From c62b6e9a7cc55134c8729aa2919e4667553a18ee Mon Sep 17 00:00:00 2001 
From: Kevin
Date: Thu, 12 Mar 2026 11:55:51 -0700
Subject: [PATCH 1/6] chore: add taxonomy annotations to IAM roles for UI grouping
---
 .../organization-creator-policy/organization-creator-role.yaml | 2 ++
 config/roles/iam-platform-access-approvals-admin.yaml | 2 ++
 config/roles/iam-platform-access-approvals-editor.yaml | 2 ++
 config/roles/iam-platform-access-approvals-reader.yaml | 2 ++
 config/roles/iam-platform-access-rejections-admin.yaml | 2 ++
 config/roles/iam-platform-access-rejections-editor.yaml | 2 ++
 config/roles/iam-platform-access-rejections-reader.yaml | 2 ++
 config/roles/iam-platform-invitations-admin.yaml | 2 ++
 config/roles/iam-platform-invitations-editor.yaml | 2 ++
 config/roles/iam-platform-invitations-reader.yaml | 2 ++
 config/roles/iam-role-admin.yaml | 2 ++
 config/roles/iam-role-editor.yaml | 2 ++
 config/roles/iam-role-reader.yaml | 2 ++
 config/roles/iam-user-deactivations-admin.yaml | 2 ++
 config/roles/iam-user-deactivations-editor.yaml | 2 ++
 config/roles/iam-user-deactivations-reader.yaml | 2 ++
 config/roles/iam-user-invitations-admin.yaml | 2 ++
 config/roles/iam-user-invitations-editor.yaml | 2 ++
 config/roles/iam-user-invitations-reader.yaml | 2 ++
 config/roles/iam-user-preferences-manager.yaml | 2 ++
 config/roles/iam-user-self-manage.yaml | 2 ++
 config/roles/iam.miloapis.com-acceptinvitation.yaml | 2 ++
 config/roles/iam.miloapis.com-getinvitation.yaml | 2 ++
 config/roles/notification-contact-admin.yaml | 2 ++
 config/roles/notification-contact-editor.yaml | 2 ++
 config/roles/notification-contact-group-admin.yaml | 2 ++
 config/roles/notification-contact-group-editor.yaml | 2 ++
 config/roles/notification-contact-group-membership-admin.yaml | 2 ++
 config/roles/notification-contact-group-membership-editor.yaml | 2 ++
 config/roles/notification-contact-group-membership-reader.yaml | 2 ++
 .../notification-contact-group-membership-removal-admin.yaml | 2 ++
 .../notification-contact-group-membership-removal-editor.yaml | 2 ++
.../notification-contact-group-membership-removal-reader.yaml | 2 ++
 config/roles/notification-contact-group-reader.yaml | 2 ++
 config/roles/notification-contact-reader.yaml | 2 ++
 config/roles/notification-email-admin.yaml | 2 ++
 config/roles/notification-email-broadcast-admin.yaml | 2 ++
 config/roles/notification-email-broadcast-creator.yaml | 2 ++
 config/roles/notification-email-broadcast-reader.yaml | 2 ++
 config/roles/notification-email-creator.yaml | 2 ++
 config/roles/notification-email-reader.yaml | 2 ++
 config/roles/owner.yaml | 2 ++
 config/roles/project-manager.yaml | 2 ++
 config/roles/resourcemanager-admin.yaml | 2 ++
 config/roles/resourcemanager-editor.yaml | 2 ++
 config/roles/resourcemanager-reader.yaml | 2 ++
 config/services/quota/iam/roles/quota-admin.yaml | 2 ++
 config/services/quota/iam/roles/quota-manager.yaml | 2 ++
 config/services/quota/iam/roles/quota-operator.yaml | 2 ++
 49 files changed, 98 insertions(+)
diff --git a/config/optional-policies/organization-creator-policy/organization-creator-role.yaml b/config/optional-policies/organization-creator-policy/organization-creator-role.yaml
index 1053b4d8..1495f09f 100644
--- a/config/optional-policies/organization-creator-policy/organization-creator-role.yaml
+++ b/config/optional-policies/organization-creator-policy/organization-creator-role.yaml
@@ -6,6 +6,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Organization Creator
 kubernetes.io/description: Allows creating new organizations
+ taxonomy.miloapis.com/product: Organization & Projects
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-platform-access-approvals-admin.yaml b/config/roles/iam-platform-access-approvals-admin.yaml
index 9380e4e6..e85d7b7e 100644
--- a/config/roles/iam-platform-access-approvals-admin.yaml
+++ b/config/roles/iam-platform-access-approvals-admin.yaml
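Review bot: The new `taxonomy.miloapis.com/sort-order: "10"` on organization-creator-role is shared with owner.yaml and resourcemanager-admin.yaml in the same `Organization & Projects` product (and every admin role under `Identity & Access Management` and `Notifications` also carries "10"), so the relative order of those entries is decided by whatever tie-break the consuming UI applies, not by this annotation. If the repeated values are meant as tiers (10 admin, 20 editor/creator, 30 viewer, 40 self-service is the pattern visible across the hunks, though organization-creator-role at "10" does not quite fit), that scheme is not written down anywhere in the change; a one-line comment above the first annotation such as `# sort-order tiers: 10 admin, 20 editor, 30 viewer, 40 self-service; equal values fall back to the UI's default ordering` would keep future roles consistent. The `product` value is likewise a free-form string repeated by hand across 49 files, so a single typo silently creates a new group in the UI; a config test that checks each role's value against the set used here would catch that before deploy.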
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Platform Access Approval Admin
 kubernetes.io/description: Full access to platform access approvals
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-platform-access-approvals-editor.yaml b/config/roles/iam-platform-access-approvals-editor.yaml
index b0cb27a4..b2844f01 100644
--- a/config/roles/iam-platform-access-approvals-editor.yaml
+++ b/config/roles/iam-platform-access-approvals-editor.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Platform Access Approval Editor
 kubernetes.io/description: Create, update, and delete platform access approvals
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-platform-access-approvals-reader.yaml b/config/roles/iam-platform-access-approvals-reader.yaml
index 91f661be..feff4eb8 100644
--- a/config/roles/iam-platform-access-approvals-reader.yaml
+++ b/config/roles/iam-platform-access-approvals-reader.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Platform Access Approval Viewer
 kubernetes.io/description: View platform access approvals
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-platform-access-rejections-admin.yaml b/config/roles/iam-platform-access-rejections-admin.yaml
index 662d5c6b..26ff0887 100644
--- a/config/roles/iam-platform-access-rejections-admin.yaml
+++ b/config/roles/iam-platform-access-rejections-admin.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Platform Access Rejection Admin
 kubernetes.io/description: Full access to platform access rejections
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-platform-access-rejections-editor.yaml b/config/roles/iam-platform-access-rejections-editor.yaml
index 1516a865..d752f977 100644
--- a/config/roles/iam-platform-access-rejections-editor.yaml
+++ b/config/roles/iam-platform-access-rejections-editor.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Platform Access Rejection Editor
 kubernetes.io/description: Create, update, and delete platform access rejections
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-platform-access-rejections-reader.yaml b/config/roles/iam-platform-access-rejections-reader.yaml
index 3369d7fc..13a04c4b 100644
--- a/config/roles/iam-platform-access-rejections-reader.yaml
+++ b/config/roles/iam-platform-access-rejections-reader.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Platform Access Rejection Viewer
 kubernetes.io/description: View platform access rejections
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-platform-invitations-admin.yaml b/config/roles/iam-platform-invitations-admin.yaml
index 56d932c1..27af1077 100644
--- a/config/roles/iam-platform-invitations-admin.yaml
+++ b/config/roles/iam-platform-invitations-admin.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Platform Invitation Admin
 kubernetes.io/description: Full access to platform invitations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-platform-invitations-editor.yaml b/config/roles/iam-platform-invitations-editor.yaml
index a27d4220..e1af8422 100644
--- a/config/roles/iam-platform-invitations-editor.yaml
+++ b/config/roles/iam-platform-invitations-editor.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Platform Invitation Editor
 kubernetes.io/description: Create, update, and delete platform invitations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-platform-invitations-reader.yaml b/config/roles/iam-platform-invitations-reader.yaml
index 53ba19c6..b76e9e2f 100644
--- a/config/roles/iam-platform-invitations-reader.yaml
+++ b/config/roles/iam-platform-invitations-reader.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Platform Invitation Viewer
 kubernetes.io/description: View platform invitations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-role-admin.yaml b/config/roles/iam-role-admin.yaml
index fcac763d..3533556a 100644
--- a/config/roles/iam-role-admin.yaml
+++ b/config/roles/iam-role-admin.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Role Admin
 kubernetes.io/description: Full access to IAM roles
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-role-editor.yaml b/config/roles/iam-role-editor.yaml
index afc56290..b26ea14d 100644
--- a/config/roles/iam-role-editor.yaml
+++ b/config/roles/iam-role-editor.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Role Editor
 kubernetes.io/description: Create, update, and delete IAM roles
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-role-reader.yaml b/config/roles/iam-role-reader.yaml
index 3b477ba4..0699258c 100644
--- a/config/roles/iam-role-reader.yaml
+++ b/config/roles/iam-role-reader.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Role Viewer
 kubernetes.io/description: View IAM roles
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-user-deactivations-admin.yaml b/config/roles/iam-user-deactivations-admin.yaml
index eef509fd..52069524 100644
--- a/config/roles/iam-user-deactivations-admin.yaml
+++ b/config/roles/iam-user-deactivations-admin.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: User Deactivation Admin
 kubernetes.io/description: Full access to user deactivations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-user-deactivations-editor.yaml b/config/roles/iam-user-deactivations-editor.yaml
index c4ffed8a..213f7df8 100644
--- a/config/roles/iam-user-deactivations-editor.yaml
+++ b/config/roles/iam-user-deactivations-editor.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: User Deactivation Editor
 kubernetes.io/description: Create, update, and delete user deactivations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-user-deactivations-reader.yaml b/config/roles/iam-user-deactivations-reader.yaml
index ce87b3d7..a03fd439 100644
--- a/config/roles/iam-user-deactivations-reader.yaml
+++ b/config/roles/iam-user-deactivations-reader.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: User Deactivation Viewer
 kubernetes.io/description: View user deactivations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-user-invitations-admin.yaml b/config/roles/iam-user-invitations-admin.yaml
index ee98c14d..93d58916 100644
--- a/config/roles/iam-user-invitations-admin.yaml
+++ b/config/roles/iam-user-invitations-admin.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: User Invitation Admin
 kubernetes.io/description: Full access to user invitations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-user-invitations-editor.yaml b/config/roles/iam-user-invitations-editor.yaml
index f3f5c6dc..859a856e 100644
--- a/config/roles/iam-user-invitations-editor.yaml
+++ b/config/roles/iam-user-invitations-editor.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: User Invitation Editor
 kubernetes.io/description: Create, update, and delete user invitations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-user-invitations-reader.yaml b/config/roles/iam-user-invitations-reader.yaml
index 1231fa1f..237fe99a 100644
--- a/config/roles/iam-user-invitations-reader.yaml
+++ b/config/roles/iam-user-invitations-reader.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: User Invitation Viewer
 kubernetes.io/description: View user invitations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-user-preferences-manager.yaml b/config/roles/iam-user-preferences-manager.yaml
index 2251c8ec..7ad6aa7d 100644
--- a/config/roles/iam-user-preferences-manager.yaml
+++ b/config/roles/iam-user-preferences-manager.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: User Preferences Manager
 kubernetes.io/description: "Allows users to manage their own user preferences only."
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "40"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-user-self-manage.yaml b/config/roles/iam-user-self-manage.yaml
index dbd57500..b9b9b8e0 100644
--- a/config/roles/iam-user-self-manage.yaml
+++ b/config/roles/iam-user-self-manage.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: User Self Manage
 kubernetes.io/description: "Allows users to manage their own user account."
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "40"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam.miloapis.com-acceptinvitation.yaml b/config/roles/iam.miloapis.com-acceptinvitation.yaml
index 744dc107..2396729f 100644
--- a/config/roles/iam.miloapis.com-acceptinvitation.yaml
+++ b/config/roles/iam.miloapis.com-acceptinvitation.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Accept Invitation
 kubernetes.io/description: Accept user invitations to join organizations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "40"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam.miloapis.com-getinvitation.yaml b/config/roles/iam.miloapis.com-getinvitation.yaml
index e219ea5c..0032e828 100644
--- a/config/roles/iam.miloapis.com-getinvitation.yaml
+++ b/config/roles/iam.miloapis.com-getinvitation.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Get Invitation
 kubernetes.io/description: View user invitations
+ taxonomy.miloapis.com/product: Identity & Access Management
+ taxonomy.miloapis.com/sort-order: "40"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/notification-contact-admin.yaml b/config/roles/notification-contact-admin.yaml
index 1d025e05..c2067ade 100644
--- a/config/roles/notification-contact-admin.yaml
+++ b/config/roles/notification-contact-admin.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Notification Contact Admin
 kubernetes.io/description: Full access to notification contacts
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-contact-editor.yaml b/config/roles/notification-contact-editor.yaml
index 92f10785..f62c7255 100644
--- a/config/roles/notification-contact-editor.yaml
+++ b/config/roles/notification-contact-editor.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Notification Contact Editor
 kubernetes.io/description: Create, update, and delete notification contacts
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-contact-group-admin.yaml b/config/roles/notification-contact-group-admin.yaml
index c40c9f6c..70ff1417 100644
--- a/config/roles/notification-contact-group-admin.yaml
+++ b/config/roles/notification-contact-group-admin.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Notification Contact Group Admin
 kubernetes.io/description: Full access to notification contact groups
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-contact-group-editor.yaml b/config/roles/notification-contact-group-editor.yaml
index fa1df54a..8519fa25 100644
--- a/config/roles/notification-contact-group-editor.yaml
+++ b/config/roles/notification-contact-group-editor.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Notification Contact Group Editor
 kubernetes.io/description: Create, update, and delete notification contact groups
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-contact-group-membership-admin.yaml b/config/roles/notification-contact-group-membership-admin.yaml
index c44ed11d..cad30f27 100644
--- a/config/roles/notification-contact-group-membership-admin.yaml
+++ b/config/roles/notification-contact-group-membership-admin.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Contact Group Membership Admin
 kubernetes.io/description: Full access to notification contact group memberships
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-contact-group-membership-editor.yaml b/config/roles/notification-contact-group-membership-editor.yaml
index 3d157b51..ff3a6e46 100644
--- a/config/roles/notification-contact-group-membership-editor.yaml
+++ b/config/roles/notification-contact-group-membership-editor.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Contact Group Membership Editor
 kubernetes.io/description: Create, update, and delete notification contact group memberships
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-contact-group-membership-reader.yaml b/config/roles/notification-contact-group-membership-reader.yaml
index 9bbe461f..4ae3663f 100644
--- a/config/roles/notification-contact-group-membership-reader.yaml
+++ b/config/roles/notification-contact-group-membership-reader.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Contact Group Membership Viewer
 kubernetes.io/description: View notification contact group memberships
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/notification-contact-group-membership-removal-admin.yaml b/config/roles/notification-contact-group-membership-removal-admin.yaml
index 6675478f..79015361 100644
--- a/config/roles/notification-contact-group-membership-removal-admin.yaml
+++ b/config/roles/notification-contact-group-membership-removal-admin.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Contact Group Membership Removal Admin
 kubernetes.io/description: Full access to notification contact group membership removals
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-contact-group-membership-removal-editor.yaml b/config/roles/notification-contact-group-membership-removal-editor.yaml
index 456a51b7..f847fb21 100644
--- a/config/roles/notification-contact-group-membership-removal-editor.yaml
+++ b/config/roles/notification-contact-group-membership-removal-editor.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Contact Group Membership Removal Editor
 kubernetes.io/description: Create, update, and delete notification contact group membership removals
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-contact-group-membership-removal-reader.yaml b/config/roles/notification-contact-group-membership-removal-reader.yaml
index 6b5202d7..b0caef12 100644
--- a/config/roles/notification-contact-group-membership-removal-reader.yaml
+++ b/config/roles/notification-contact-group-membership-removal-reader.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Contact Group Membership Removal Viewer
 kubernetes.io/description: View notification contact group membership removals
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/notification-contact-group-reader.yaml b/config/roles/notification-contact-group-reader.yaml
index 9a98cdd3..65b52199 100644
--- a/config/roles/notification-contact-group-reader.yaml
+++ b/config/roles/notification-contact-group-reader.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Notification Contact Group Viewer
 kubernetes.io/description: View notification contact groups
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/notification-contact-reader.yaml b/config/roles/notification-contact-reader.yaml
index fab18525..815df645 100644
--- a/config/roles/notification-contact-reader.yaml
+++ b/config/roles/notification-contact-reader.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Notification Contact Viewer
 kubernetes.io/description: View notification contacts
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/notification-email-admin.yaml b/config/roles/notification-email-admin.yaml
index c88a0875..ba43af0b 100644
--- a/config/roles/notification-email-admin.yaml
+++ b/config/roles/notification-email-admin.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Notification Email Admin
 kubernetes.io/description: Full access to notification emails
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-email-broadcast-admin.yaml b/config/roles/notification-email-broadcast-admin.yaml
index 6b45b539..7141f924 100644
--- a/config/roles/notification-email-broadcast-admin.yaml
+++ b/config/roles/notification-email-broadcast-admin.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Email Broadcast Admin
 kubernetes.io/description: Full access to email broadcasts
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-email-broadcast-creator.yaml b/config/roles/notification-email-broadcast-creator.yaml
index a0e1f25d..de2733c2 100644
--- a/config/roles/notification-email-broadcast-creator.yaml
+++ b/config/roles/notification-email-broadcast-creator.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Email Broadcast Creator
 kubernetes.io/description: Create and delete email broadcasts
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-email-broadcast-reader.yaml b/config/roles/notification-email-broadcast-reader.yaml
index 3e744402..12a5f7d2 100644
--- a/config/roles/notification-email-broadcast-reader.yaml
+++ b/config/roles/notification-email-broadcast-reader.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Email Broadcast Viewer
 kubernetes.io/description: View email broadcasts
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/notification-email-creator.yaml b/config/roles/notification-email-creator.yaml
index cf25bf57..05fc037c 100644
--- a/config/roles/notification-email-creator.yaml
+++ b/config/roles/notification-email-creator.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Notification Email Creator
 kubernetes.io/description: Create notification emails
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notification-email-reader.yaml b/config/roles/notification-email-reader.yaml
index f9ecd4ed..49e737ec 100644
--- a/config/roles/notification-email-reader.yaml
+++ b/config/roles/notification-email-reader.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Notification Email Viewer
 kubernetes.io/description: View notification emails
+ taxonomy.miloapis.com/product: Notifications
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/owner.yaml b/config/roles/owner.yaml
index bea1225d..87031dfa 100644
--- a/config/roles/owner.yaml
+++ b/config/roles/owner.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Owner
 kubernetes.io/description: Full access to all platform resources including resource management, IAM, and core platform
+ taxonomy.miloapis.com/product: Organization & Projects
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/project-manager.yaml b/config/roles/project-manager.yaml
index 2bd34e8f..a937dbc8 100644
--- a/config/roles/project-manager.yaml
+++ b/config/roles/project-manager.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Project Manager
 kubernetes.io/description: Full access to projects including create, update, and delete
+ taxonomy.miloapis.com/product: Organization & Projects
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/resourcemanager-admin.yaml b/config/roles/resourcemanager-admin.yaml
index 687f871c..c97c5668 100644
--- a/config/roles/resourcemanager-admin.yaml
+++ b/config/roles/resourcemanager-admin.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Resource Manager Admin
 kubernetes.io/description: Full access to manage organizations and projects
+ taxonomy.miloapis.com/product: Organization & Projects
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/resourcemanager-editor.yaml b/config/roles/resourcemanager-editor.yaml
index dd31fd88..f8088afc 100644
--- a/config/roles/resourcemanager-editor.yaml
+++ b/config/roles/resourcemanager-editor.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Resource Manager Editor
 kubernetes.io/description: Edit access to organizations and projects
+ taxonomy.miloapis.com/product: Organization & Projects
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/resourcemanager-reader.yaml b/config/roles/resourcemanager-reader.yaml
index 7389f3a7..62f7954d 100644
--- a/config/roles/resourcemanager-reader.yaml
+++ b/config/roles/resourcemanager-reader.yaml
@@ -5,6 +5,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Resource Manager Viewer
 kubernetes.io/description: View access to organizations and projects
+ taxonomy.miloapis.com/product: Organization & Projects
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/services/quota/iam/roles/quota-admin.yaml b/config/services/quota/iam/roles/quota-admin.yaml
index c0b8bc37..aedfe555 100644
--- a/config/services/quota/iam/roles/quota-admin.yaml
+++ b/config/services/quota/iam/roles/quota-admin.yaml
@@ -6,6 +6,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Quota Admin
 kubernetes.io/description: Full access to quota resources including resource registrations, grants, claims, allowance buckets, and creation policies
+ taxonomy.miloapis.com/product: Quota
+ taxonomy.miloapis.com/sort-order: "10"
 labels:
 quota.miloapis.com/role-type: admin
 quota.miloapis.com/service: quota
diff --git a/config/services/quota/iam/roles/quota-manager.yaml b/config/services/quota/iam/roles/quota-manager.yaml
index 5a076601..626cdef8 100644
--- a/config/services/quota/iam/roles/quota-manager.yaml
+++ b/config/services/quota/iam/roles/quota-manager.yaml
@@ -6,6 +6,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Quota Manager
 kubernetes.io/description: Manage quota grants and claims, with read access to resource registrations and creation policies
+ taxonomy.miloapis.com/product: Quota
+ taxonomy.miloapis.com/sort-order: "20"
 labels:
 quota.miloapis.com/role-type: manager
 quota.miloapis.com/service: quota
diff --git a/config/services/quota/iam/roles/quota-operator.yaml b/config/services/quota/iam/roles/quota-operator.yaml
index 7fbcaea6..7d0cff37 100644
--- a/config/services/quota/iam/roles/quota-operator.yaml
+++ b/config/services/quota/iam/roles/quota-operator.yaml
@@ -6,6 +6,8 @@ metadata:
 annotations:
 kubernetes.io/display-name: Quota Operator
 kubernetes.io/description: Operational access to quota resources for system reconciliation, including full management of allowance buckets
+ taxonomy.miloapis.com/product: Quota
+ taxonomy.miloapis.com/sort-order: "30"
 labels:
 quota.miloapis.com/role-type: operator
 quota.miloapis.com/service: quota
From ba45ab175599d67eb47e3399fbfed11825b1774e Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 12 Mar 2026 18:56:36 +0000 Subject: [PATCH 2/6] chore: add missing newlines at end of files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🤖 Automatically added newlines to 4 file(s) Co-Authored-By: github-actions[bot]
--- config/roles/iam-role-admin.yaml | 2 +- config/roles/iam-role-editor.yaml | 2 +- config/roles/iam-role-reader.yaml | 2 +- config/roles/iam-user-preferences-manager.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/roles/iam-role-admin.yaml b/config/roles/iam-role-admin.yaml
index 3533556a..7ef6e8cb 100644
--- a/config/roles/iam-role-admin.yaml
+++ b/config/roles/iam-role-admin.yaml
@@ -10,4 +10,4 @@ metadata:
 spec:
 launchStage: Beta
 inheritedRoles:
- - name: role-editor
\ No newline at end of file
+ - name: role-editor
diff --git a/config/roles/iam-role-editor.yaml b/config/roles/iam-role-editor.yaml
index b26ea14d..24819c89 100644
--- a/config/roles/iam-role-editor.yaml
+++ b/config/roles/iam-role-editor.yaml
@@ -15,4 +15,4 @@ spec:
 - iam.miloapis.com/roles.create
 - iam.miloapis.com/roles.update
 - iam.miloapis.com/roles.patch
- - iam.miloapis.com/roles.delete
\ No newline at end of file
+ - iam.miloapis.com/roles.delete
diff --git a/config/roles/iam-role-reader.yaml b/config/roles/iam-role-reader.yaml
index 0699258c..6c0ece4a 100644
--- a/config/roles/iam-role-reader.yaml
+++ b/config/roles/iam-role-reader.yaml
@@ -12,4 +12,4 @@ spec:
 includedPermissions:
 - iam.miloapis.com/roles.get
 - iam.miloapis.com/roles.list
- - iam.miloapis.com/roles.watch
\ No newline at end of file
+ - iam.miloapis.com/roles.watch
diff --git a/config/roles/iam-user-preferences-manager.yaml b/config/roles/iam-user-preferences-manager.yaml
index 7ad6aa7d..4e7e943d 100644
--- a/config/roles/iam-user-preferences-manager.yaml
+++ b/config/roles/iam-user-preferences-manager.yaml
@@ -12,4 +12,4 @@ spec:
 includedPermissions:
 - iam.miloapis.com/userpreferences.get
 - iam.miloapis.com/userpreferences.update
- - iam.miloapis.com/userpreferences.patch
\ No newline at end of file
+ - iam.miloapis.com/userpreferences.patch
From f1706196fd5441b36a3eaddc4748b311b1581967 Mon Sep 17 00:00:00 2001
From: Kevin Date: Sun, 15 Mar 2026 13:59:34 -0700 Subject: [PATCH 3/6] chore: add role-category labels and missing taxonomy annotations to IAM roles Adds taxonomy.miloapis.com/role-category label to all 72 IAM role files to support filterByLabel in the cloud portal UI. Three values are used: - platform: IAM, resource management, org/project, quota, core roles - feature: CRM notes and notification roles - service: reserved for infrastructure services (DNS, Network, Activity, etc.) Also adds missing taxonomy.miloapis.com/product and sort-order annotations to 24 previously unclassified roles (iam-admin/editor/viewer, identity session viewer, organizationmembership-*, core-*, apiextensions-reader, crm-note-*, quota-viewer, organization-quota-manager). Adds docs/architecture/identity-and-access-management/role-taxonomy.md as a reference for service teams adding roles in other repos. --- .../organization-creator-role.yaml | 2 + config/roles/apiextensions-reader.yaml | 4 + config/roles/core-admin.yaml | 4 + config/roles/core-editor.yaml | 4 + config/roles/core-reader.yaml | 4 + config/roles/iam-admin.yaml | 4 + config/roles/iam-editor.yaml | 4 + .../iam-platform-access-approvals-admin.yaml | 2 + .../iam-platform-access-approvals-editor.yaml | 2 + .../iam-platform-access-approvals-reader.yaml | 2 + .../iam-platform-access-rejections-admin.yaml | 2 + ...iam-platform-access-rejections-editor.yaml | 2 + ...iam-platform-access-rejections-reader.yaml | 2 + .../roles/iam-platform-invitations-admin.yaml | 2 + .../iam-platform-invitations-editor.yaml | 2 + .../iam-platform-invitations-reader.yaml | 2 + config/roles/iam-role-admin.yaml | 2 + config/roles/iam-role-editor.yaml | 2 + config/roles/iam-role-reader.yaml | 2 + .../roles/iam-user-deactivations-admin.yaml | 2 + .../roles/iam-user-deactivations-editor.yaml | 2 + .../roles/iam-user-deactivations-reader.yaml | 2 + config/roles/iam-user-invitations-admin.yaml | 2 + config/roles/iam-user-invitations-editor.yaml | 2 + 
config/roles/iam-user-invitations-reader.yaml | 2 + .../roles/iam-user-preferences-manager.yaml | 2 + config/roles/iam-user-self-manage.yaml | 2 + config/roles/iam-viewer.yaml | 4 + .../iam.miloapis.com-acceptinvitation.yaml | 2 + .../roles/iam.miloapis.com-getinvitation.yaml | 2 + .../roles/identity-user-session-viewer.yaml | 4 + config/roles/notes-admin.yaml | 4 + config/roles/notes-creator-editor.yaml | 4 + config/roles/notes-creator.yaml | 4 + config/roles/notes-editor.yaml | 4 + config/roles/notes-viewer.yaml | 4 + config/roles/notification-contact-admin.yaml | 2 + config/roles/notification-contact-editor.yaml | 2 + .../notification-contact-group-admin.yaml | 2 + .../notification-contact-group-editor.yaml | 2 + ...cation-contact-group-membership-admin.yaml | 2 + ...ation-contact-group-membership-editor.yaml | 2 + ...ation-contact-group-membership-reader.yaml | 2 + ...ontact-group-membership-removal-admin.yaml | 2 + ...ntact-group-membership-removal-editor.yaml | 2 + ...ntact-group-membership-removal-reader.yaml | 2 + .../notification-contact-group-reader.yaml | 2 + config/roles/notification-contact-reader.yaml | 2 + config/roles/notification-email-admin.yaml | 2 + .../notification-email-broadcast-admin.yaml | 2 + .../notification-email-broadcast-creator.yaml | 2 + .../notification-email-broadcast-reader.yaml | 2 + config/roles/notification-email-creator.yaml | 2 + config/roles/notification-email-reader.yaml | 2 + config/roles/organization-admin.yaml | 4 + config/roles/organization-viewer.yaml | 4 + .../roles/organizationmembership-admin.yaml | 4 + .../roles/organizationmembership-editor.yaml | 4 + .../roles/organizationmembership-reader.yaml | 4 + .../organizationmembership-self-delete.yaml | 4 + config/roles/owner.yaml | 4 +- config/roles/project-admin.yaml | 4 + config/roles/project-manager.yaml | 2 + config/roles/project-viewer.yaml | 4 + config/roles/resourcemanager-admin.yaml | 2 + config/roles/resourcemanager-editor.yaml | 2 + 
config/roles/resourcemanager-reader.yaml | 2 + .../iam/roles/organization-quota-manager.yaml | 3 + .../services/quota/iam/roles/quota-admin.yaml | 1 + .../quota/iam/roles/quota-manager.yaml | 1 + .../quota/iam/roles/quota-operator.yaml | 1 + .../quota/iam/roles/quota-viewer.yaml | 3 + .../role-taxonomy.md | 74 +++++++++++++++++++ 73 files changed, 260 insertions(+), 1 deletion(-) create mode 100644 docs/architecture/identity-and-access-management/role-taxonomy.md
diff --git a/config/optional-policies/organization-creator-policy/organization-creator-role.yaml b/config/optional-policies/organization-creator-policy/organization-creator-role.yaml
index 1495f09f..e24e1524 100644
--- a/config/optional-policies/organization-creator-policy/organization-creator-role.yaml
+++ b/config/optional-policies/organization-creator-policy/organization-creator-role.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: organization-creator
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 namespace: milo-system
 annotations:
 kubernetes.io/display-name: Organization Creator
diff --git a/config/roles/apiextensions-reader.yaml b/config/roles/apiextensions-reader.yaml
index 569f89ee..a32663da 100644
--- a/config/roles/apiextensions-reader.yaml
+++ b/config/roles/apiextensions-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: apiextensions-reader
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: API Extensions Viewer
 kubernetes.io/description: View access to custom resource definitions
+ taxonomy.miloapis.com/product: "Platform Core"
+ taxonomy.miloapis.com/sort-order: "40"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/core-admin.yaml b/config/roles/core-admin.yaml
index f861e2f9..97757097 100644
--- a/config/roles/core-admin.yaml
+++ b/config/roles/core-admin.yaml
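Review bot: The new `taxonomy.miloapis.com/role-category` label is presentation metadata for a portal filter, and nothing in the Role manifest constrains its value, so a typo such as `platfrom` would silently drop a role from the UI grouping instead of failing validation. Since role-editor grants `iam.miloapis.com/roles.create` and `roles.update` (visible as context in patch 2's iam-role-editor hunk), a principal holding that role can set the same label on a custom Role, so the portal must not read the label or the product annotation as evidence that a role is platform-provided. I would state both points in the role-taxonomy.md this commit adds, and back the first with a CI check that every file under config/roles carries exactly one of the three documented values. In organization-creator-role.yaml the `labels:` block is inserted between `name:` and `namespace:`, whereas every other file puts it directly before `annotations:`; harmless, but worth aligning.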
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: core-admin
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Core Admin
 kubernetes.io/description: Full access to core platform resources including secrets, configmaps, and namespaces
+ taxonomy.miloapis.com/product: "Platform Core"
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/core-editor.yaml b/config/roles/core-editor.yaml
index cb7300ce..71c2e0cb 100644
--- a/config/roles/core-editor.yaml
+++ b/config/roles/core-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: core-editor
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Core Editor
 kubernetes.io/description: Edit access to core platform resources including secrets, configmaps, and namespaces
+ taxonomy.miloapis.com/product: "Platform Core"
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/core-reader.yaml b/config/roles/core-reader.yaml
index 5d6cbe6d..f690a162 100644
--- a/config/roles/core-reader.yaml
+++ b/config/roles/core-reader.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: core-reader
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Core Reader
 kubernetes.io/description: View access to core platform resources including secrets, configmaps, and namespaces
+ taxonomy.miloapis.com/product: "Platform Core"
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam-admin.yaml b/config/roles/iam-admin.yaml
index fa1ddf2a..5e810944 100644
--- a/config/roles/iam-admin.yaml
+++ b/config/roles/iam-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-admin
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: IAM Admin
 kubernetes.io/description: "Full access to all IAM resources"
+ taxonomy.miloapis.com/product: "Identity & Access Management"
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-editor.yaml b/config/roles/iam-editor.yaml
index f1c084cf..2c85a4ae 100644
--- a/config/roles/iam-editor.yaml
+++ b/config/roles/iam-editor.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-editor
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: IAM Editor
 kubernetes.io/description: "Edit IAM resources"
+ taxonomy.miloapis.com/product: "Identity & Access Management"
+ taxonomy.miloapis.com/sort-order: "20"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/iam-platform-access-approvals-admin.yaml b/config/roles/iam-platform-access-approvals-admin.yaml
index e85d7b7e..5f61a7e0 100644
--- a/config/roles/iam-platform-access-approvals-admin.yaml
+++ b/config/roles/iam-platform-access-approvals-admin.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-access-approvals-admin
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Platform Access Approval Admin
 kubernetes.io/description: Full access to platform access approvals
diff --git a/config/roles/iam-platform-access-approvals-editor.yaml b/config/roles/iam-platform-access-approvals-editor.yaml
index b2844f01..ac953e23 100644
--- a/config/roles/iam-platform-access-approvals-editor.yaml
+++ b/config/roles/iam-platform-access-approvals-editor.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-access-approvals-editor
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Platform Access Approval Editor
 kubernetes.io/description: Create, update, and delete platform access approvals
diff --git a/config/roles/iam-platform-access-approvals-reader.yaml b/config/roles/iam-platform-access-approvals-reader.yaml
index feff4eb8..14c57d8e 100644
--- a/config/roles/iam-platform-access-approvals-reader.yaml
+++ b/config/roles/iam-platform-access-approvals-reader.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-access-approvals-reader
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Platform Access Approval Viewer
 kubernetes.io/description: View platform access approvals
diff --git a/config/roles/iam-platform-access-rejections-admin.yaml b/config/roles/iam-platform-access-rejections-admin.yaml
index 26ff0887..d89f0166 100644
--- a/config/roles/iam-platform-access-rejections-admin.yaml
+++ b/config/roles/iam-platform-access-rejections-admin.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-access-rejections-admin
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Platform Access Rejection Admin
 kubernetes.io/description: Full access to platform access rejections
diff --git a/config/roles/iam-platform-access-rejections-editor.yaml b/config/roles/iam-platform-access-rejections-editor.yaml
index d752f977..c4a2ffce 100644
--- a/config/roles/iam-platform-access-rejections-editor.yaml
+++ b/config/roles/iam-platform-access-rejections-editor.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-access-rejections-editor
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Platform Access Rejection Editor
 kubernetes.io/description: Create, update, and delete platform access rejections
diff --git a/config/roles/iam-platform-access-rejections-reader.yaml b/config/roles/iam-platform-access-rejections-reader.yaml
index 13a04c4b..4741c050 100644
--- a/config/roles/iam-platform-access-rejections-reader.yaml
+++ b/config/roles/iam-platform-access-rejections-reader.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-access-rejections-reader
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Platform Access Rejection Viewer
 kubernetes.io/description: View platform access rejections
diff --git a/config/roles/iam-platform-invitations-admin.yaml b/config/roles/iam-platform-invitations-admin.yaml
index 27af1077..7e09eee8 100644
--- a/config/roles/iam-platform-invitations-admin.yaml
+++ b/config/roles/iam-platform-invitations-admin.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-invitations-admin
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Platform Invitation Admin
 kubernetes.io/description: Full access to platform invitations
diff --git a/config/roles/iam-platform-invitations-editor.yaml b/config/roles/iam-platform-invitations-editor.yaml
index e1af8422..e149c72f 100644
--- a/config/roles/iam-platform-invitations-editor.yaml
+++ b/config/roles/iam-platform-invitations-editor.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-invitations-editor
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Platform Invitation Editor
 kubernetes.io/description: Create, update, and delete platform invitations
diff --git a/config/roles/iam-platform-invitations-reader.yaml b/config/roles/iam-platform-invitations-reader.yaml
index b76e9e2f..42d95414 100644
--- a/config/roles/iam-platform-invitations-reader.yaml
+++ b/config/roles/iam-platform-invitations-reader.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-platform-invitations-reader
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Platform Invitation Viewer
 kubernetes.io/description: View platform invitations
diff --git a/config/roles/iam-role-admin.yaml b/config/roles/iam-role-admin.yaml
index 7ef6e8cb..0d49734a 100644
--- a/config/roles/iam-role-admin.yaml
+++ b/config/roles/iam-role-admin.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: role-admin
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Role Admin
 kubernetes.io/description: Full access to IAM roles
diff --git a/config/roles/iam-role-editor.yaml b/config/roles/iam-role-editor.yaml
index 24819c89..d2afbbff 100644
--- a/config/roles/iam-role-editor.yaml
+++ b/config/roles/iam-role-editor.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: role-editor
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Role Editor
 kubernetes.io/description: Create, update, and delete IAM roles
diff --git a/config/roles/iam-role-reader.yaml b/config/roles/iam-role-reader.yaml
index 6c0ece4a..27204cc2 100644
--- a/config/roles/iam-role-reader.yaml
+++ b/config/roles/iam-role-reader.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: role-reader
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Role Viewer
 kubernetes.io/description: View IAM roles
diff --git a/config/roles/iam-user-deactivations-admin.yaml b/config/roles/iam-user-deactivations-admin.yaml
index 52069524..e2652a72 100644
--- a/config/roles/iam-user-deactivations-admin.yaml
+++ b/config/roles/iam-user-deactivations-admin.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-user-deactivations-admin
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: User Deactivation Admin
 kubernetes.io/description: Full access to user deactivations
diff --git a/config/roles/iam-user-deactivations-editor.yaml b/config/roles/iam-user-deactivations-editor.yaml
index 213f7df8..f4fe1f73 100644
--- a/config/roles/iam-user-deactivations-editor.yaml
+++ b/config/roles/iam-user-deactivations-editor.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-user-deactivations-editor
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: User Deactivation Editor
 kubernetes.io/description: Create, update, and delete user deactivations
diff --git a/config/roles/iam-user-deactivations-reader.yaml b/config/roles/iam-user-deactivations-reader.yaml
index a03fd439..6af4053d 100644
--- a/config/roles/iam-user-deactivations-reader.yaml
+++ b/config/roles/iam-user-deactivations-reader.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-user-deactivations-reader
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: User Deactivation Viewer
 kubernetes.io/description: View user deactivations
diff --git a/config/roles/iam-user-invitations-admin.yaml b/config/roles/iam-user-invitations-admin.yaml
index 93d58916..dba02cb0 100644
--- a/config/roles/iam-user-invitations-admin.yaml
+++ b/config/roles/iam-user-invitations-admin.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-user-invitations-admin
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: User Invitation Admin
 kubernetes.io/description: Full access to user invitations
diff --git a/config/roles/iam-user-invitations-editor.yaml b/config/roles/iam-user-invitations-editor.yaml
index 859a856e..2c43b2b6 100644
--- a/config/roles/iam-user-invitations-editor.yaml
+++ b/config/roles/iam-user-invitations-editor.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-user-invitations-editor
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: User Invitation Editor
 kubernetes.io/description: Create, update, and delete user invitations
diff --git a/config/roles/iam-user-invitations-reader.yaml b/config/roles/iam-user-invitations-reader.yaml
index 237fe99a..dfc4017c 100644
--- a/config/roles/iam-user-invitations-reader.yaml
+++ b/config/roles/iam-user-invitations-reader.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-user-invitations-reader
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: User Invitation Viewer
 kubernetes.io/description: View user invitations
diff --git a/config/roles/iam-user-preferences-manager.yaml b/config/roles/iam-user-preferences-manager.yaml
index 4e7e943d..c906cd51 100644
--- a/config/roles/iam-user-preferences-manager.yaml
+++ b/config/roles/iam-user-preferences-manager.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-user-preferences-manager
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: User Preferences Manager
 kubernetes.io/description: "Allows users to manage their own user preferences only."
diff --git a/config/roles/iam-user-self-manage.yaml b/config/roles/iam-user-self-manage.yaml
index b9b9b8e0..123a7d32 100644
--- a/config/roles/iam-user-self-manage.yaml
+++ b/config/roles/iam-user-self-manage.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-user-self-manage
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: User Self Manage
 kubernetes.io/description: "Allows users to manage their own user account."
diff --git a/config/roles/iam-viewer.yaml b/config/roles/iam-viewer.yaml
index 99279153..596176ed 100644
--- a/config/roles/iam-viewer.yaml
+++ b/config/roles/iam-viewer.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam-viewer
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: IAM Viewer
 kubernetes.io/description: "View IAM resources"
+ taxonomy.miloapis.com/product: "Identity & Access Management"
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/iam.miloapis.com-acceptinvitation.yaml b/config/roles/iam.miloapis.com-acceptinvitation.yaml
index 2396729f..14a65abf 100644
--- a/config/roles/iam.miloapis.com-acceptinvitation.yaml
+++ b/config/roles/iam.miloapis.com-acceptinvitation.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam.miloapis.com-acceptinvitation
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Accept Invitation
 kubernetes.io/description: Accept user invitations to join organizations
diff --git a/config/roles/iam.miloapis.com-getinvitation.yaml b/config/roles/iam.miloapis.com-getinvitation.yaml
index 0032e828..e0a1a6ac 100644
--- a/config/roles/iam.miloapis.com-getinvitation.yaml
+++ b/config/roles/iam.miloapis.com-getinvitation.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: iam.miloapis.com-getinvitation
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Get Invitation
 kubernetes.io/description: View user invitations
diff --git a/config/roles/identity-user-session-viewer.yaml b/config/roles/identity-user-session-viewer.yaml
index 9d71299e..b44e30f6 100644
--- a/config/roles/identity-user-session-viewer.yaml
+++ b/config/roles/identity-user-session-viewer.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: identity-user-session-viewer
+ labels:
+ taxonomy.miloapis.com/role-category: platform
 annotations:
 kubernetes.io/display-name: Identity User-Session Viewer
 kubernetes.io/description: "Allows viewing user sessions and user identities."
+ taxonomy.miloapis.com/product: "Identity & Access Management"
+ taxonomy.miloapis.com/sort-order: "30"
 spec:
 launchStage: Beta
 includedPermissions:
diff --git a/config/roles/notes-admin.yaml b/config/roles/notes-admin.yaml
index 11ffc36b..630e3a30 100644
--- a/config/roles/notes-admin.yaml
+++ b/config/roles/notes-admin.yaml
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notes-admin
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
 kubernetes.io/display-name: Notes Admin
 kubernetes.io/description: "Full administrative access to notes and cluster notes."
+ taxonomy.miloapis.com/product: "Notes"
+ taxonomy.miloapis.com/sort-order: "10"
 spec:
 launchStage: Beta
 inheritedRoles:
diff --git a/config/roles/notes-creator-editor.yaml b/config/roles/notes-creator-editor.yaml
index 9d2fd3c9..84579b16 100644
--- a/config/roles/notes-creator-editor.yaml
+++ b/config/roles/notes-creator-editor.yaml
@@ -2,7 +2,11 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notes-creator-editor
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
+ taxonomy.miloapis.com/product: "Notes"
+ taxonomy.miloapis.com/sort-order: "20"
 kubernetes.io/display-name: Notes Creator Editor
 kubernetes.io/description: "Allows the creator of a note to edit and delete their own note."
 spec:
diff --git a/config/roles/notes-creator.yaml b/config/roles/notes-creator.yaml
index 30a51b48..fac14842 100644
--- a/config/roles/notes-creator.yaml
+++ b/config/roles/notes-creator.yaml
@@ -2,7 +2,11 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notes-creator
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
+ taxonomy.miloapis.com/product: "Notes"
+ taxonomy.miloapis.com/sort-order: "20"
 kubernetes.io/display-name: Notes Creator
 kubernetes.io/description: "Allows creating notes and cluster notes."
 spec:
diff --git a/config/roles/notes-editor.yaml b/config/roles/notes-editor.yaml
index b51eb86c..6b0d6dc5 100644
--- a/config/roles/notes-editor.yaml
+++ b/config/roles/notes-editor.yaml
@@ -2,7 +2,11 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notes-editor
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
+ taxonomy.miloapis.com/product: "Notes"
+ taxonomy.miloapis.com/sort-order: "20"
 kubernetes.io/display-name: Notes Editor
 kubernetes.io/description: "Allows creating, editing, and deleting notes and cluster notes."
 spec:
diff --git a/config/roles/notes-viewer.yaml b/config/roles/notes-viewer.yaml
index 843d07f9..162dfeeb 100644
--- a/config/roles/notes-viewer.yaml
+++ b/config/roles/notes-viewer.yaml
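Review bot: In notes-creator-editor, notes-creator and notes-editor (and notes-viewer in the next hunk) the two taxonomy annotations are inserted immediately after `annotations:`, ahead of `kubernetes.io/display-name`, while every other file in the series appends them after `kubernetes.io/description`; for a uniform, grep-friendly layout the two lines `taxonomy.miloapis.com/product: "Notes"` and `taxonomy.miloapis.com/sort-order: "20"` should be moved below the description line. All three of these roles also share sort-order "20" under the "Notes" product, so their order in the portal depends on whatever tie-break the UI applies, if any; either confirm that or assign distinct values.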
@@ -2,7 +2,11 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notes-viewer
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
+ taxonomy.miloapis.com/product: "Notes"
+ taxonomy.miloapis.com/sort-order: "30"
 kubernetes.io/display-name: Notes Viewer
 kubernetes.io/description: "Allows viewing notes and cluster notes."
 spec:
diff --git a/config/roles/notification-contact-admin.yaml b/config/roles/notification-contact-admin.yaml
index c2067ade..d244d633 100644
--- a/config/roles/notification-contact-admin.yaml
+++ b/config/roles/notification-contact-admin.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notification-contact-admin
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
 kubernetes.io/display-name: Notification Contact Admin
 kubernetes.io/description: Full access to notification contacts
diff --git a/config/roles/notification-contact-editor.yaml b/config/roles/notification-contact-editor.yaml
index f62c7255..a2bae190 100644
--- a/config/roles/notification-contact-editor.yaml
+++ b/config/roles/notification-contact-editor.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
 name: notification-contact-editor
+ labels:
+ taxonomy.miloapis.com/role-category: feature
 annotations:
 kubernetes.io/display-name: Notification Contact Editor
 kubernetes.io/description: Create, update, and delete notification contacts
diff --git a/config/roles/notification-contact-group-admin.yaml b/config/roles/notification-contact-group-admin.yaml
index 70ff1417..066d4f7f 100644
--- a/config/roles/notification-contact-group-admin.yaml
+++ b/config/roles/notification-contact-group-admin.yaml
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-contact-group-admin + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Notification Contact Group Admin kubernetes.io/description: Full access to notification contact groups diff --git a/config/roles/notification-contact-group-editor.yaml b/config/roles/notification-contact-group-editor.yaml index 8519fa25..b7849fbf 100644 --- a/config/roles/notification-contact-group-editor.yaml +++ b/config/roles/notification-contact-group-editor.yaml @@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-contact-group-editor + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Notification Contact Group Editor kubernetes.io/description: Create, update, and delete notification contact groups diff --git a/config/roles/notification-contact-group-membership-admin.yaml b/config/roles/notification-contact-group-membership-admin.yaml index cad30f27..f3acf94a 100644 --- a/config/roles/notification-contact-group-membership-admin.yaml +++ b/config/roles/notification-contact-group-membership-admin.yaml @@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-contact-group-membership-admin + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Contact Group Membership Admin kubernetes.io/description: Full access to notification contact group memberships diff --git a/config/roles/notification-contact-group-membership-editor.yaml b/config/roles/notification-contact-group-membership-editor.yaml index ff3a6e46..23d085f6 100644 --- a/config/roles/notification-contact-group-membership-editor.yaml +++ b/config/roles/notification-contact-group-membership-editor.yaml 
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-contact-group-membership-editor + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Contact Group Membership Editor kubernetes.io/description: Create, update, and delete notification contact group memberships diff --git a/config/roles/notification-contact-group-membership-reader.yaml b/config/roles/notification-contact-group-membership-reader.yaml index 4ae3663f..62a9ed89 100644 --- a/config/roles/notification-contact-group-membership-reader.yaml +++ b/config/roles/notification-contact-group-membership-reader.yaml @@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-contact-group-membership-reader + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Contact Group Membership Viewer kubernetes.io/description: View notification contact group memberships diff --git a/config/roles/notification-contact-group-membership-removal-admin.yaml b/config/roles/notification-contact-group-membership-removal-admin.yaml index 79015361..2094d2a4 100644 --- a/config/roles/notification-contact-group-membership-removal-admin.yaml +++ b/config/roles/notification-contact-group-membership-removal-admin.yaml @@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-contact-group-membership-removal-admin + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Contact Group Membership Removal Admin kubernetes.io/description: Full access to notification contact group membership removals diff --git a/config/roles/notification-contact-group-membership-removal-editor.yaml b/config/roles/notification-contact-group-membership-removal-editor.yaml index f847fb21..9d9b706f 100644 --- a/config/roles/notification-contact-group-membership-removal-editor.yaml 
+++ b/config/roles/notification-contact-group-membership-removal-editor.yaml @@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-contact-group-membership-removal-editor + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Contact Group Membership Removal Editor kubernetes.io/description: Create, update, and delete notification contact group membership removals diff --git a/config/roles/notification-contact-group-membership-removal-reader.yaml b/config/roles/notification-contact-group-membership-removal-reader.yaml index b0caef12..a6c88186 100644 --- a/config/roles/notification-contact-group-membership-removal-reader.yaml +++ b/config/roles/notification-contact-group-membership-removal-reader.yaml @@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-contact-group-membership-removal-reader + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Contact Group Membership Removal Viewer kubernetes.io/description: View notification contact group membership removals diff --git a/config/roles/notification-contact-group-reader.yaml b/config/roles/notification-contact-group-reader.yaml index 65b52199..6862a05f 100644 --- a/config/roles/notification-contact-group-reader.yaml +++ b/config/roles/notification-contact-group-reader.yaml @@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-contact-group-reader + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Notification Contact Group Viewer kubernetes.io/description: View notification contact groups diff --git a/config/roles/notification-contact-reader.yaml b/config/roles/notification-contact-reader.yaml index 815df645..22d53669 100644 --- a/config/roles/notification-contact-reader.yaml +++ b/config/roles/notification-contact-reader.yaml 
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-contact-reader + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Notification Contact Viewer kubernetes.io/description: View notification contacts diff --git a/config/roles/notification-email-admin.yaml b/config/roles/notification-email-admin.yaml index ba43af0b..28817ca1 100644 --- a/config/roles/notification-email-admin.yaml +++ b/config/roles/notification-email-admin.yaml @@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-email-admin + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Notification Email Admin kubernetes.io/description: Full access to notification emails diff --git a/config/roles/notification-email-broadcast-admin.yaml b/config/roles/notification-email-broadcast-admin.yaml index 7141f924..30251012 100644 --- a/config/roles/notification-email-broadcast-admin.yaml +++ b/config/roles/notification-email-broadcast-admin.yaml @@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-email-broadcast-admin + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Email Broadcast Admin kubernetes.io/description: Full access to email broadcasts diff --git a/config/roles/notification-email-broadcast-creator.yaml b/config/roles/notification-email-broadcast-creator.yaml index de2733c2..e29fc502 100644 --- a/config/roles/notification-email-broadcast-creator.yaml +++ b/config/roles/notification-email-broadcast-creator.yaml @@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-email-broadcast-creator + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Email Broadcast Creator kubernetes.io/description: Create and delete email broadcasts 
diff --git a/config/roles/notification-email-broadcast-reader.yaml b/config/roles/notification-email-broadcast-reader.yaml index 12a5f7d2..f4970086 100644 --- a/config/roles/notification-email-broadcast-reader.yaml +++ b/config/roles/notification-email-broadcast-reader.yaml @@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-email-broadcast-reader + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Email Broadcast Viewer kubernetes.io/description: View email broadcasts diff --git a/config/roles/notification-email-creator.yaml b/config/roles/notification-email-creator.yaml index 05fc037c..ccc39cbf 100644 --- a/config/roles/notification-email-creator.yaml +++ b/config/roles/notification-email-creator.yaml @@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-email-creator + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Notification Email Creator kubernetes.io/description: Create notification emails diff --git a/config/roles/notification-email-reader.yaml b/config/roles/notification-email-reader.yaml index 49e737ec..44f750e1 100644 --- a/config/roles/notification-email-reader.yaml +++ b/config/roles/notification-email-reader.yaml @@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: notification-email-reader + labels: + taxonomy.miloapis.com/role-category: feature annotations: kubernetes.io/display-name: Notification Email Viewer kubernetes.io/description: View notification emails diff --git a/config/roles/organization-admin.yaml b/config/roles/organization-admin.yaml index e9bf5877..96ba05d5 100644 --- a/config/roles/organization-admin.yaml +++ b/config/roles/organization-admin.yaml 
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: resourcemanager.miloapis.com-organization-admin + labels: + taxonomy.miloapis.com/role-category: platform annotations: kubernetes.io/display-name: Organization Admin kubernetes.io/description: "Full access to all organization and organization membership resources" + taxonomy.miloapis.com/product: "Organization & Projects" + taxonomy.miloapis.com/sort-order: "10" spec: launchStage: Beta inheritedRoles: diff --git a/config/roles/organization-viewer.yaml b/config/roles/organization-viewer.yaml index 3200431f..251ca697 100644 --- a/config/roles/organization-viewer.yaml +++ b/config/roles/organization-viewer.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: resourcemanager.miloapis.com-organization-viewer + labels: + taxonomy.miloapis.com/role-category: platform annotations: kubernetes.io/display-name: Organization Viewer kubernetes.io/description: "View access to all organization and organization membership resources" + taxonomy.miloapis.com/product: "Organization & Projects" + taxonomy.miloapis.com/sort-order: "30" spec: launchStage: Beta inheritedRoles: diff --git a/config/roles/organizationmembership-admin.yaml b/config/roles/organizationmembership-admin.yaml index 4342413d..e188dd04 100644 --- a/config/roles/organizationmembership-admin.yaml +++ b/config/roles/organizationmembership-admin.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: organizationmembership-admin + labels: + taxonomy.miloapis.com/role-category: platform annotations: kubernetes.io/display-name: Organization Membership Admin kubernetes.io/description: "Full access to all organization membership resources" + taxonomy.miloapis.com/product: "Organization & Projects" + taxonomy.miloapis.com/sort-order: "10" spec: launchStage: Beta inheritedRoles: 
diff --git a/config/roles/organizationmembership-editor.yaml b/config/roles/organizationmembership-editor.yaml index ab114449..0dee2fab 100644 --- a/config/roles/organizationmembership-editor.yaml +++ b/config/roles/organizationmembership-editor.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: organizationmembership-editor + labels: + taxonomy.miloapis.com/role-category: platform annotations: kubernetes.io/display-name: Organization Membership Editor kubernetes.io/description: "Edit organization membership resources" + taxonomy.miloapis.com/product: "Organization & Projects" + taxonomy.miloapis.com/sort-order: "20" spec: launchStage: Beta inheritedRoles: diff --git a/config/roles/organizationmembership-reader.yaml b/config/roles/organizationmembership-reader.yaml index e6e061ab..aff27c3b 100644 --- a/config/roles/organizationmembership-reader.yaml +++ b/config/roles/organizationmembership-reader.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: organizationmembership-reader + labels: + taxonomy.miloapis.com/role-category: platform annotations: kubernetes.io/display-name: Organization Membership Reader kubernetes.io/description: "View organization membership resources" + taxonomy.miloapis.com/product: "Organization & Projects" + taxonomy.miloapis.com/sort-order: "30" spec: launchStage: Beta includedPermissions: diff --git a/config/roles/organizationmembership-self-delete.yaml b/config/roles/organizationmembership-self-delete.yaml index c918769c..c73a7b8b 100644 --- a/config/roles/organizationmembership-self-delete.yaml +++ b/config/roles/organizationmembership-self-delete.yaml 
@@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: organizationmembership-self-delete + labels: + taxonomy.miloapis.com/role-category: platform annotations: kubernetes.io/display-name: Organization Membership Self Delete kubernetes.io/description: "Allows a user to delete their own organization membership" + taxonomy.miloapis.com/product: "Organization & Projects" + taxonomy.miloapis.com/sort-order: "40" spec: launchStage: Beta includedPermissions: diff --git a/config/roles/owner.yaml b/config/roles/owner.yaml index 87031dfa..23cfa087 100644 --- a/config/roles/owner.yaml +++ b/config/roles/owner.yaml @@ -2,10 +2,12 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: owner + labels: + taxonomy.miloapis.com/role-category: platform annotations: kubernetes.io/display-name: Owner kubernetes.io/description: Full access to all platform resources including resource management, IAM, and core platform - taxonomy.miloapis.com/product: Organization & Projects + taxonomy.miloapis.com/product: Access Everything taxonomy.miloapis.com/sort-order: "10" spec: launchStage: Beta diff --git a/config/roles/project-admin.yaml b/config/roles/project-admin.yaml index 15b398ec..93dc9e13 100644 --- a/config/roles/project-admin.yaml +++ b/config/roles/project-admin.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: resourcemanager.miloapis.com-project-admin + labels: + taxonomy.miloapis.com/role-category: platform annotations: kubernetes.io/display-name: Project Admin kubernetes.io/description: "Full access to all project resources" + taxonomy.miloapis.com/product: "Organization & Projects" + taxonomy.miloapis.com/sort-order: "10" spec: launchStage: Beta inheritedRoles: diff --git a/config/roles/project-manager.yaml b/config/roles/project-manager.yaml index a937dbc8..de3baa57 100644 --- a/config/roles/project-manager.yaml +++ b/config/roles/project-manager.yaml 
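Review bot: `taxonomy.miloapis.com/product: Access Everything` in owner.yaml is the only product value in this patch written unquoted; every other one is double-quoted (`"Notes"`, `"Organization & Projects"`). Both forms parse to the same string here, so this is style, but the doc added in the same patch is split the same way (`"DNS"` in the annotation section, bare `DNS` in the full example), so one rule should be picked and used in both places. Since annotation values must be strings and `sort-order` already has to be quoted to stay one, quoting every taxonomy value is the simpler rule: `taxonomy.miloapis.com/product: "Access Everything"`.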
@@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: project-manager + labels: + taxonomy.miloapis.com/role-category: platform annotations: kubernetes.io/display-name: Project Manager kubernetes.io/description: Full access to projects including create, update, and delete diff --git a/config/roles/project-viewer.yaml b/config/roles/project-viewer.yaml index c3caf709..32726c20 100644 --- a/config/roles/project-viewer.yaml +++ b/config/roles/project-viewer.yaml @@ -2,9 +2,13 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: resourcemanager.miloapis.com-project-viewer + labels: + taxonomy.miloapis.com/role-category: platform annotations: kubernetes.io/display-name: Project Viewer kubernetes.io/description: "View access to all project resources" + taxonomy.miloapis.com/product: "Organization & Projects" + taxonomy.miloapis.com/sort-order: "30" spec: launchStage: Beta includedPermissions: diff --git a/config/roles/resourcemanager-admin.yaml b/config/roles/resourcemanager-admin.yaml index c97c5668..413a0dfa 100644 --- a/config/roles/resourcemanager-admin.yaml +++ b/config/roles/resourcemanager-admin.yaml @@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: resourcemanager-admin + labels: + taxonomy.miloapis.com/role-category: platform annotations: kubernetes.io/display-name: Resource Manager Admin kubernetes.io/description: Full access to manage organizations and projects diff --git a/config/roles/resourcemanager-editor.yaml b/config/roles/resourcemanager-editor.yaml index f8088afc..49ced040 100644 --- a/config/roles/resourcemanager-editor.yaml +++ b/config/roles/resourcemanager-editor.yaml @@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: resourcemanager-editor + labels: + taxonomy.miloapis.com/role-category: platform annotations: kubernetes.io/display-name: Resource Manager Editor kubernetes.io/description: Edit access to organizations and projects 
diff --git a/config/roles/resourcemanager-reader.yaml b/config/roles/resourcemanager-reader.yaml index 62f7954d..71b707d2 100644 --- a/config/roles/resourcemanager-reader.yaml +++ b/config/roles/resourcemanager-reader.yaml @@ -2,6 +2,8 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: resourcemanager-reader + labels: + taxonomy.miloapis.com/role-category: platform annotations: kubernetes.io/display-name: Resource Manager Viewer kubernetes.io/description: View access to organizations and projects diff --git a/config/services/quota/iam/roles/organization-quota-manager.yaml b/config/services/quota/iam/roles/organization-quota-manager.yaml index f9aef2bc..42135404 100644 --- a/config/services/quota/iam/roles/organization-quota-manager.yaml +++ b/config/services/quota/iam/roles/organization-quota-manager.yaml @@ -6,10 +6,13 @@ metadata: annotations: kubernetes.io/display-name: Organization Quota Manager kubernetes.io/description: View quota usage, grants, and claims across the organization + taxonomy.miloapis.com/product: "Quota" + taxonomy.miloapis.com/sort-order: "20" labels: quota.miloapis.com/role-type: organization-manager quota.miloapis.com/service: quota quota.miloapis.com/scope: organization + taxonomy.miloapis.com/role-category: platform spec: launchStage: Beta includedPermissions: diff --git a/config/services/quota/iam/roles/quota-admin.yaml b/config/services/quota/iam/roles/quota-admin.yaml index aedfe555..e81c2907 100644 --- a/config/services/quota/iam/roles/quota-admin.yaml +++ b/config/services/quota/iam/roles/quota-admin.yaml @@ -11,6 +11,7 @@ metadata: labels: quota.miloapis.com/role-type: admin quota.miloapis.com/service: quota + taxonomy.miloapis.com/role-category: platform spec: launchStage: Beta includedPermissions: diff --git a/config/services/quota/iam/roles/quota-manager.yaml b/config/services/quota/iam/roles/quota-manager.yaml index 626cdef8..8c86318c 100644 --- a/config/services/quota/iam/roles/quota-manager.yaml 
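Review bot: organization-quota-manager gets `taxonomy.miloapis.com/sort-order: "20"`, the editor/manager slot in the taxonomy table, while the description on the line above it reads "View quota usage, grants, and claims across the organization". One of the two is off: if the role is view-only, `"30"` is the documented value; if it actually manages quota, the description understates what it grants, which matters more in a role picker than the ordering does. The `includedPermissions` list that would settle it is outside the hunk.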
+++ b/config/services/quota/iam/roles/quota-manager.yaml @@ -11,6 +11,7 @@ metadata: labels: quota.miloapis.com/role-type: manager quota.miloapis.com/service: quota + taxonomy.miloapis.com/role-category: platform spec: launchStage: Beta includedPermissions: diff --git a/config/services/quota/iam/roles/quota-operator.yaml b/config/services/quota/iam/roles/quota-operator.yaml index 7d0cff37..118acc2c 100644 --- a/config/services/quota/iam/roles/quota-operator.yaml +++ b/config/services/quota/iam/roles/quota-operator.yaml @@ -11,6 +11,7 @@ metadata: labels: quota.miloapis.com/role-type: operator quota.miloapis.com/service: quota + taxonomy.miloapis.com/role-category: platform spec: launchStage: Beta includedPermissions: diff --git a/config/services/quota/iam/roles/quota-viewer.yaml b/config/services/quota/iam/roles/quota-viewer.yaml index 0cf26a5c..3e338a88 100644 --- a/config/services/quota/iam/roles/quota-viewer.yaml +++ b/config/services/quota/iam/roles/quota-viewer.yaml @@ -6,9 +6,12 @@ metadata: annotations: kubernetes.io/display-name: Quota Viewer kubernetes.io/description: View access to quota resources including resource registrations, grants, and claims + taxonomy.miloapis.com/product: "Quota" + taxonomy.miloapis.com/sort-order: "40" labels: quota.miloapis.com/role-type: viewer quota.miloapis.com/service: quota + taxonomy.miloapis.com/role-category: platform spec: launchStage: Beta includedPermissions: diff --git a/docs/architecture/identity-and-access-management/role-taxonomy.md b/docs/architecture/identity-and-access-management/role-taxonomy.md new file mode 100644 index 00000000..c8db82e3 --- /dev/null +++ b/docs/architecture/identity-and-access-management/role-taxonomy.md 
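Review bot: quota-viewer gets `taxonomy.miloapis.com/sort-order: "40"`, which the table in role-taxonomy.md (added later in this same patch) reserves for scoped self-service roles, while every other viewer/reader in the patch (notes-viewer, organization-viewer, project-viewer, organizationmembership-reader) uses `"30"`. Unless the Quota group intentionally skips 30, change it to `taxonomy.miloapis.com/sort-order: "30"` so the group sorts like the others. If 40 is deliberate, the table needs a row explaining the exception.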
@@ -0,0 +1,74 @@ +# IAM Role Taxonomy + +IAM roles are classified with annotations and labels under the `taxonomy.miloapis.com` prefix to support UI grouping, filtering, and display ordering. + +## Labels + +Labels are used for **filtering and selection** (e.g., `filterByLabel` in the cloud portal). + +### `taxonomy.miloapis.com/role-category` + +Classifies what kind of concern the role governs. + +| Value | Description | Examples | +|---|---|---| +| `platform` | Cross-cutting platform concerns present in every deployment — IAM, resource management, org/project hierarchy, quota, and core primitives. | `iam-admin`, `resourcemanager-admin`, `quota-admin`, `owner` | +| `service` | Infrastructure or data-plane services that teams deploy and operate independently. | `dns-admin`, `network-admin`, `activity-admin`, `search-admin` | +| `feature` | Product capabilities that end-users interact with directly. | `crm-note-admin`, `notification-contact-admin` | + +**Every role file must include this label:** + +```yaml +metadata: + labels: + taxonomy.miloapis.com/role-category: service # platform | service | feature +``` + +## Annotations + +Annotations are used for **display metadata** (grouping headers, sort order, human-readable names). + +### `taxonomy.miloapis.com/product` + +The product group name shown as a header in the UI role picker. + +```yaml +annotations: + taxonomy.miloapis.com/product: "DNS" +``` + +### `taxonomy.miloapis.com/sort-order` + +Controls the ordering of roles within a product group. Use multiples of 10. 
+ +| Sort order | Conventional meaning | +|---|---| +| `"10"` | Admin / full access | +| `"20"` | Editor / manager / operator | +| `"30"` | Viewer / reader | +| `"40"` | Scoped self-service roles | + +```yaml +annotations: + taxonomy.miloapis.com/sort-order: "10" +``` + +## Full example + +```yaml +apiVersion: iam.miloapis.com/v1alpha1 +kind: Role +metadata: + name: dns-admin + labels: + taxonomy.miloapis.com/role-category: service + annotations: + kubernetes.io/display-name: DNS Admin + kubernetes.io/description: Full administrative access to DNS zones and records. + taxonomy.miloapis.com/product: DNS + taxonomy.miloapis.com/sort-order: "10" +spec: + launchStage: Beta + inheritedRoles: + - name: dns-editor +``` From e15d41a3166f15cee1fd35ad9e4c3ccecdab16e8 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Sun, 15 Mar 2026 21:01:13 +0000 Subject: [PATCH 4/6] chore: add missing newlines at end of files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🤖 Automatically added newlines to 4 file(s) Co-Authored-By: github-actions[bot] --- config/roles/organizationmembership-admin.yaml | 2 +- config/roles/organizationmembership-editor.yaml | 2 +- config/roles/organizationmembership-reader.yaml | 2 +- config/roles/project-viewer.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/roles/organizationmembership-admin.yaml b/config/roles/organizationmembership-admin.yaml index e188dd04..a53147c7 100644 --- a/config/roles/organizationmembership-admin.yaml +++ b/config/roles/organizationmembership-admin.yaml @@ -12,4 +12,4 @@ metadata: spec: launchStage: Beta inheritedRoles: - - name: organizationmembership-editor \ No newline at end of file + - name: organizationmembership-editor diff --git a/config/roles/organizationmembership-editor.yaml b/config/roles/organizationmembership-editor.yaml index 0dee2fab..bc721069 100644 --- a/config/roles/organizationmembership-editor.yaml 
+++ b/config/roles/organizationmembership-editor.yaml @@ -17,4 +17,4 @@ spec: - resourcemanager.miloapis.com/organizationmemberships.create - resourcemanager.miloapis.com/organizationmemberships.update - resourcemanager.miloapis.com/organizationmemberships.patch - - resourcemanager.miloapis.com/organizationmemberships.delete \ No newline at end of file + - resourcemanager.miloapis.com/organizationmemberships.delete diff --git a/config/roles/organizationmembership-reader.yaml b/config/roles/organizationmembership-reader.yaml index aff27c3b..781f3a14 100644 --- a/config/roles/organizationmembership-reader.yaml +++ b/config/roles/organizationmembership-reader.yaml @@ -14,4 +14,4 @@ spec: includedPermissions: - resourcemanager.miloapis.com/organizationmemberships.get - resourcemanager.miloapis.com/organizationmemberships.list - - resourcemanager.miloapis.com/organizationmemberships.watch \ No newline at end of file + - resourcemanager.miloapis.com/organizationmemberships.watch diff --git a/config/roles/project-viewer.yaml b/config/roles/project-viewer.yaml index 32726c20..b4ac45ff 100644 --- a/config/roles/project-viewer.yaml +++ b/config/roles/project-viewer.yaml @@ -14,4 +14,4 @@ spec: includedPermissions: - resourcemanager.miloapis.com/projects.get - resourcemanager.miloapis.com/projects.list - - resourcemanager.miloapis.com/projects.watch \ No newline at end of file + - resourcemanager.miloapis.com/projects.watch From f5ae5c070d71a5859a49076e15ce4afefa5d6ebf Mon Sep 17 00:00:00 2001 
From: Kevin Date: Mon, 30 Mar 2026 10:28:53 -0700 Subject: [PATCH 5/6] =?UTF-8?q?chore:=20address=20taxonomy=20feedback=20?= =?UTF-8?q?=E2=80=94=20reclassify=20roles=20as=20service=20and=20fix=20quo?= =?UTF-8?q?ta=20namespace?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Change role-category from 'platform' to 'service' for all non-owner roles per feedback that 'platform' should be reserved for top-level owner/editor/viewer - Add missing taxonomy labels to new iam-organization-admin/editor/viewer roles - Remove hardcoded 'namespace: milo-system' from quota roles so they deploy to datum-cloud namespace and appear in the portal role selector --- .../organization-creator-role.yaml | 2 +- config/roles/apiextensions-reader.yaml | 2 +- config/roles/core-admin.yaml | 2 +- config/roles/core-editor.yaml | 2 +- config/roles/core-reader.yaml | 2 +- config/roles/iam-admin.yaml | 2 +- config/roles/iam-editor.yaml | 2 +- config/roles/iam-organization-admin.yaml | 4 ++++ config/roles/iam-organization-editor.yaml | 4 ++++ config/roles/iam-organization-viewer.yaml | 4 ++++ .../iam-platform-access-approvals-admin.yaml | 2 +- .../iam-platform-access-approvals-editor.yaml | 2 +- .../iam-platform-access-approvals-reader.yaml | 2 +- .../iam-platform-access-rejections-admin.yaml | 2 +- ...iam-platform-access-rejections-editor.yaml | 2 +- ...iam-platform-access-rejections-reader.yaml | 2 +- .../roles/iam-platform-invitations-admin.yaml | 2 +- .../iam-platform-invitations-editor.yaml | 2 +- .../iam-platform-invitations-reader.yaml | 2 +- config/roles/iam-role-admin.yaml | 2 +- config/roles/iam-role-editor.yaml | 2 +- config/roles/iam-role-reader.yaml | 2 +- .../roles/iam-user-deactivations-admin.yaml | 2 +- .../roles/iam-user-deactivations-editor.yaml | 2 +- .../roles/iam-user-deactivations-reader.yaml | 2 +- config/roles/iam-user-invitations-admin.yaml | 2 +- config/roles/iam-user-invitations-editor.yaml | 2 +- 
config/roles/iam-user-invitations-reader.yaml | 2 +- .../roles/iam-user-preferences-manager.yaml | 2 +- config/roles/iam-user-self-manage.yaml | 2 +- config/roles/iam-viewer.yaml | 2 +- .../iam.miloapis.com-acceptinvitation.yaml | 2 +- .../roles/iam.miloapis.com-getinvitation.yaml | 2 +- .../roles/identity-user-session-viewer.yaml | 2 +- config/roles/organization-admin.yaml | 2 +- config/roles/organization-viewer.yaml | 2 +- .../roles/organizationmembership-admin.yaml | 2 +- .../roles/organizationmembership-editor.yaml | 2 +- .../roles/organizationmembership-reader.yaml | 2 +- .../organizationmembership-self-delete.yaml | 2 +- config/roles/project-admin.yaml | 2 +- config/roles/project-manager.yaml | 2 +- config/roles/project-viewer.yaml | 2 +- config/roles/resourcemanager-admin.yaml | 2 +- config/roles/resourcemanager-editor.yaml | 2 +- config/roles/resourcemanager-reader.yaml | 2 +- .../iam/roles/organization-quota-manager.yaml | 3 +-- .../services/quota/iam/roles/quota-admin.yaml | 3 +-- .../quota/iam/roles/quota-manager.yaml | 3 +-- .../quota/iam/roles/quota-operator.yaml | 3 +-- .../quota/iam/roles/quota-viewer.yaml | 3 +-- .../apiserver/identity/sessions/dynamic.go | 20 +++++++++++++------ .../identity/useridentities/dynamic.go | 20 +++++++++++++------ 53 files changed, 88 insertions(+), 65 deletions(-) diff --git a/config/optional-policies/organization-creator-policy/organization-creator-role.yaml b/config/optional-policies/organization-creator-policy/organization-creator-role.yaml index e24e1524..5907441e 100644 --- a/config/optional-policies/organization-creator-policy/organization-creator-role.yaml +++ b/config/optional-policies/organization-creator-policy/organization-creator-role.yaml @@ -3,7 +3,7 @@ kind: Role metadata: name: organization-creator labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service namespace: milo-system annotations: kubernetes.io/display-name: Organization Creator 
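Review bot: organization-creator-role.yaml keeps `namespace: milo-system` in this hunk, while the commit description says the same pin was removed from the quota roles precisely so that they deploy to the datum-cloud namespace and appear in the portal role selector; nothing records whether this optional-policy role is meant to stay out of the selector. A one-line comment above the pin, for example `# namespace pinned on purpose: <reason>` (placeholder), would keep a later cleanup pass from removing it by analogy. The collapsed rendering also hides the indentation of `namespace`, so whether it is `metadata.namespace` or a key inside `labels` cannot be confirmed from this view. Separately, the diffstat lists 20-line changes to the two `dynamic.go` files under apiserver/identity that none of the description's three bullets mention; in an otherwise label-only commit those deserve a bullet of their own.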
diff --git a/config/roles/apiextensions-reader.yaml b/config/roles/apiextensions-reader.yaml index a32663da..6176292b 100644 --- a/config/roles/apiextensions-reader.yaml +++ b/config/roles/apiextensions-reader.yaml @@ -3,7 +3,7 @@ kind: Role metadata: name: apiextensions-reader labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: API Extensions Viewer kubernetes.io/description: View access to custom resource definitions diff --git a/config/roles/core-admin.yaml b/config/roles/core-admin.yaml index 97757097..8ee44cb3 100644 --- a/config/roles/core-admin.yaml +++ b/config/roles/core-admin.yaml @@ -3,7 +3,7 @@ kind: Role metadata: name: core-admin labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Core Admin kubernetes.io/description: Full access to core platform resources including secrets, configmaps, and namespaces diff --git a/config/roles/core-editor.yaml b/config/roles/core-editor.yaml index 71c2e0cb..b47a0238 100644 --- a/config/roles/core-editor.yaml +++ b/config/roles/core-editor.yaml @@ -3,7 +3,7 @@ kind: Role metadata: name: core-editor labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Core Editor kubernetes.io/description: Edit access to core platform resources including secrets, configmaps, and namespaces diff --git a/config/roles/core-reader.yaml b/config/roles/core-reader.yaml index f690a162..2d22e137 100644 --- a/config/roles/core-reader.yaml +++ b/config/roles/core-reader.yaml 
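Review bot: reclassifying apiextensions-reader, core-admin, core-editor and the other IAM, resourcemanager and quota roles from `platform` to `service` contradicts the role-category table in docs/architecture/identity-and-access-management/role-taxonomy.md, which still defines `platform` as "IAM, resource management, org/project hierarchy, quota, and core primitives" and lists `iam-admin`, `resourcemanager-admin` and `quota-admin` as its examples, and the diffstat shows no change to that file. Update the table to the rule the commit message states, `platform` reserved for the top-level owner/editor/viewer roles, and move those examples to the `service` row, otherwise the doc tells the next author to do the opposite of this commit. The `service` row's wording ("services that teams deploy and operate independently") also fits core-admin's secrets, configmaps and namespaces access poorly, so the row descriptions probably need rewording rather than just the examples.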
@@ -3,7 +3,7 @@ kind: Role metadata: name: core-reader labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Core Reader kubernetes.io/description: View access to core platform resources including secrets, configmaps, and namespaces
diff --git a/config/roles/iam-admin.yaml b/config/roles/iam-admin.yaml
index 5e810944..f40869fb 100644
--- a/config/roles/iam-admin.yaml
+++ b/config/roles/iam-admin.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-admin labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: IAM Admin kubernetes.io/description: "Full access to all IAM resources"
diff --git a/config/roles/iam-editor.yaml b/config/roles/iam-editor.yaml
index 2c85a4ae..d269b253 100644
--- a/config/roles/iam-editor.yaml
+++ b/config/roles/iam-editor.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-editor labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: IAM Editor kubernetes.io/description: "Edit IAM resources"
diff --git a/config/roles/iam-organization-admin.yaml b/config/roles/iam-organization-admin.yaml
index 06eea7dc..58b8a4bd 100644
--- a/config/roles/iam-organization-admin.yaml
+++ b/config/roles/iam-organization-admin.yaml
@@ -2,8 +2,12 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: iam-organization-admin + labels: + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: IAM Organization Admin + taxonomy.miloapis.com/product: "Identity & Access Management" + taxonomy.miloapis.com/sort-order: "10" kubernetes.io/description: "Full access to organization-scoped IAM resources" spec: launchStage: Beta
diff --git a/config/roles/iam-organization-editor.yaml b/config/roles/iam-organization-editor.yaml
index cc0fc838..cf9fb14b 100644
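Review bot: In the `iam-organization-admin` hunk the two new annotations are inserted between `kubernetes.io/display-name` and `kubernetes.io/description`, splitting the pair of `kubernetes.io/*` keys; placing `taxonomy.miloapis.com/product` and `taxonomy.miloapis.com/sort-order` together after `kubernetes.io/description` keeps each prefix grouped, the way `role-category` sits alone under its own `labels:` key. The identical layout is used in the `iam-organization-editor` and `iam-organization-viewer` hunks on the next line. Quoting `sort-order` as `"10"` is correct, since annotation values are strings and an unquoted `10` would be re-typed by generic YAML tooling.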
--- a/config/roles/iam-organization-editor.yaml
+++ b/config/roles/iam-organization-editor.yaml
@@ -2,8 +2,12 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: iam-organization-editor + labels: + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: IAM Organization Editor + taxonomy.miloapis.com/product: "Identity & Access Management" + taxonomy.miloapis.com/sort-order: "20" kubernetes.io/description: "Edit organization-scoped IAM resources" spec: launchStage: Beta
diff --git a/config/roles/iam-organization-viewer.yaml b/config/roles/iam-organization-viewer.yaml
index a2aed4e8..ae118589 100644
--- a/config/roles/iam-organization-viewer.yaml
+++ b/config/roles/iam-organization-viewer.yaml
@@ -2,8 +2,12 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: iam-organization-viewer + labels: + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: IAM Organization Viewer + taxonomy.miloapis.com/product: "Identity & Access Management" + taxonomy.miloapis.com/sort-order: "30" kubernetes.io/description: "View organization-scoped IAM resources" spec: launchStage: Beta
diff --git a/config/roles/iam-platform-access-approvals-admin.yaml b/config/roles/iam-platform-access-approvals-admin.yaml
index 5f61a7e0..25b87090 100644
--- a/config/roles/iam-platform-access-approvals-admin.yaml
+++ b/config/roles/iam-platform-access-approvals-admin.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-platform-access-approvals-admin labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Platform Access Approval Admin kubernetes.io/description: Full access to platform access approvals
diff --git a/config/roles/iam-platform-access-approvals-editor.yaml b/config/roles/iam-platform-access-approvals-editor.yaml
index ac953e23..2bcd1797 100644
--- a/config/roles/iam-platform-access-approvals-editor.yaml
+++ b/config/roles/iam-platform-access-approvals-editor.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-platform-access-approvals-editor labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Platform Access Approval Editor kubernetes.io/description: Create, update, and delete platform access approvals
diff --git a/config/roles/iam-platform-access-approvals-reader.yaml b/config/roles/iam-platform-access-approvals-reader.yaml
index 14c57d8e..a6622b91 100644
--- a/config/roles/iam-platform-access-approvals-reader.yaml
+++ b/config/roles/iam-platform-access-approvals-reader.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-platform-access-approvals-reader labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Platform Access Approval Viewer kubernetes.io/description: View platform access approvals
diff --git a/config/roles/iam-platform-access-rejections-admin.yaml b/config/roles/iam-platform-access-rejections-admin.yaml
index d89f0166..2d22d73c 100644
--- a/config/roles/iam-platform-access-rejections-admin.yaml
+++ b/config/roles/iam-platform-access-rejections-admin.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-platform-access-rejections-admin labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Platform Access Rejection Admin kubernetes.io/description: Full access to platform access rejections
diff --git a/config/roles/iam-platform-access-rejections-editor.yaml b/config/roles/iam-platform-access-rejections-editor.yaml
index c4a2ffce..b96ac3aa 100644
--- a/config/roles/iam-platform-access-rejections-editor.yaml
+++ b/config/roles/iam-platform-access-rejections-editor.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-platform-access-rejections-editor labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Platform Access Rejection Editor kubernetes.io/description: Create, update, and delete platform access rejections
diff --git a/config/roles/iam-platform-access-rejections-reader.yaml b/config/roles/iam-platform-access-rejections-reader.yaml
index 4741c050..849447ec 100644
--- a/config/roles/iam-platform-access-rejections-reader.yaml
+++ b/config/roles/iam-platform-access-rejections-reader.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-platform-access-rejections-reader labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Platform Access Rejection Viewer kubernetes.io/description: View platform access rejections
diff --git a/config/roles/iam-platform-invitations-admin.yaml b/config/roles/iam-platform-invitations-admin.yaml
index 7e09eee8..2593cc4b 100644
--- a/config/roles/iam-platform-invitations-admin.yaml
+++ b/config/roles/iam-platform-invitations-admin.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-platform-invitations-admin labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Platform Invitation Admin kubernetes.io/description: Full access to platform invitations
diff --git a/config/roles/iam-platform-invitations-editor.yaml b/config/roles/iam-platform-invitations-editor.yaml
index e149c72f..3a6fc5f4 100644
--- a/config/roles/iam-platform-invitations-editor.yaml
+++ b/config/roles/iam-platform-invitations-editor.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-platform-invitations-editor labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Platform Invitation Editor kubernetes.io/description: Create, update, and delete platform invitations
diff --git a/config/roles/iam-platform-invitations-reader.yaml b/config/roles/iam-platform-invitations-reader.yaml
index 42d95414..b273daac 100644
--- a/config/roles/iam-platform-invitations-reader.yaml
+++ b/config/roles/iam-platform-invitations-reader.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-platform-invitations-reader labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Platform Invitation Viewer kubernetes.io/description: View platform invitations
diff --git a/config/roles/iam-role-admin.yaml b/config/roles/iam-role-admin.yaml
index 0d49734a..2f35c517 100644
--- a/config/roles/iam-role-admin.yaml
+++ b/config/roles/iam-role-admin.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: role-admin labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Role Admin kubernetes.io/description: Full access to IAM roles
diff --git a/config/roles/iam-role-editor.yaml b/config/roles/iam-role-editor.yaml
index d2afbbff..523e2110 100644
--- a/config/roles/iam-role-editor.yaml
+++ b/config/roles/iam-role-editor.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: role-editor labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Role Editor kubernetes.io/description: Create, update, and delete IAM roles
diff --git a/config/roles/iam-role-reader.yaml b/config/roles/iam-role-reader.yaml
index 27204cc2..2937e44f 100644
--- a/config/roles/iam-role-reader.yaml
+++ b/config/roles/iam-role-reader.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: role-reader labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Role Viewer kubernetes.io/description: View IAM roles
diff --git a/config/roles/iam-user-deactivations-admin.yaml b/config/roles/iam-user-deactivations-admin.yaml
index e2652a72..3d4ed664 100644
--- a/config/roles/iam-user-deactivations-admin.yaml
+++ b/config/roles/iam-user-deactivations-admin.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-user-deactivations-admin labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: User Deactivation Admin kubernetes.io/description: Full access to user deactivations
diff --git a/config/roles/iam-user-deactivations-editor.yaml b/config/roles/iam-user-deactivations-editor.yaml
index f4fe1f73..261d77d0 100644
--- a/config/roles/iam-user-deactivations-editor.yaml
+++ b/config/roles/iam-user-deactivations-editor.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-user-deactivations-editor labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: User Deactivation Editor kubernetes.io/description: Create, update, and delete user deactivations
diff --git a/config/roles/iam-user-deactivations-reader.yaml b/config/roles/iam-user-deactivations-reader.yaml
index 6af4053d..e4f67db5 100644
--- a/config/roles/iam-user-deactivations-reader.yaml
+++ b/config/roles/iam-user-deactivations-reader.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-user-deactivations-reader labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: User Deactivation Viewer kubernetes.io/description: View user deactivations
diff --git a/config/roles/iam-user-invitations-admin.yaml b/config/roles/iam-user-invitations-admin.yaml
index dba02cb0..3d59406f 100644
--- a/config/roles/iam-user-invitations-admin.yaml
+++ b/config/roles/iam-user-invitations-admin.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-user-invitations-admin labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: User Invitation Admin kubernetes.io/description: Full access to user invitations
diff --git a/config/roles/iam-user-invitations-editor.yaml b/config/roles/iam-user-invitations-editor.yaml
index 2c43b2b6..6840cfe2 100644
--- a/config/roles/iam-user-invitations-editor.yaml
+++ b/config/roles/iam-user-invitations-editor.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-user-invitations-editor labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: User Invitation Editor kubernetes.io/description: Create, update, and delete user invitations
diff --git a/config/roles/iam-user-invitations-reader.yaml b/config/roles/iam-user-invitations-reader.yaml
index dfc4017c..a7c5b447 100644
--- a/config/roles/iam-user-invitations-reader.yaml
+++ b/config/roles/iam-user-invitations-reader.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-user-invitations-reader labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: User Invitation Viewer kubernetes.io/description: View user invitations
diff --git a/config/roles/iam-user-preferences-manager.yaml b/config/roles/iam-user-preferences-manager.yaml
index c906cd51..dac9dce7 100644
--- a/config/roles/iam-user-preferences-manager.yaml
+++ b/config/roles/iam-user-preferences-manager.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-user-preferences-manager labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: User Preferences Manager kubernetes.io/description: "Allows users to manage their own user preferences only."
diff --git a/config/roles/iam-user-self-manage.yaml b/config/roles/iam-user-self-manage.yaml
index a2bea667..836a6ebe 100644
--- a/config/roles/iam-user-self-manage.yaml
+++ b/config/roles/iam-user-self-manage.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-user-self-manage labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: User Self Manage kubernetes.io/description: "Allows users to manage their own user account."
diff --git a/config/roles/iam-viewer.yaml b/config/roles/iam-viewer.yaml
index 596176ed..333ab5bd 100644
--- a/config/roles/iam-viewer.yaml
+++ b/config/roles/iam-viewer.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam-viewer labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: IAM Viewer kubernetes.io/description: "View IAM resources"
diff --git a/config/roles/iam.miloapis.com-acceptinvitation.yaml b/config/roles/iam.miloapis.com-acceptinvitation.yaml
index 14a65abf..26328a4c 100644
--- a/config/roles/iam.miloapis.com-acceptinvitation.yaml
+++ b/config/roles/iam.miloapis.com-acceptinvitation.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam.miloapis.com-acceptinvitation labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Accept Invitation kubernetes.io/description: Accept user invitations to join organizations
diff --git a/config/roles/iam.miloapis.com-getinvitation.yaml b/config/roles/iam.miloapis.com-getinvitation.yaml
index e0a1a6ac..d9242feb 100644
--- a/config/roles/iam.miloapis.com-getinvitation.yaml
+++ b/config/roles/iam.miloapis.com-getinvitation.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: iam.miloapis.com-getinvitation labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Get Invitation kubernetes.io/description: View user invitations
diff --git a/config/roles/identity-user-session-viewer.yaml b/config/roles/identity-user-session-viewer.yaml
index b44e30f6..223e96df 100644
--- a/config/roles/identity-user-session-viewer.yaml
+++ b/config/roles/identity-user-session-viewer.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: identity-user-session-viewer labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Identity User-Session Viewer kubernetes.io/description: "Allows viewing user sessions and user identities."
diff --git a/config/roles/organization-admin.yaml b/config/roles/organization-admin.yaml
index 96ba05d5..f2695ddb 100644
--- a/config/roles/organization-admin.yaml
+++ b/config/roles/organization-admin.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: resourcemanager.miloapis.com-organization-admin labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Organization Admin kubernetes.io/description: "Full access to all organization and organization membership resources"
diff --git a/config/roles/organization-viewer.yaml b/config/roles/organization-viewer.yaml
index 251ca697..98fffa8a 100644
--- a/config/roles/organization-viewer.yaml
+++ b/config/roles/organization-viewer.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: resourcemanager.miloapis.com-organization-viewer labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Organization Viewer kubernetes.io/description: "View access to all organization and organization membership resources"
diff --git a/config/roles/organizationmembership-admin.yaml b/config/roles/organizationmembership-admin.yaml
index a53147c7..499afc66 100644
--- a/config/roles/organizationmembership-admin.yaml
+++ b/config/roles/organizationmembership-admin.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: organizationmembership-admin labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Organization Membership Admin kubernetes.io/description: "Full access to all organization membership resources"
diff --git a/config/roles/organizationmembership-editor.yaml b/config/roles/organizationmembership-editor.yaml
index bc721069..c39588cd 100644
--- a/config/roles/organizationmembership-editor.yaml
+++ b/config/roles/organizationmembership-editor.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: organizationmembership-editor labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Organization Membership Editor kubernetes.io/description: "Edit organization membership resources"
diff --git a/config/roles/organizationmembership-reader.yaml b/config/roles/organizationmembership-reader.yaml
index 781f3a14..17c770d7 100644
--- a/config/roles/organizationmembership-reader.yaml
+++ b/config/roles/organizationmembership-reader.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: organizationmembership-reader labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Organization Membership Reader kubernetes.io/description: "View organization membership resources"
diff --git a/config/roles/organizationmembership-self-delete.yaml b/config/roles/organizationmembership-self-delete.yaml
index c73a7b8b..574df9cd 100644
--- a/config/roles/organizationmembership-self-delete.yaml
+++ b/config/roles/organizationmembership-self-delete.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: organizationmembership-self-delete labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Organization Membership Self Delete kubernetes.io/description: "Allows a user to delete their own organization membership"
diff --git a/config/roles/project-admin.yaml b/config/roles/project-admin.yaml
index 93dc9e13..56571094 100644
--- a/config/roles/project-admin.yaml
+++ b/config/roles/project-admin.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: resourcemanager.miloapis.com-project-admin labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Project Admin kubernetes.io/description: "Full access to all project resources"
diff --git a/config/roles/project-manager.yaml b/config/roles/project-manager.yaml
index de3baa57..6964180d 100644
--- a/config/roles/project-manager.yaml
+++ b/config/roles/project-manager.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: project-manager labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Project Manager kubernetes.io/description: Full access to projects including create, update, and delete
diff --git a/config/roles/project-viewer.yaml b/config/roles/project-viewer.yaml
index b4ac45ff..4ca5edac 100644
--- a/config/roles/project-viewer.yaml
+++ b/config/roles/project-viewer.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: resourcemanager.miloapis.com-project-viewer labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Project Viewer kubernetes.io/description: "View access to all project resources"
diff --git a/config/roles/resourcemanager-admin.yaml b/config/roles/resourcemanager-admin.yaml
index 413a0dfa..276fe35a 100644
--- a/config/roles/resourcemanager-admin.yaml
+++ b/config/roles/resourcemanager-admin.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: resourcemanager-admin labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Resource Manager Admin kubernetes.io/description: Full access to manage organizations and projects
diff --git a/config/roles/resourcemanager-editor.yaml b/config/roles/resourcemanager-editor.yaml
index 49ced040..3ea6535f 100644
--- a/config/roles/resourcemanager-editor.yaml
+++ b/config/roles/resourcemanager-editor.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: resourcemanager-editor labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Resource Manager Editor kubernetes.io/description: Edit access to organizations and projects
diff --git a/config/roles/resourcemanager-reader.yaml b/config/roles/resourcemanager-reader.yaml
index 71b707d2..372aaa25 100644
--- a/config/roles/resourcemanager-reader.yaml
+++ b/config/roles/resourcemanager-reader.yaml
@@ -3,7 +3,7 @@ kind: Role metadata: name: resourcemanager-reader labels: - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service annotations: kubernetes.io/display-name: Resource Manager Viewer kubernetes.io/description: View access to organizations and projects
diff --git a/config/services/quota/iam/roles/organization-quota-manager.yaml b/config/services/quota/iam/roles/organization-quota-manager.yaml
index 42135404..32221b06 100644
--- a/config/services/quota/iam/roles/organization-quota-manager.yaml
+++ b/config/services/quota/iam/roles/organization-quota-manager.yaml
@@ -2,7 +2,6 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: quota.miloapis.com-organization-quota-manager - namespace: milo-system annotations: kubernetes.io/display-name: Organization Quota Manager kubernetes.io/description: View quota usage, grants, and claims across the organization
@@ -12,7 +11,7 @@ metadata: quota.miloapis.com/role-type: organization-manager quota.miloapis.com/service: quota quota.miloapis.com/scope: organization - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service spec: launchStage: Beta includedPermissions:
diff --git a/config/services/quota/iam/roles/quota-admin.yaml b/config/services/quota/iam/roles/quota-admin.yaml
index e81c2907..e4973473 100644
--- a/config/services/quota/iam/roles/quota-admin.yaml
+++ b/config/services/quota/iam/roles/quota-admin.yaml
@@ -2,7 +2,6 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: quota.miloapis.com-admin - namespace: milo-system annotations: kubernetes.io/display-name: Quota Admin kubernetes.io/description: Full access to quota resources including resource registrations, grants, claims, allowance buckets, and creation policies
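Review bot: Removing `namespace: milo-system` from `quota.miloapis.com-organization-quota-manager` in the `@@ -2,7 +2,6` hunk changes the object's identity, not just its metadata: if this Role kind is namespaced, the manifest now lands in whatever namespace the applier defaults to, and any binding that references the role in `milo-system` stops resolving. The same `- namespace: milo-system` line is dropped from `quota-admin` on this line and from `quota-manager`, `quota-operator` and `quota-viewer` on the next two lines, while the last patch in this series (`[PATCH 6/6] chore: revert quota roles to milo-system namespace`) adds the line straight back, which says the removal never belonged in a patch titled as a taxonomy change. Either keep the `namespace` line in these five hunks or, if a move is intended, state the target namespace in the commit message so the binding side can be checked.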
@@ -11,7 +10,7 @@ metadata: labels: quota.miloapis.com/role-type: admin quota.miloapis.com/service: quota - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service spec: launchStage: Beta includedPermissions:
diff --git a/config/services/quota/iam/roles/quota-manager.yaml b/config/services/quota/iam/roles/quota-manager.yaml
index 8c86318c..ffc3d347 100644
--- a/config/services/quota/iam/roles/quota-manager.yaml
+++ b/config/services/quota/iam/roles/quota-manager.yaml
@@ -2,7 +2,6 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: quota.miloapis.com-manager - namespace: milo-system annotations: kubernetes.io/display-name: Quota Manager kubernetes.io/description: Manage quota grants and claims, with read access to resource registrations and creation policies
@@ -11,7 +10,7 @@ metadata: labels: quota.miloapis.com/role-type: manager quota.miloapis.com/service: quota - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service spec: launchStage: Beta includedPermissions:
diff --git a/config/services/quota/iam/roles/quota-operator.yaml b/config/services/quota/iam/roles/quota-operator.yaml
index 118acc2c..1332ecf3 100644
--- a/config/services/quota/iam/roles/quota-operator.yaml
+++ b/config/services/quota/iam/roles/quota-operator.yaml
@@ -2,7 +2,6 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: quota.miloapis.com-operator - namespace: milo-system annotations: kubernetes.io/display-name: Quota Operator kubernetes.io/description: Operational access to quota resources for system reconciliation, including full management of allowance buckets
@@ -11,7 +10,7 @@ metadata: labels: quota.miloapis.com/role-type: operator quota.miloapis.com/service: quota - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service spec: launchStage: Beta includedPermissions:
diff --git a/config/services/quota/iam/roles/quota-viewer.yaml b/config/services/quota/iam/roles/quota-viewer.yaml
index 3e338a88..b0e3372b 100644
--- a/config/services/quota/iam/roles/quota-viewer.yaml
+++ b/config/services/quota/iam/roles/quota-viewer.yaml
@@ -2,7 +2,6 @@ apiVersion: iam.miloapis.com/v1alpha1 kind: Role metadata: name: quota.miloapis.com-viewer - namespace: milo-system annotations: kubernetes.io/display-name: Quota Viewer kubernetes.io/description: View access to quota resources including resource registrations, grants, and claims
@@ -11,7 +10,7 @@ metadata: labels: quota.miloapis.com/role-type: viewer quota.miloapis.com/service: quota - taxonomy.miloapis.com/role-category: platform + taxonomy.miloapis.com/role-category: service spec: launchStage: Beta includedPermissions:
diff --git a/internal/apiserver/identity/sessions/dynamic.go b/internal/apiserver/identity/sessions/dynamic.go
index 93498725..40bbbd2f 100644
--- a/internal/apiserver/identity/sessions/dynamic.go
+++ b/internal/apiserver/identity/sessions/dynamic.go
@@ -48,6 +48,7 @@ type Config struct { type DynamicProvider struct { base *rest.Config + baseRT http.RoundTripper // shared transport — reuses TCP connections across requests gvr schema.GroupVersionResource to time.Duration retries int
@@ -83,10 +84,18 @@ func NewDynamicProvider(cfg Config) (*DynamicProvider, error) { base.Timeout = cfg.Timeout } + // Build the base transport once so the underlying TCP connections and TLS + // sessions are reused across all per-user requests. + baseRT, err := rest.TransportFor(base) + if err != nil { + return nil, fmt.Errorf("building sessions provider transport: %w", err) + } + gvr := identityv1alpha1.SchemeGroupVersion.WithResource("sessions") return &DynamicProvider{ base: base, + baseRT: baseRT, gvr: gvr, to: cfg.Timeout, retries: max(0, cfg.Retries),
@@ -95,6 +104,7 @@ func NewDynamicProvider(cfg Config) (*DynamicProvider, error) { } // dynForUser creates a per-call client-go dynamic.Interface that forwards identity via X-Remote-*. +// The underlying HTTP transport is shared across calls so TCP connections are reused. func (b *DynamicProvider) dynForUser(ctx context.Context) (dynamic.Interface, error) { u, ok := apirequest.UserFrom(ctx) if !ok || u == nil {
@@ -104,17 +114,15 @@ func (b *DynamicProvider) dynForUser(ctx context.Context) (dynamic.Interface, er if b.to > 0 { cfg.Timeout = b.to } - prev := cfg.WrapTransport - cfg.WrapTransport = func(rt http.RoundTripper) http.RoundTripper { - if prev != nil { - rt = prev(rt) - } + // Wrap the shared base transport with per-user X-Remote-* headers only. + // This avoids building a new TLS transport on every request. + cfg.WrapTransport = func(_ http.RoundTripper) http.RoundTripper { return transport.NewAuthProxyRoundTripper( u.GetName(), u.GetUID(), u.GetGroups(), b.filterExtras(u.GetExtra()), - rt, + b.baseRT, ) } return dynamic.NewForConfig(cfg)
diff --git a/internal/apiserver/identity/useridentities/dynamic.go b/internal/apiserver/identity/useridentities/dynamic.go
index 36ec6d65..3ed128bf 100644
--- a/internal/apiserver/identity/useridentities/dynamic.go
+++ b/internal/apiserver/identity/useridentities/dynamic.go
@@ -48,6 +48,7 @@ type Config struct { type DynamicProvider struct { base *rest.Config + baseRT http.RoundTripper // shared transport — reuses TCP connections across requests gvr schema.GroupVersionResource to time.Duration retries int
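Review bot: The new `cfg.WrapTransport = func(_ http.RoundTripper) http.RoundTripper` in the `@@ -104,17 +114,15` hunk of sessions/dynamic.go discards both the `rt` that `dynamic.NewForConfig(cfg)` builds and the `prev` chain the old code honoured, so every transport-level setting on `cfg` — TLS, auth, any `WrapTransport` installed on `cfg` before this point — is silently bypassed in favour of `b.baseRT`, which was built from `b.base` once at construction. That is correct only if `cfg` is a straight copy of `b.base` with nothing transport-relevant touched; the `cfg := ...` line sits above this hunk, so it cannot be confirmed here, and the invariant should be written down where `cfg` is built, e.g. `// cfg must stay transport-identical to b.base: dynForUser swaps its transport for b.baseRT`. The per-user `cfg.Timeout` presumably still takes effect because it is applied by the client rather than the transport, but that too is worth a sentence in the comment block. The useridentities hunk on the next line carries the identical change, and the two files now differ only in the resource name and the error string, so a shared helper for the transport build and the auth-proxy wrap would keep them from drifting.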
@@ -83,10 +84,18 @@ func NewDynamicProvider(cfg Config) (*DynamicProvider, error) {
 		base.Timeout = cfg.Timeout
 	}
 
+	// Build the base transport once so the underlying TCP connections and TLS
+	// sessions are reused across all per-user requests.
+	baseRT, err := rest.TransportFor(base)
+	if err != nil {
+		return nil, fmt.Errorf("building useridentities provider transport: %w", err)
+	}
+
 	gvr := identityv1alpha1.SchemeGroupVersion.WithResource("useridentities")
 
 	return &DynamicProvider{
 		base:    base,
+		baseRT:  baseRT,
 		gvr:     gvr,
 		to:      cfg.Timeout,
 		retries: max(0, cfg.Retries),
@@ -95,6 +104,7 @@ func NewDynamicProvider(cfg Config) (*DynamicProvider, error) {
 }
 
 // dynForUser creates a per-call client-go dynamic.Interface that forwards identity via X-Remote-*.
+// The underlying HTTP transport is shared across calls so TCP connections are reused.
 func (b *DynamicProvider) dynForUser(ctx context.Context) (dynamic.Interface, error) {
 	u, ok := apirequest.UserFrom(ctx)
 	if !ok || u == nil {
@@ -104,17 +114,15 @@ func (b *DynamicProvider) dynForUser(ctx context.Context) (dynamic.Interface, er
 	if b.to > 0 {
 		cfg.Timeout = b.to
 	}
-	prev := cfg.WrapTransport
-	cfg.WrapTransport = func(rt http.RoundTripper) http.RoundTripper {
-		if prev != nil {
-			rt = prev(rt)
-		}
+	// Wrap the shared base transport with per-user X-Remote-* headers only.
+	// This avoids building a new TLS transport on every request.
+	cfg.WrapTransport = func(_ http.RoundTripper) http.RoundTripper {
 		return transport.NewAuthProxyRoundTripper(
 			u.GetName(),
 			u.GetUID(),
 			u.GetGroups(),
 			b.filterExtras(u.GetExtra()),
-			rt,
+			b.baseRT,
 		)
 	}
 	return dynamic.NewForConfig(cfg)
From 17f75fd5b0f8f7e1f88bbae42cf128d9fa7da0b7 Mon Sep 17 00:00:00 2001
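Review bot: The -83 and -104 hunks here are the same change as in internal/apiserver/identity/sessions/dynamic.go, differing only in the resource name and the error-message prefix, so `NewDynamicProvider` and `dynForUser` now hold two copies of the shared-transport-plus-`NewAuthProxyRoundTripper` logic that must be kept in sync by hand. A small shared helper that takes the `*rest.Config`, builds the transport once with `rest.TransportFor`, and returns the `WrapTransport` closure for the user returned by `apirequest.UserFrom` would remove the duplication and give the `filterExtras` handling a single place to evolve. If the two providers are intentionally kept independent, a comment on each `baseRT` field such as `// keep in sync with sessions/dynamic.go` would at least make the coupling visible. Both functions begin and end outside these hunks.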
From: Kevin
Date: Mon, 30 Mar 2026 10:31:10 -0700
Subject: [PATCH 6/6] chore: revert quota roles to milo-system namespace

---
 config/services/quota/iam/roles/organization-quota-manager.yaml | 1 +
 config/services/quota/iam/roles/quota-admin.yaml | 1 +
 config/services/quota/iam/roles/quota-manager.yaml | 1 +
 config/services/quota/iam/roles/quota-operator.yaml | 1 +
 config/services/quota/iam/roles/quota-viewer.yaml | 1 +
 5 files changed, 5 insertions(+)

diff --git a/config/services/quota/iam/roles/organization-quota-manager.yaml b/config/services/quota/iam/roles/organization-quota-manager.yaml
index 32221b06..f0b790a8 100644
--- a/config/services/quota/iam/roles/organization-quota-manager.yaml
+++ b/config/services/quota/iam/roles/organization-quota-manager.yaml
@@ -1,6 +1,7 @@
 apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
+  namespace: milo-system
   name: quota.miloapis.com-organization-quota-manager
   annotations:
     kubernetes.io/display-name: Organization Quota Manager
diff --git a/config/services/quota/iam/roles/quota-admin.yaml b/config/services/quota/iam/roles/quota-admin.yaml
index e4973473..a18ca3cb 100644
--- a/config/services/quota/iam/roles/quota-admin.yaml
+++ b/config/services/quota/iam/roles/quota-admin.yaml
@@ -1,6 +1,7 @@
 apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
+  namespace: milo-system
   name: quota.miloapis.com-admin
   annotations:
     kubernetes.io/display-name: Quota Admin
diff --git a/config/services/quota/iam/roles/quota-manager.yaml b/config/services/quota/iam/roles/quota-manager.yaml
index ffc3d347..cd96792d 100644
--- a/config/services/quota/iam/roles/quota-manager.yaml
+++ b/config/services/quota/iam/roles/quota-manager.yaml
@@ -1,6 +1,7 @@
 apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
+  namespace: milo-system
   name: quota.miloapis.com-manager
   annotations:
     kubernetes.io/display-name: Quota Manager
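Review bot: The re-added `namespace: milo-system` is placed before `name:` under `metadata:`, whereas the layout these manifests had before the namespace was dropped (visible in the earlier quota-viewer hunk: `name:` first, then `namespace:`) put the name first, so the revert does not restore the original key order and leaves a needless diff against the earlier history. I would insert it after the name line instead: `  name: quota.miloapis.com-organization-quota-manager` / `  namespace: milo-system`. The same ordering applies to the quota-admin and quota-manager hunks here and to the quota-operator and quota-viewer hunks that follow.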
diff --git a/config/services/quota/iam/roles/quota-operator.yaml b/config/services/quota/iam/roles/quota-operator.yaml
index 1332ecf3..ecf52789 100644
--- a/config/services/quota/iam/roles/quota-operator.yaml
+++ b/config/services/quota/iam/roles/quota-operator.yaml
@@ -1,6 +1,7 @@
 apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
+  namespace: milo-system
   name: quota.miloapis.com-operator
   annotations:
     kubernetes.io/display-name: Quota Operator
diff --git a/config/services/quota/iam/roles/quota-viewer.yaml b/config/services/quota/iam/roles/quota-viewer.yaml
index b0e3372b..89339a3d 100644
--- a/config/services/quota/iam/roles/quota-viewer.yaml
+++ b/config/services/quota/iam/roles/quota-viewer.yaml
@@ -1,6 +1,7 @@
 apiVersion: iam.miloapis.com/v1alpha1
 kind: Role
 metadata:
+  namespace: milo-system
   name: quota.miloapis.com-viewer
   annotations:
     kubernetes.io/display-name: Quota Viewer