From ef988ea015d6f0ca09346d886e5ef26807df7f51 Mon Sep 17 00:00:00 2001 From: Jose Szychowski Date: Wed, 1 Apr 2026 11:30:11 -0300 Subject: [PATCH 1/4] feat: add MachineAccount support to PolicyBinding subjects with mandatory namespace validation --- .../crd/bases/iam/iam.miloapis.com_policybindings.yaml | 10 +++++++--- pkg/apis/iam/v1alpha1/policybinding_types.go | 9 +++++---- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml b/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml index f38a42c6..b401cf8e 100644 --- a/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml +++ b/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml @@ -140,7 +140,7 @@ spec: items: description: |- Subject contains a reference to the object or user identities a role binding applies to. - This can be a User or Group. + This can be a User, Group, or MachineAccount. properties: kind: description: Kind of object being referenced. Values defined @@ -148,6 +148,7 @@ spec: enum: - User - Group + - MachineAccount type: string name: description: |- @@ -157,8 +158,8 @@ spec: type: string namespace: description: |- - Namespace of the referenced object. If DNE, then for an SA it refers to the PolicyBinding resource's namespace. - For a User or Group, it is ignored. + Namespace of the referenced object. Required for MachineAccount subjects. + If not specified for a Group or User, it is ignored. type: string uid: description: UID of the referenced object. Optional for system @@ -173,6 +174,9 @@ spec: (groups with names starting with 'system:') rule: (self.kind == 'Group' && has(self.name) && self.name.startsWith('system:')) || (has(self.uid) && size(self.uid) > 0) + - message: Namespace is required for MachineAccount subjects + rule: self.kind != 'MachineAccount' || (has(self.namespace) && + size(self.namespace) > 0) minItems: 1 type: array required: 
diff --git a/pkg/apis/iam/v1alpha1/policybinding_types.go b/pkg/apis/iam/v1alpha1/policybinding_types.go
index 3a1f36f2..c7601341 100644
--- a/pkg/apis/iam/v1alpha1/policybinding_types.go
+++ b/pkg/apis/iam/v1alpha1/policybinding_types.go
@@ -16,21 +16,22 @@ type RoleReference struct {
 }
 
 // Subject contains a reference to the object or user identities a role binding applies to.
-// This can be a User or Group.
+// This can be a User, Group, or MachineAccount.
 // +k8s:deepcopy-gen=true
 // +kubebuilder:validation:XValidation:rule="(self.kind == 'Group' && has(self.name) && self.name.startsWith('system:')) || (has(self.uid) && size(self.uid) > 0)",message="UID is required for all subjects except system groups (groups with names starting with 'system:')"
+// +kubebuilder:validation:XValidation:rule="self.kind != 'MachineAccount' || (has(self.namespace) && size(self.namespace) > 0)",message="Namespace is required for MachineAccount subjects"
 type Subject struct {
 	// Kind of object being referenced. Values defined in Kind constants.
 	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:Enum=User;Group
+	// +kubebuilder:validation:Enum=User;Group;MachineAccount
 	Kind string `json:"kind"`
 	// Name of the object being referenced. A special group name of
 	// "system:authenticated-users" can be used to refer to all authenticated
 	// users.
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`
-	// Namespace of the referenced object. If DNE, then for an SA it refers to the PolicyBinding resource's namespace.
-	// For a User or Group, it is ignored.
+	// Namespace of the referenced object. Required for MachineAccount subjects.
+	// If not specified for a Group or User, it is ignored.
 	// +kubebuilder:validation:Optional
 	Namespace string `json:"namespace,omitempty"`
 	// UID of the referenced object. Optional for system groups (groups with names starting with "system:").
From e3f68d0385060a659bf4f32839a9ebd6a0bdae3a Mon Sep 17 00:00:00 2001
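Review bot: The Enum marker on the Kind field now admits MachineAccount, but no Kind constant for it appears anywhere in this series, even though the comment on that line says the values are defined in Kind constants; if this file keeps such a block, add one alongside the existing User/Group constants, e.g. `MachineAccountKind = "MachineAccount"` (placeholder name, follow the existing naming), so the authorizer compares kinds against a constant rather than a string literal. Subject's declaration continues past the end of the hunk, so I cannot see from here whether the constants live there. The namespace XValidation added in this hunk is removed again by the last patch of the series, so I am not commenting on it here.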
From: Jose Szychowski Date: Thu, 2 Apr 2026 09:32:45 -0300 Subject: [PATCH 2/4] chore: generate documentation --- docs/api/iam.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/api/iam.md b/docs/api/iam.md index 1ee17986..73bc56f7 100644 --- a/docs/api/iam.md +++ b/docs/api/iam.md @@ -2055,7 +2055,7 @@ This can be a reference to a Role custom resource. Subject contains a reference to the object or user identities a role binding applies to. -This can be a User or Group. +This can be a User, Group, or MachineAccount. @@ -2072,7 +2072,7 @@ This can be a User or Group. @@ -2088,8 +2088,8 @@ users.
From a1f0c7189efa761cf72bf565d9d8ae27a09143fc Mon Sep 17 00:00:00 2001 From: Jose Szychowski Date: Thu, 2 Apr 2026 11:48:42 -0300 Subject: [PATCH 3/4] feat: make namespace optional for MachineAccount subjects in PolicyBinding CRD and documentation --- config/crd/bases/iam/iam.miloapis.com_policybindings.yaml | 7 ++----- docs/api/iam.md | 4 ++-- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml b/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml index b401cf8e..d78df96b 100644 --- a/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml +++ b/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml @@ -158,8 +158,8 @@ spec: type: string namespace: description: |- - Namespace of the referenced object. Required for MachineAccount subjects. - If not specified for a Group or User, it is ignored. + Namespace of the referenced object. + If not specified for a Group, User or MachineAccount, it is ignored. type: string uid: description: UID of the referenced object. Optional for system @@ -174,9 +174,6 @@ spec: (groups with names starting with 'system:') rule: (self.kind == 'Group' && has(self.name) && self.name.startsWith('system:')) || (has(self.uid) && size(self.uid) > 0) - - message: Namespace is required for MachineAccount subjects - rule: self.kind != 'MachineAccount' || (has(self.namespace) && - size(self.namespace) > 0) minItems: 1 type: array required: diff --git a/docs/api/iam.md b/docs/api/iam.md index 73bc56f7..ad793402 100644 --- a/docs/api/iam.md +++ b/docs/api/iam.md @@ -2088,8 +2088,8 @@ users.
From f858aed542259acd67b3ffbb084d6680eb72463b Mon Sep 17 00:00:00 2001
From: Jose Szychowski
Date: Thu, 2 Apr 2026 11:51:13 -0300
Subject: [PATCH 4/4] fix: update policybinding type
---
 pkg/apis/iam/v1alpha1/policybinding_types.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/pkg/apis/iam/v1alpha1/policybinding_types.go b/pkg/apis/iam/v1alpha1/policybinding_types.go
index c7601341..cfca9ee7 100644
--- a/pkg/apis/iam/v1alpha1/policybinding_types.go
+++ b/pkg/apis/iam/v1alpha1/policybinding_types.go
@@ -19,7 +19,6 @@ type RoleReference struct {
 // This can be a User, Group, or MachineAccount.
 // +k8s:deepcopy-gen=true
 // +kubebuilder:validation:XValidation:rule="(self.kind == 'Group' && has(self.name) && self.name.startsWith('system:')) || (has(self.uid) && size(self.uid) > 0)",message="UID is required for all subjects except system groups (groups with names starting with 'system:')"
-// +kubebuilder:validation:XValidation:rule="self.kind != 'MachineAccount' || (has(self.namespace) && size(self.namespace) > 0)",message="Namespace is required for MachineAccount subjects"
 type Subject struct {
 	// Kind of object being referenced. Values defined in Kind constants.
 	// +kubebuilder:validation:Required
@@ -30,8 +29,8 @@ type Subject struct {
 	// users.
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`
-	// Namespace of the referenced object. Required for MachineAccount subjects.
-	// If not specified for a Group or User, it is ignored.
+	// Namespace of the referenced object.
+	// If not specified for a Group, User or MachineAccount, it is ignored.
 	// +kubebuilder:validation:Optional
 	Namespace string `json:"namespace,omitempty"`
 	// UID of the referenced object. Optional for system groups (groups with names starting with "system:").
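Review bot: With the namespace rule dropped, the new comment on the Namespace field says the value is ignored for a MachineAccount, but nothing in the hunk states how a MachineAccount subject is then identified; the surviving XValidation on Subject still requires a non-empty uid for every non-system-group subject, so presumably matching is by uid alone and a name without a namespace is never used for lookup — that should be written down, e.g. `// MachineAccount subjects are matched by uid; name and namespace are informational and are not used to resolve the account.` (adjust if the resolver actually uses name+namespace, since an un-namespaced name could otherwise match an account of the same name in a different namespace). Subject's declaration is cut at both edges of the second hunk. The CRD in the previous patch was edited ahead of this marker change; regenerating the manifests from the markers would confirm the two agree.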
Kind of object being referenced. Values defined in Kind constants.

- Enum: User, Group
+ Enum: User, Group, MachineAccount
true
namespace string - Namespace of the referenced object. If DNE, then for an SA it refers to the PolicyBinding resource's namespace. -For a User or Group, it is ignored.
+ Namespace of the referenced object. Required for MachineAccount subjects. +If not specified for a Group or User, it is ignored.
false
namespace string - Namespace of the referenced object. Required for MachineAccount subjects. -If not specified for a Group or User, it is ignored.
+ Namespace of the referenced object. +If not specified for a Group, User or MachineAccount, it is ignored.
false