Got the feeling from kubectl get clusterrole ...

that having access control rules, in particular cluster scoped,
lying around without knowing where they come from
will be unmaintainable over time. Labels show up nicely in describe.

2 files changed, 8 insertions, 0 deletions

diff --git a/rbac-namespace-default/events-watcher.yml b/rbac-namespace-default/events-watcher.yml
index 6194e84..3b2e76d 100644
--- a/rbac-namespace-default/events-watcher.yml
+++ b/rbac-namespace-default/events-watcher.yml
@@ -4,6 +4,8 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: events-watcher
+  labels:
+    origin: github.com_Yolean_kubernetes-kafka
 rules:
 - apiGroups:
   - ""
@@ -16,6 +18,8 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: kafka-events-watcher
+  labels:
+    origin: github.com_Yolean_kubernetes-kafka
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
diff --git a/rbac-namespace-default/node-reader.yml b/rbac-namespace-default/node-reader.yml
index 3a133a8..0454579 100644
--- a/rbac-namespace-default/node-reader.yml
+++ b/rbac-namespace-default/node-reader.yml
@@ -4,6 +4,8 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: node-reader
+  labels:
+    origin: github.com_Yolean_kubernetes-kafka
 rules:
 - apiGroups:
   - ""
@@ -16,6 +18,8 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: kafka-node-reader
+  labels:
+    origin: github.com_Yolean_kubernetes-kafka
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole