Tracking only Firewall Zone API done

2025-04-14 10:38:29 +02:00
parent 4af8b3f78c
commit c681a0c987
29 changed files with 3106 additions and 209 deletions
--- a/config/rbac/firewallrule_admin_role.yaml
+++ b/config/rbac/firewallrule_admin_role.yaml
@@ -0,0 +1,27 @@
+# This rule is not used by the project unifi-network-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over unifi.engen.priv.no.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: unifi-network-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: firewallrule-admin-role
+rules:
+- apiGroups:
+  - unifi.engen.priv.no
+  resources:
+  - firewallrules
+  verbs:
+  - '*'
+- apiGroups:
+  - unifi.engen.priv.no
+  resources:
+  - firewallrules/status
+  verbs:
+  - get
--- a/config/rbac/firewallrule_editor_role.yaml
+++ b/config/rbac/firewallrule_editor_role.yaml
@@ -0,0 +1,33 @@
+# This rule is not used by the project unifi-network-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the unifi.engen.priv.no.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: unifi-network-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: firewallrule-editor-role
+rules:
+- apiGroups:
+  - unifi.engen.priv.no
+  resources:
+  - firewallrules
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - unifi.engen.priv.no
+  resources:
+  - firewallrules/status
+  verbs:
+  - get
--- a/config/rbac/firewallrule_viewer_role.yaml
+++ b/config/rbac/firewallrule_viewer_role.yaml
@@ -0,0 +1,29 @@
+# This rule is not used by the project unifi-network-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to unifi.engen.priv.no resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: unifi-network-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: firewallrule-viewer-role
+rules:
+- apiGroups:
+  - unifi.engen.priv.no
+  resources:
+  - firewallrules
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - unifi.engen.priv.no
+  resources:
+  - firewallrules/status
+  verbs:
+  - get
--- a/config/rbac/firewallzone_admin_role.yaml
+++ b/config/rbac/firewallzone_admin_role.yaml
@@ -0,0 +1,27 @@
+# This rule is not used by the project unifi-network-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants full permissions ('*') over unifi.engen.priv.no.
+# This role is intended for users authorized to modify roles and bindings within the cluster,
+# enabling them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: unifi-network-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: firewallzone-admin-role
+rules:
+- apiGroups:
+  - unifi.engen.priv.no
+  resources:
+  - firewallzones
+  verbs:
+  - '*'
+- apiGroups:
+  - unifi.engen.priv.no
+  resources:
+  - firewallzones/status
+  verbs:
+  - get
--- a/config/rbac/firewallzone_editor_role.yaml
+++ b/config/rbac/firewallzone_editor_role.yaml
@@ -0,0 +1,33 @@
+# This rule is not used by the project unifi-network-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants permissions to create, update, and delete resources within the unifi.engen.priv.no.
+# This role is intended for users who need to manage these resources
+# but should not control RBAC or manage permissions for others.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: unifi-network-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: firewallzone-editor-role
+rules:
+- apiGroups:
+  - unifi.engen.priv.no
+  resources:
+  - firewallzones
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - unifi.engen.priv.no
+  resources:
+  - firewallzones/status
+  verbs:
+  - get
--- a/config/rbac/firewallzone_viewer_role.yaml
+++ b/config/rbac/firewallzone_viewer_role.yaml
@@ -0,0 +1,29 @@
+# This rule is not used by the project unifi-network-operator itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to unifi.engen.priv.no resources.
+# This role is intended for users who need visibility into these resources
+# without permissions to modify them. It is ideal for monitoring purposes and limited-access viewing.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: unifi-network-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: firewallzone-viewer-role
+rules:
+- apiGroups:
+  - unifi.engen.priv.no
+  resources:
+  - firewallzones
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - unifi.engen.priv.no
+  resources:
+  - firewallzones/status
+  verbs:
+  - get
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -22,6 +22,12 @@ resources:
 # default, aiding admins in cluster management. Those roles are
 # not used by the {{ .ProjectName }} itself. You can comment the following lines
 # if you do not want those helpers be installed with your Project.
+- firewallrule_admin_role.yaml
+- firewallrule_editor_role.yaml
+- firewallrule_viewer_role.yaml
+- firewallzone_admin_role.yaml
+- firewallzone_editor_role.yaml
+- firewallzone_viewer_role.yaml
 - networkconfiguration_admin_role.yaml
 - networkconfiguration_editor_role.yaml
 - networkconfiguration_viewer_role.yaml
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -16,6 +16,8 @@ rules:
  - unifi.engen.priv.no
  resources:
  - firewallgroups
+  - firewallrules
+  - firewallzones
  - networkconfigurations
  verbs:
  - create
@@ -29,6 +31,8 @@ rules:
  - unifi.engen.priv.no
  resources:
  - firewallgroups/finalizers
+  - firewallrules/finalizers
+  - firewallzones/finalizers
  - networkconfigurations/finalizers
  verbs:
  - update
@@ -36,6 +40,8 @@ rules:
  - unifi.engen.priv.no
  resources:
  - firewallgroups/status
+  - firewallrules/status
+  - firewallzones/status
  - networkconfigurations/status
  verbs:
  - get