
IAM controller - rename role

Open gecube opened this issue 1 year ago • 8 comments

The IAM controller implements the Role kind in the iam.services.k8s.aws API group. The issue is that the short name for the object is 'role' and it is overridden by Role from rbac.authorization.k8s.io from the standard Kubernetes API. It effectively means that I can't get the Roles from the iam.services.k8s.aws API group, as when I request kubectl get roles -A I get only classic k8s roles, not the ACK IAM ones.

What I would like to ask: rename the Role served by the IAM controller to something different, like IAMRole, to make them available via a kubectl get request.

Probably the same could apply to different Kinds served by other ACK controllers, but it was the most obvious example.

gecube avatar Jul 27 '23 19:07 gecube

Hi @gecube, thanks for the issue! The ACK controllers keep a one-to-one mapping for the API Group name to the CustomResourceDefinition (CRD) name. The issue you describe isn't unique to ACK or CRDs, since the KIND of GROUP.VERSION.KIND of CRDs can overlap. If you do kubectl get crd you should see existing overlap of some resources.

If you want to search for ACK resources, you should query with the group and kind, for example: kubectl get roles.iam.services.k8s.aws -A

Hope all this helps.

acornett21 avatar Jul 27 '23 20:07 acornett21

@acornett21 Hi! Thanks for shedding light on it. What is misleading is that I see the same "roles" kind in the output:

kubectl api-resources | grep roles
roles                                                                iam.services.k8s.aws/v1alpha1            true         Role
clusterroles                                                         rbac.authorization.k8s.io/v1             false        ClusterRole
roles                                                                rbac.authorization.k8s.io/v1             true         Role
teleportroles                                                        resources.teleport.dev/v6                true         TeleportRole

I understand that there is no uniqueness requirement between different API groups. The very same is happening with "clusters":

kubectl api-resources | grep clusters
clusters                                                             eks.services.k8s.aws/v1alpha1            true         Cluster
clusters                                                             kafka.services.k8s.aws/v1alpha1          true         Cluster
clusters                                                             memorydb.services.k8s.aws/v1alpha1       true         Cluster
dbclusters                                                           rds.services.k8s.aws/v1alpha1            true         DBCluster
globalclusters                                                       rds.services.k8s.aws/v1alpha1            true         GlobalCluster

I would be really very happy if I could get all ACK-related resources by short name and not by specifying the whole name <kind>.<group>.

gecube avatar Jul 28 '23 05:07 gecube
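
The name collisions shown in the output above can be listed for any cluster. The following is an added example, not part of the original issue or of the ACK project's code: a shell function that reads `kubectl api-resources` output and prints every resource name served by more than one API group, in the `<name>.<group>` form that selects it unambiguously. The function names are this example's own, and the embedded sample is copied from the output quoted in the thread.

```shell
#!/bin/sh
# List resource names that more than one API group serves, as <name>.<group>.
# Input: `kubectl api-resources` output on stdin. The SHORTNAMES column is
# optional, so APIVERSION is located from the right (third field from the end).
ambiguous_resources() {
  awk '
    $1 == "NAME" || NF < 4 { next }          # skip header and blank lines
    {
      name = $1; apiver = $(NF - 2)
      slash = index(apiver, "/")
      group = slash ? substr(apiver, 1, slash - 1) : ""   # core group: bare "v1"
      key = name SUBSEP group
      if (key in seen) next
      seen[key] = 1
      count[name]++
      # Core-group resources cannot be group-qualified; print the bare name.
      fq[name] = fq[name] (group == "" ? name : name "." group) "\n"
    }
    END { for (n in count) if (count[n] > 1) printf "%s", fq[n] }
  ' | LC_ALL=C sort
}

# Sample input: the api-resources lines quoted in this thread.
sample_api_resources() {
  cat <<'EOF'
roles            iam.services.k8s.aws/v1alpha1        true   Role
clusterroles     rbac.authorization.k8s.io/v1         false  ClusterRole
roles            rbac.authorization.k8s.io/v1         true   Role
teleportroles    resources.teleport.dev/v6            true   TeleportRole
clusters         eks.services.k8s.aws/v1alpha1        true   Cluster
clusters         kafka.services.k8s.aws/v1alpha1      true   Cluster
clusters         memorydb.services.k8s.aws/v1alpha1   true   Cluster
dbclusters       rds.services.k8s.aws/v1alpha1        true   DBCluster
globalclusters   rds.services.k8s.aws/v1alpha1        true   GlobalCluster
EOF
}

# Against a live cluster: kubectl api-resources | ambiguous_resources
sample_api_resources | ambiguous_resources
```

Each printed line can be passed directly to `kubectl get`, which avoids an inventory or audit of one group's objects silently returning another group's.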

> I could get all ack-related resources by short name and not by specifying the whole name

I don't think this will be possible, for two reasons:

  • A good amount of the controllers are GA, and a change now would break existing users.
  • As mentioned earlier, ACK maintains a one-to-one name with what the AWS API provides.

I'll let others chime in on their thoughts. @a-hilaly @RedbackThomson Any thoughts from you all?

acornett21 avatar Jul 28 '23 21:07 acornett21

The code-generator supports injecting shortnames for specific CRDs like https://github.com/aws-controllers-k8s/prometheusservice-controller/blob/2e3371210de55ac0e1bc011665579df77c0fcfff/generator.yaml#L27-L28. (which still keeps the original name but adds more aliases)

But I agree that it is not really possible to do anything with duplicated CRD names/kinds. @gecube what do you suggest as shortnames for the roles/cluster names, for example?

a-hilaly avatar Jul 31 '23 13:07 a-hilaly

@a-hilaly Hi! Thanks for reaching me. I think that all shortnames must be as unique as possible and as self-descriptive as possible.

For example:

eks.services.k8s.aws/v1alpha1 clusters -> EKSCluster, short name eksclusters
iam.services.k8s.aws/v1alpha1 roles -> IAMRole, short name iamroles
memorydb.services.k8s.aws/v1alpha1 clusters -> MemoryDBCluster, short name memorydbclusters

At least, I think it is not too late to do it, because otherwise we will stick to the original ones...

gecube avatar Jul 31 '23 13:07 gecube

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

ack-bot avatar Jan 27 '24 19:01 ack-bot