser creates a per-call client-go dynamic.Interface that forwards identity via X-Remote-*. +// The underlying HTTP transport is shared across calls so TCP connections are reused. func (b *DynamicProvider) dynForUser(ctx context.Context) (dynamic.Interface, error) { u, ok := apirequest.UserFrom(ctx) if !ok || u == nil { @@ -104,17 +114,15 @@ func (b *DynamicProvider) dynForUser(ctx context.Context) (dynamic.Interface, er if b.to > 0 { cfg.Timeout = b.to } - prev := cfg.WrapTransport - cfg.WrapTransport = func(rt http.RoundTripper) http.RoundTripper { - if prev != nil { - rt = prev(rt) - } + // Wrap the shared base transport with per-user X-Remote-* headers only. + // This avoids building a new TLS transport on every request. + cfg.WrapTransport = func(_ http.RoundTripper) http.RoundTripper { return transport.NewAuthProxyRoundTripper( u.GetName(), u.GetUID(), u.GetGroups(), b.filterExtras(u.GetExtra()), - rt, + b.baseRT, ) } return dynamic.NewForConfig(cfg)