{"id":18510686,"url":"https://github.com/operator-framework/oria-operator","last_synced_at":"2025-04-09T04:33:19.528Z","repository":{"id":50021398,"uuid":"518240056","full_name":"operator-framework/oria-operator","owner":"operator-framework","description":null,"archived":true,"fork":false,"pushed_at":"2024-12-12T15:00:38.000Z","size":49982,"stargazers_count":5,"open_issues_count":9,"forks_count":10,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-03-25T05:03:10.415Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/operator-framework.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-07-26T22:56:36.000Z","updated_at":"2024-12-12T15:01:17.000Z","dependencies_parsed_at":"2023-01-20T10:02:08.809Z","dependency_job_id":null,"html_url":"https://github.com/operator-framework/oria-operator","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/operator-framework%2Foria-operator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/operator-framework%2Foria-operator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/operator-framework%2Foria-operator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/operator-framework%2Foria-operator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/operator-framework","download_url":"https://codeload.github.com/operator-framework/oria-operator/tar.gz
/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247980833,"owners_count":21027803,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T15:24:26.236Z","updated_at":"2025-04-09T04:33:19.495Z","avatar_url":"https://github.com/operator-framework.png","language":"Go","readme":"## ⚠️ Deprecation Notice\n\n\u003e This project is **deprecated** and is no longer actively maintained. \n\n# oria-operator\n\n## Summary\n\nThe Oria Operator provides tooling that allows cluster admins and operator authors to control which namespaces an operator reconciles resource events in.\n\nThe `oria-operator` will introduce two cluster scoped CRDs, the `ScopeTemplate` and `ScopeInstance`.\n\n### ScopeTemplate CRD\n\nThe `ScopeTemplate` CRD is used to define the RBAC needed by an operator. It basically allows one to define:\n\n- A `ClusterRole`\n\nAn example of a `ScopeTemplate` CR can be seen below:\n\n```\napiVersion: operators.io.operator-framework/v1\nkind: ScopeTemplate\nmetadata:\n  name: scopetemplate-sample\nspec:\n  clusterRoles:\n  - generateName: test\n    rules:\n    - apiGroups: [\"\"]\n      # at the HTTP level, the name of the resource for accessing Secret\n      # objects is \"secrets\"\n      resources: [\"secrets\"]\n      verbs: [\"get\", \"watch\", \"list\"]\n    subjects:\n    - kind: Group\n      name: manager  # Name is case sensitive\n      apiGroup: rbac.authorization.k8s.io\n```\n\nThe reconciliation process will verify the below steps:\n1. 
It will check whether any `ScopeInstance` CR references the `ScopeTemplate` by name.\n2. If one does, the `ClusterRole` defined in the `ScopeTemplate` will be created if it does not exist. The created `ClusterRole` will include an owner reference to the `ScopeTemplate` CR.\n3. If no `ScopeInstance` references the `ScopeTemplate`, the `ClusterRole` defined in the `ScopeTemplate` will be deleted if it exists.\n\n### ScopeInstance CRD\n\nThe `ScopeInstance` CRD is used to define a list of `namespaces` that the RBAC in a `ScopeTemplate` will be created in. A cluster admin will create the `ScopeInstance` CR and will specify:\n\n- The name of a `ScopeTemplate` which defines the RBAC required by the operator\n- A set of namespaces that the operator should be scoped to. An empty set of namespaces is equivalent to specifying all namespaces, so the RBAC is then granted cluster-wide.\n\n```\napiVersion: operators.io.operator-framework/v1\nkind: ScopeInstance\nmetadata:\n  name: scopeinstance-sample\nspec:\n  scopeTemplateName: scopetemplate-sample\n  namespaces:\n  - default\n```\n\nThe reconciliation process performs the following steps:\n\n1. It will look for the `ScopeTemplate` that the `ScopeInstance` references. If it is not referencing one, it throws an error with the appropriate message.\n2. If it is referencing one and the `namespaces` array is empty, a single `ClusterRoleBinding` will be created. Otherwise, a `RoleBinding` will be created in each of the `namespaces`. These resources will include an owner reference to the `ScopeInstance` CR.\n\n## Installation\n\nTo install the latest release of `oria-operator`, run:\n\n```\nkubectl apply -f https://github.com/operator-framework/oria-operator/releases/latest/download/oria-operator.yaml\n```\n\nTo install a specific release of `oria-operator`, run:\n\n```\nORIA_VERSION=vX.Y.Z; kubectl apply -f https://github.com/operator-framework/oria-operator/releases/download/$ORIA_VERSION/oria-operator.yaml\n```\n\n## Run the Operator Locally\n\n### 1. 
Run locally outside the cluster\n\nFirst, install the `ScopeInstance` and `ScopeTemplate` CRDs:\n\n```\nmake install\n```\n\nThis creates the CRDs and logs the message below:\n\n```\ncustomresourcedefinition.apiextensions.k8s.io/scopeinstances.operators.io.operator-framework created\ncustomresourcedefinition.apiextensions.k8s.io/scopetemplates.operators.io.operator-framework created\n```\n\nThen run the `oria-operator` with the command below and apply the `ScopeTemplate` and `ScopeInstance` CRs:\n\n```\nmake run\n```\n\nApply the `ScopeTemplate` CR as below. This will create a `ScopeTemplate` with the name `scopetemplate-sample`.\n\n```\n$ kubectl apply -f config/samples/operators_v1_scopetemplate.yaml\nscopetemplate.operators.io.operator-framework/scopetemplate-sample created\n```\n\nNow, create the `ScopeInstance` CR as below. This will create a `ScopeInstance` with the name `scopeinstance-sample` that references the `ScopeTemplate` created in the previous step.\n\n```\n$ kubectl apply -f config/samples/operators_v1_scopeinstance.yaml\nscopeinstance.operators.io.operator-framework/scopeinstance-sample created\n```\n\nOnce `scopeinstance-sample` is created, it will trigger the reconciliation process of the `ScopeTemplate` and `ScopeInstance` controllers.\n\nThe `ScopeTemplate` reconciliation process will create the `ClusterRole` as defined in the CR.\n\n```\n$ kubectl get clusterroles\nNAME   CREATED AT\ntest   2022-09-20T18:39:32Z\n```\n\nThe `ScopeInstance` reconciliation process will create `(Cluster)RoleBinding`s as defined in the CR.\n\n```\n$ kubectl get rolebindings --all-namespaces\nNAMESPACE   NAME         ROLE               AGE\ndefault     test-x8hdc   ClusterRole/test   33m\n```\n\nNow, let's update the `ScopeInstance` with a new namespace. 
Create the `test` namespace with:\n\n```\n$ kubectl create namespace test\nnamespace/test created\n```\n\nUpdate the `ScopeInstance` to look similar to:\n\n```\napiVersion: operators.io.operator-framework/v1\nkind: ScopeInstance\nmetadata:\n  name: scopeinstance-sample\nspec:\n  scopeTemplateName: scopetemplate-sample\n  namespaces:\n  - default\n  - test\n```\n\n```\n$ kubectl apply -f config/samples/operators_v1_scopeinstance.yaml\nscopeinstance.operators.io.operator-framework/scopeinstance-sample configured\n```\n\nNow, verify that there is a `RoleBinding` created in both namespaces:\n\n```\n$ kubectl get rolebindings --all-namespaces\nNAMESPACE   NAME         ROLE               AGE\ndefault     test-x8hdc   ClusterRole/test   37m\ntest        test-64hk7   ClusterRole/test   80s\n```\n\nNow, update the `ScopeInstance` and remove the `default` namespace from it:\n\n```\napiVersion: operators.io.operator-framework/v1\nkind: ScopeInstance\nmetadata:\n  name: scopeinstance-sample\nspec:\n  scopeTemplateName: scopetemplate-sample\n  namespaces:\n  - test\n```\n\n```\n$ kubectl apply -f config/samples/operators_v1_scopeinstance.yaml\nscopeinstance.operators.io.operator-framework/scopeinstance-sample configured\n```\n\nVerify that the `RoleBinding` in the `default` namespace is removed but the `RoleBinding` in the `test` namespace still exists:\n\n```\nNAMESPACE   NAME         ROLE               AGE\ntest        test-64hk7   ClusterRole/test   2m45s\n```\n\nIn the end, remove all namespaces from the `ScopeInstance` and verify that it creates a `ClusterRoleBinding` and removes any associated `RoleBinding`s:\n\n```\napiVersion: operators.io.operator-framework/v1\nkind: ScopeInstance\nmetadata:\n  name: scopeinstance-sample\nspec:\n  scopeTemplateName: scopetemplate-sample\n```\n\n```\n$ kubectl apply -f config/samples/operators_v1_scopeinstance.yaml\nscopeinstance.operators.io.operator-framework/scopeinstance-sample configured\n```\n\nVerify `RoleBinding`s are 
removed:\n\n```\n$ kubectl get rolebindings --all-namespaces \nNo resources found\n```\n\nVerify `ClusterRoleBinding` is created:\n\n```\n$ kubectl get clusterrolebindings\nNAME         ROLE               AGE\ntest-mskl2   ClusterRole/test   50s\n```\n\n## How to contribute\n\nFor contributing guidelines, see the [CONTRIBUTING.md][contributing-file] file.\n\n## License\n\nOria Operator is under Apache 2.0 license. See the [LICENSE][license_file] file for details.\n\n[controller-runtime]: https://github.com/kubernetes-sigs/controller-runtime\n[license_file]:./LICENSE\n[of-home]: https://github.com/operator-framework\n[of-blog]: https://www.openshift.com/blog/introducing-the-operator-framework\n[operator-link]: https://kubernetes.io/docs/concepts/extend-kubernetes/operator/\n[sdk-docs]: https://sdk.operatorframework.io\n[operator-framework-community]: https://github.com/operator-framework/community\n[operator-framework-communication]: https://github.com/operator-framework/community#get-involved\n[operator-framework-meetings]: https://github.com/operator-framework/community#meetings\n[contributing-file]:./CONTRIBUTING.md\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foperator-framework%2Foria-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foperator-framework%2Foria-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foperator-framework%2Foria-operator/lists"}