|`resource.resourceType`<br/>[(dual-scoped)](#resource-identifiers-dual-scoped)| string |`resource:create`, `resource:update`, `resource:delete`| ResourceType (or ClusterResourceType) referenced by the resource. |
+
|`resource.workflow`<br/>[(dual-scoped)](#resource-identifiers-dual-scoped)| string |`workflowrun:create`, `workflowrun:update`, `workflowrun:delete`| Workflow (or ClusterWorkflow) referenced by the workflow run. |
When a condition lists multiple actions — whether explicitly (`["releasebinding:create", "logs:view"]`) or via a wildcard pattern (`releasebinding:*`) — the expression may only reference attributes registered for **every** action the entry covers. An attribute supported by only some of those actions is not usable in the condition.
### Resource Identifiers (Dual-Scoped)
-
Some resource kinds in OpenChoreo come in two variants — one namespace-scoped, one cluster-scoped. In conditions, both variants share a single logical name (such as `environment`). Conditions don't pick the variant by kind; they pick it by the **shape of the identifier**.
+
Some resource kinds in OpenChoreo come in two variants — one namespace-scoped, one cluster-scoped (for example, `ComponentType` and `ClusterComponentType`). In conditions, both variants share a single logical attribute — `environment`, `componentType`, `resourceType`, or `workflow`. Conditions don't pick the variant by kind; they pick it by the **shape of the identifier**.
-
Attributes that identify such a resource (such as `resource.environment`) carry one of two forms:
+
These dual-scoped attributes carry one of two forms:
- For the namespace-scoped variant: `{namespace}/{name}` — for example, `acme/prod`.
- For the cluster-scoped variant: just `{name}` — for example, `prod`.
-
Match the same form in your CEL expression: `resource.environment == "acme/prod"` targets a namespace-scoped environment named `prod` in `acme`, while `resource.environment == "prod"` targets the cluster-scoped one.
+
Match the same form in your CEL expression: `resource.environment == "acme/prod"` targets a namespace-scoped environment named `prod` in `acme`, while `resource.environment == "prod"` targets the cluster-scoped one. The same rule applies to `resource.componentType`, `resource.resourceType`, and `resource.workflow`.
+
+
Which form applies depends on the reference's `kind` in the resource being acted upon. Match the form the resource actually resolves to. When `kind` is omitted, it follows the CRD field's default.
For resources that exist in only one scope, the resource identifiers simply carry the resource name.
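Review bot: The new closing paragraph ("When `kind` is omitted, it follows the CRD field's default") withholds the one fact a policy author needs here: which kind each reference field defaults to. The section establishes that `resource.environment == "prod"` matches only the cluster-scoped variant and `"acme/prod"` only the namespaced one, so an author who cannot tell which form a resource with no `kind` resolves to will write a condition that quietly never matches, and the same ambiguity applies to `resource.componentType`, `resource.resourceType` and `resource.workflow`. Suggest naming the default for each of the four references (or linking the CRD field reference), and stating explicitly what happens when the form in the condition does not match the resolved form, since that is the failure mode "Match the form the resource actually resolves to" is warning about.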
@@ -95,7 +100,7 @@ This binding permits the `releasebinding:view` actions when the target environme
## Examples
-
A platform engineer needs to give the `backend-team` group `developer` access — but with two safety rails: release-binding mutations must stay out of production, and log access should be limited to `dev` and `staging`. A single role mapping can carry both rules, one condition per action group:
+
A platform engineer needs to give the `backend-team` group `developer` access — but with three safety rails: release-binding mutations must stay out of production, log access should be limited to `dev` and `staging`, and the team should only be able to create `service` and `cronjob` components. A single role mapping can carry all three rules, one condition per action group:
```yaml
apiVersion: openchoreo.dev/v1alpha1
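Review bot: "the team should only be able to create `service` and `cronjob` components" reads as if `service` and `cronjob` were component names, while the rule that follows gates `resource.componentType`. Suggest "components whose component type is `service` or `cronjob`", and, since this change also introduces the dual-scoped identifier rule, say whether those are cluster-scoped types (matched as `service`) or namespaced ones (matched as `acme/service`), because the expression has to use the corresponding form.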
@@ -120,10 +125,13 @@ spec:
- actions:
- logs:view
expression: 'resource.environment in ["acme/dev", "acme/staging"]'
+
- actions:
+
- component:create
+
expression: 'resource.componentType in ["service", "cronjob"]'
effect: allow
```
-
Read-only actions on `releasebinding` (e.g., `releasebinding:view`) and every other action in the `developer` role remain unrestricted — only the listed actions are gated.
+
Read-only actions on `releasebinding` (e.g., `releasebinding:view`) and every other action in the `developer` role remain unrestricted — only the listed actions are gated. A `component:create` for any type other than the namespace-scoped `service` or `cronjob` (`acme/service`, `acme/cronjob`) fails its condition and is denied.
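Review bot: The added explanatory sentence contradicts the added expression. `resource.componentType in ["service", "cronjob"]` uses the bare `{name}` form, which the Dual-Scoped section in this same change defines as the cluster-scoped variant (`ClusterComponentType`), yet the sentence says the permitted types are "the namespace-scoped `service` or `cronjob` (`acme/service`, `acme/cronjob`)". Under the stated rules a `component:create` referencing `acme/service` would fail this condition and be denied, the opposite of what the text promises. Either change the expression to `'resource.componentType in ["acme/service", "acme/cronjob"]'` if namespaced types are intended, or reword the sentence to say the cluster-scoped types `service` and `cronjob`. A reader copying this example as written gets the wrong scope gated.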