Rename clusterroles/clusterrolebindings. #880

@GrahamDumpleton

Is your feature request related to a problem? Please describe.

In Kubernetes there has been a move to use an app or system prefix followed by a colon for cluster role and cluster role binding names.

Describe the solution you'd like

Move to using an educates: prefix where this makes sense.

Currently we have:

clusterrole.rbac.authorization.k8s.io/educates-admin-session-role
clusterrole.rbac.authorization.k8s.io/educates-edit-session-role
clusterrole.rbac.authorization.k8s.io/educates-lookup-service
clusterrole.rbac.authorization.k8s.io/educates-remote-access
clusterrole.rbac.authorization.k8s.io/educates-secrets-manager
clusterrole.rbac.authorization.k8s.io/educates-training-portal
clusterrole.rbac.authorization.k8s.io/educates-tunnel-manager
clusterrole.rbac.authorization.k8s.io/educates-view-session-role
clusterrole.rbac.authorization.k8s.io/educates-web-console-lab-k8s-fundamentals-w01

So perhaps change to:

# Roles for specific services.

educates:lookup-service
educates:remote-access
educates:secrets-manager
educates:training-portal
educates:tunnel-manager

# Roles applied to service accounts for workshop sessions.

educates:session:admin
educates:session:edit
educates:session:view

# Roles applied to service account related to Kubernetes console.

educates:environment:console:lab-k8s-fundamentals-w01

Also have cluster roles like:

# RBAC for lookup service CRDs.

educates:rbac:admin:lookup
educates:rbac:view:lookup

# RBAC for secrets-manager CRDs.

educates:rbac:admin:secrets
educates:rbac:view:secrets

# RBAC for session-manager CRDs.

educates:rbac:admin:training
educates:rbac:view:training

The latter would provide RBAC for users or other apps to use to access Educates custom resources. Others above would be regarded as internal use.

Using inspiration from Kyverno here.

clusterrole.rbac.authorization.k8s.io/kyverno:admission-controller
clusterrole.rbac.authorization.k8s.io/kyverno:admission-controller:core
clusterrole.rbac.authorization.k8s.io/kyverno:background-controller
clusterrole.rbac.authorization.k8s.io/kyverno:background-controller:core
clusterrole.rbac.authorization.k8s.io/kyverno:cleanup-controller
clusterrole.rbac.authorization.k8s.io/kyverno:cleanup-controller:core
clusterrole.rbac.authorization.k8s.io/kyverno:rbac:admin:policies
clusterrole.rbac.authorization.k8s.io/kyverno:rbac:admin:policyreports
clusterrole.rbac.authorization.k8s.io/kyverno:rbac:admin:reports
clusterrole.rbac.authorization.k8s.io/kyverno:rbac:admin:updaterequests
clusterrole.rbac.authorization.k8s.io/kyverno:rbac:view:policies
clusterrole.rbac.authorization.k8s.io/kyverno:rbac:view:policyreports
clusterrole.rbac.authorization.k8s.io/kyverno:rbac:view:reports
clusterrole.rbac.authorization.k8s.io/kyverno:rbac:view:updaterequests
clusterrole.rbac.authorization.k8s.io/kyverno:reports-controller
clusterrole.rbac.authorization.k8s.io/kyverno:reports-controller:core

Also look at clusterrolebinding names in the same way if it makes sense.

Describe alternatives you've considered

No response

Additional information

No response
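
A rename-planning sketch for the mapping proposed in this issue, added here as an example and not part of the issue or the Educates code base. The rules are derived from the "currently" and "change to" lists above; the binding names and the `educates-legacy-thing` role are constructed. Because a binding's `roleRef` cannot be changed after creation, bindings that point at a renamed role are reported as needing to be recreated.

```python
import re

# Rules derived from the issue's "currently" and "change to" lists.
RULES = [
    (re.compile(r"^educates-(admin|edit|view)-session-role$"), r"educates:session:\1"),
    (re.compile(r"^educates-web-console-(.+)$"), r"educates:environment:console:\1"),
    (re.compile(r"^educates-(lookup-service|remote-access|secrets-manager"
                r"|training-portal|tunnel-manager)$"), r"educates:\1"),
]

def proposed_name(name):
    """Map a legacy ClusterRole name to its colon-prefixed form, else None."""
    for pattern, template in RULES:
        if pattern.match(name):
            return pattern.sub(template, name)
    return None

def plan_rename(cluster_roles, bindings):
    """Return (renames, rebind, unmapped) for a set of roles and bindings.

    renames:  {old ClusterRole name: new name}
    rebind:   (binding name, old roleRef name, new roleRef name) tuples; a
              binding's roleRef is immutable, so each of these has to be
              deleted and recreated rather than patched
    unmapped: educates-* roles that no rule covers and need a manual decision
    """
    renames = {n: proposed_name(n) for n in cluster_roles if proposed_name(n)}
    unmapped = [n for n in cluster_roles
                if n.startswith("educates-") and n not in renames]
    rebind = [(b["metadata"]["name"], b["roleRef"]["name"], renames[b["roleRef"]["name"]])
              for b in bindings
              if b["roleRef"]["kind"] == "ClusterRole" and b["roleRef"]["name"] in renames]
    return renames, rebind, unmapped

# Constructed sample input: most role names come from the issue; the binding
# names and "educates-legacy-thing" are made up for illustration.
SAMPLE_ROLES = ["educates-admin-session-role", "educates-lookup-service",
                "educates-web-console-lab-k8s-fundamentals-w01",
                "educates-legacy-thing", "kyverno:admission-controller"]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "example-lookup-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "educates-lookup-service"}},
    {"metadata": {"name": "example-other-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]

if __name__ == "__main__":
    renames, rebind, unmapped = plan_rename(SAMPLE_ROLES, SAMPLE_BINDINGS)
    print(renames, rebind, unmapped, sep="\n")
```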

Labels: area/installer, area/operators, enhancement