{"id":30754305,"url":"https://github.com/reddit/achilles-token-controller","last_synced_at":"2025-09-14T15:05:45.600Z","repository":{"id":268836864,"uuid":"878102721","full_name":"reddit/achilles-token-controller","owner":"reddit","description":"Example Achilles SDK controller for tutorial purposes.","archived":false,"fork":false,"pushed_at":"2025-06-18T19:05:16.000Z","size":136,"stargazers_count":12,"open_issues_count":1,"forks_count":4,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-09-04T09:31:35.399Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/reddit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-24T19:33:13.000Z","updated_at":"2025-07-10T20:09:06.000Z","dependencies_parsed_at":"2024-12-19T07:42:19.979Z","dependency_job_id":"c5dde3b7-09cb-4243-b222-3fc1acbd21a1","html_url":"https://github.com/reddit/achilles-token-controller","commit_stats":null,"previous_names":["reddit/achilles-token-controller"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/reddit/achilles-token-controller","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reddit%2Fachilles-token-controller","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reddit%2Fachilles-token-controller/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reddit%2Fachilles-token-controller/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposi
tories/reddit%2Fachilles-token-controller/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/reddit","download_url":"https://codeload.github.com/reddit/achilles-token-controller/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/reddit%2Fachilles-token-controller/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275121427,"owners_count":25409034,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-14T02:00:10.474Z","response_time":75,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-09-04T09:08:06.311Z","updated_at":"2025-09-14T15:05:45.592Z","avatar_url":"https://github.com/reddit.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# achilles-token-controller\n\nThis is an example Achilles SDK based controller showcasing SDK basics.\nIt implements the `AccessToken` CRD, which allows creating a Kubernetes bearer token with\nspecified permissions.\n\n## Running the controller\n\n1. Clone the `achilles-token-controller`.\n\n    ```\n    git clone git@github.com:reddit/achilles-token-controller.git\n    ```\n\n1. Ensure you have [k3d](https://k3d.io/v5.7.4/#installation) installed.\n\n1. Deploy a local cluster with k3d.\n\n    ```sh\n    k3d cluster create orch\n    ```\n\n1. 
Verify the above command updated your `kubecontext` to the k3d cluster.\n\n    ```sh\n    kubectl config current-context\n    ```\n\n   The output should be:\n\n    ```txt\n    k3d-orch\n    ```\n1. Build the controller image.\n\n    ```sh\n    make docker\n    ```\n\n1. Load the controller image into the k3d cluster.\n\n   ```sh\n   k3d image import achilles-token-controller:latest -c orch\n   ```\n\n1. Open `manifests/base/manager.yaml` and replace `image: REPLACE-ME` with `image: achilles-token-controller:latest`.\n   If this file doesn't exist, run `make generate`.\n1. Create the namespace for the controller.\n   ```sh\n   kubectl create namespace achilles-system\n   ```\n1. Deploy the controller.\n    ```sh\n    kubectl apply -f manifests/base/manager.yaml\n    ```\n1. Test the controller with this example AccessToken.\n   ```yaml\n   apiVersion: group.example.com/v1alpha1\n   kind: AccessToken\n   metadata:\n     name: test\n     namespace: default\n   spec:\n     namespacedPermissions:\n     - namespace: default\n       rules:\n       - apiGroups: [\"\"]\n         resources: [\"configmaps\"]\n         verbs:     [\"*\"]\n     - namespace: kube-system\n       rules:\n       - apiGroups: [\"\"]\n         resources: [\"configmaps\"]\n         verbs:     [\"get\", \"list\", \"watch\"]\n     clusterPermissions:\n       rules:\n       - apiGroups: [\"\"]\n         resources: [\"namespaces\"]\n         verbs:     [\"get\", \"list\", \"watch\"]\n    ```\n1. 
Check that the AccessToken was processed successfully.\n   ```sh\n   kubectl get accesstoken test -n default -oyaml\n   ```\n\n   You should see the following status condition, indicating that the object was instantiated successfully.\n\n   ```yaml\n    status:\n      conditions:\n      - lastTransitionTime: \"2024-10-24T17:33:35Z\"\n        message: All conditions successful.\n        observedGeneration: 1\n        reason: ConditionsSuccessful\n        status: \"True\"\n        type: Ready\n    ```\n   You'll also see that it provisioned a deploy token as a secret, whose name is under `status.tokenSecretRef`.\n\n1. As a bonus, we can use `kubectl auth can-i` ([docs here](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_auth/kubectl_auth_can-i/))\n   to check that the deploy token in fact has the permissions that we declared for it.\n   We first need to locate the Service Account that the AccessToken was created for, which can be found under `status.resourceRefs`\n   with `kind: ServiceAccount`.\n\n    ```sh\n    kubectl auth can-i --as=system:serviceaccount:default:test create configmaps -n default # should report yes\n    kubectl auth can-i --as=system:serviceaccount:default:test create configmaps -n kube-system # should report no\n    kubectl auth can-i --as=system:serviceaccount:default:test list configmaps -n kube-system # should report yes\n    kubectl auth can-i --as=system:serviceaccount:default:test create namespaces # should report no\n    kubectl auth can-i --as=system:serviceaccount:default:test list namespaces # should report yes\n    ```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freddit%2Fachilles-token-controller","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Freddit%2Fachilles-token-controller","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Freddit%2Fachilles-token-controller/lists"}