rbac-manager
[Feature Request] Expiring and Postponed RBACDefinitions
Hi team,
This is a really awesome tool and it's helped us reduce a lot of repeated binding specs.
I was wondering if it would be possible to add a way to specify how long an RBACDefinition is valid, and additionally, a "start date" to specify when the RBACDefinition will become valid. For example, it would be nice if we could do the following (extending the example on the README):
```yaml
apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: dev-access
rbacBindings:
  - name: dev-team
    subjects:
      - kind: Group
        name: dev-team
    roleBindings:
      - clusterRole: edit
        namespaceSelector:
          matchLabels:
            team: dev
# If startTime is omitted, then it is valid immediately
startTime: "2020-09-15T00:17:10Z"
# If endTime is omitted, then it is valid indefinitely
endTime: "2021-09-15T00:17:10Z"
```
Some use cases I had in mind were:
- Sometimes I want to give temporary access, and for that I could use some kind of `endTime` field
- Perhaps I have a new employee that I know will need permissions at some point, I could specify a `startTime` so that I could apply the RBACDefinition now, but its effect won't take place until later. Another example here is: I have an intern for which I know the exact time they start and end, so I could set up their roles to have a start and expiry date.
This would be a really cool feature. I feel like it might be a significant change, but a very very cool feature.
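An added example (not part of the original issue and not rbac-manager code) of how the proposed `startTime`/`endTime` semantics could be evaluated by a controller, in Go. The `Window` type, its `Active` method, treating `endTime` as exclusive, and failing closed on malformed or inverted timestamps are all assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Window mirrors the proposed startTime/endTime fields (hypothetical names, not rbac-manager's API).
type Window struct {
	StartTime string // RFC 3339; empty means valid immediately
	EndTime   string // RFC 3339; empty means valid indefinitely
}

// Active reports whether bindings should exist at now and when to re-evaluate
// (zero time: no further change). Errors return false, so access fails closed.
func (w Window) Active(now time.Time) (bool, time.Time, error) {
	var start, end time.Time
	var err error
	if w.StartTime != "" {
		if start, err = time.Parse(time.RFC3339, w.StartTime); err != nil {
			return false, time.Time{}, fmt.Errorf("startTime: %w", err)
		}
	}
	if w.EndTime != "" {
		if end, err = time.Parse(time.RFC3339, w.EndTime); err != nil {
			return false, time.Time{}, fmt.Errorf("endTime: %w", err)
		}
	}
	if w.StartTime != "" && w.EndTime != "" && !end.After(start) {
		return false, time.Time{}, fmt.Errorf("endTime must be after startTime")
	}
	switch {
	case w.StartTime != "" && now.Before(start):
		return false, start, nil // postponed: create bindings at start
	case w.EndTime != "" && !now.Before(end):
		return false, time.Time{}, nil // expired: bindings must be removed
	default:
		return true, end, nil // active: revoke at end (zero time = never)
	}
}

func main() {
	w := Window{StartTime: "2020-09-15T00:17:10Z", EndTime: "2021-09-15T00:17:10Z"} // values from the issue
	for _, ts := range []string{"2020-09-01T00:00:00Z", "2021-01-01T00:00:00Z", "2021-09-15T00:17:10Z"} { // constructed
		now, _ := time.Parse(time.RFC3339, ts)
		active, next, err := w.Active(now)
		fmt.Println(ts, active, next, err)
	}
}
```

The second return value is the time at which a reconcile loop would need to run again, which is what makes expiry enforceable without waiting for an unrelated change to the resource.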
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.