From d7f5713bbf22eeba256245f9c3a706998138694d Mon Sep 17 00:00:00 2001
From: justinsb
Date: Sat, 26 Apr 2025 09:49:24 -0400
Subject: [PATCH] guestbook-operator: update controller-gen

We want up-to-date annotations on the CRD for patches.

---
 examples/guestbook-operator/Makefile | 6 +-
 .../api/v1alpha1/zz_generated.deepcopy.go | 1 -
 .../crd/addons.example.org_guestbooks.yaml | 269 ------------------
 .../bases/addons.example.org_guestbooks.yaml | 44 +-
 .../addons.example.org_guestbookspecs.yaml | 252 ----------------
 .../guestbook-operator/config/rbac/role.yaml | 2 -
 6 files changed, 28 insertions(+), 546 deletions(-)
 delete mode 100644 examples/guestbook-operator/config/crd/addons.example.org_guestbooks.yaml
 delete mode 100644 examples/guestbook-operator/config/crd/bases/addons.example.org_guestbookspecs.yaml
diff --git a/examples/guestbook-operator/Makefile b/examples/guestbook-operator/Makefile
index c861790b..84ceac08 100644
--- a/examples/guestbook-operator/Makefile
+++ b/examples/guestbook-operator/Makefile
@@ -1,8 +1,8 @@
 # Image URL to use all building/pushing image targets
 IMG ?= controller:latest
-# Produce CRDs that work back to Kubernetes 1.11 (no version conversion)
-CRD_OPTIONS ?= "crd:trivialVersions=true,preserveUnknownFields=false"
+# Produce v1 CRDs
+CRD_OPTIONS ?= "crd:crdVersions=v1"
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -98,7 +98,7 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v3.8.7
-CONTROLLER_TOOLS_VERSION ?= v0.4.1
+CONTROLLER_TOOLS_VERSION ?= v0.17.3
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize
diff --git a/examples/guestbook-operator/api/v1alpha1/zz_generated.deepcopy.go b/examples/guestbook-operator/api/v1alpha1/zz_generated.deepcopy.go
index 4a9e830c..9358a77f 100644
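Review bot: The new comment `# Produce v1 CRDs` above `CRD_OPTIONS ?= "crd:crdVersions=v1"` loses the information the removed `preserveUnknownFields=false` carried, and that is the behaviour that matters for this change: apiextensions v1 CRDs always use a structural schema and prune unknown fields unless a schema node opts out with `x-kubernetes-preserve-unknown-fields`, which is exactly what the regenerated `patches` field in the CRD hunk now relies on. Suggest `# Produce v1 CRDs (structural schema; unknown fields are pruned unless a field opts out via x-kubernetes-preserve-unknown-fields)`. If I recall correctly v1 is already the default `crdVersions` value in recent controller-gen, so this option is mainly documentary and the bump to v0.17.3 in the second hunk is what actually drives the regenerated schema.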
--- a/examples/guestbook-operator/api/v1alpha1/zz_generated.deepcopy.go
+++ b/examples/guestbook-operator/api/v1alpha1/zz_generated.deepcopy.go
@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated
 
 /*
 Copyright 2020 The Kubernetes Authors.
diff --git a/examples/guestbook-operator/config/crd/addons.example.org_guestbooks.yaml b/examples/guestbook-operator/config/crd/addons.example.org_guestbooks.yaml
deleted file mode 100644
index 86cea890..00000000
--- a/examples/guestbook-operator/config/crd/addons.example.org_guestbooks.yaml
+++ /dev/null
@@ -1,269 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - name: guestbooks.addons.example.org -spec: - group: addons.example.org - names: - kind: Guestbook - plural: guestbooks - scope: "" - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Guestbook is the Schema for the guestbooks API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - properties: - annotations: - additionalProperties: - type: string - description: 'Annotations is an unstructured key value map stored - with a resource that may be set by external tools to store and retrieve - arbitrary metadata. They are not queryable and should be preserved - when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations' - type: object - clusterName: - description: The name of the cluster which the object belongs to. - This is used to distinguish resources with same name and namespace - in different clusters. This field is not set anywhere right now - and apiserver is going to ignore it if set in create or update request. - type: string - creationTimestamp: - description: "CreationTimestamp is a timestamp representing the server - time when this object was created. It is not guaranteed to be set - in happens-before order across separate operations. 
Clients may - not set this value. It is represented in RFC3339 form and is in - UTC. \n Populated by the system. Read-only. Null for lists. More - info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - format: date-time - type: string - deletionGracePeriodSeconds: - description: Number of seconds allowed for this object to gracefully - terminate before it will be removed from the system. Only set when - deletionTimestamp is also set. May only be shortened. Read-only. - format: int64 - type: integer - deletionTimestamp: - description: "DeletionTimestamp is RFC 3339 date and time at which - this resource will be deleted. This field is set by the server when - a graceful deletion is requested by the user, and is not directly - settable by a client. The resource is expected to be deleted (no - longer visible from resource lists, and not reachable by name) after - the time in this field, once the finalizers list is empty. As long - as the finalizers list contains items, deletion is blocked. Once - the deletionTimestamp is set, this value may not be unset or be - set further into the future, although it may be shortened or the - resource may be deleted prior to this time. For example, a user - may request that a pod is deleted in 30 seconds. The Kubelet will - react by sending a graceful termination signal to the containers - in the pod. After that 30 seconds, the Kubelet will send a hard - termination signal (SIGKILL) to the container and after cleanup, - remove the pod from the API. In the presence of network partitions, - this object may still exist after this timestamp, until an administrator - or automated process can determine the resource is fully terminated. - If not set, graceful deletion of the object has not been requested. - \n Populated by the system when a graceful deletion is requested. - Read-only. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - format: date-time - type: string - finalizers: - description: Must be empty before the object is deleted from the registry. - Each entry is an identifier for the responsible component that will - remove the entry from the list. If the deletionTimestamp of the - object is non-nil, entries in this list can only be removed. - items: - type: string - type: array - generateName: - description: "GenerateName is an optional prefix, used by the server, - to generate a unique name ONLY IF the Name field has not been provided. - If this field is used, the name returned to the client will be different - than the name passed. This value will also be combined with a unique - suffix. The provided value has the same validation rules as the - Name field, and may be truncated by the length of the suffix required - to make the value unique on the server. \n If this field is specified - and the generated name exists, the server will NOT return a 409 - - instead, it will either return 201 Created or 500 with Reason - ServerTimeout indicating a unique name could not be found in the - time allotted, and the client should retry (optionally after the - time indicated in the Retry-After header). \n Applied only if Name - is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency" - type: string - generation: - description: A sequence number representing a specific generation - of the desired state. Populated by the system. Read-only. - format: int64 - type: integer - labels: - additionalProperties: - type: string - description: 'Map of string keys and values that can be used to organize - and categorize (scope and select) objects. May match selectors of - replication controllers and services. 
More info: http://kubernetes.io/docs/user-guide/labels' - type: object - managedFields: - description: ManagedFields maps workflow-id and version to the set - of fields that are managed by that workflow. This is mostly for - internal housekeeping, and users typically shouldn't need to set - or understand this field. A workflow can be the user's name, a controller's - name, or the name of a specific apply path like "ci-cd". The set - of fields is always in the version that the workflow used when modifying - the object. - items: - properties: - apiVersion: - description: APIVersion defines the version of this resource - that this field set applies to. The format is "group/version" - just like the top-level APIVersion field. It is necessary - to track the version of a field set because it cannot be automatically - converted. - type: string - fieldsType: - description: 'FieldsType is the discriminator for the different - fields format and version. There is currently only one possible - value: "FieldsV1"' - type: string - fieldsV1: - description: FieldsV1 holds the first JSON version format as - described in the "FieldsV1" type. - type: object - manager: - description: Manager is an identifier of the workflow managing - these fields. - type: string - operation: - description: Operation is the type of operation which lead to - this ManagedFieldsEntry being created. The only valid values - for this field are 'Apply' and 'Update'. - type: string - time: - description: Time is timestamp of when these fields were set. - It should always be empty if Operation is 'Apply' - format: date-time - type: string - type: object - type: array - name: - description: 'Name must be unique within a namespace. Is required - when creating resources, although some resources may allow a client - to request the generation of an appropriate name automatically. - Name is primarily intended for creation idempotence and configuration - definition. Cannot be updated. 
More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - namespace: - description: "Namespace defines the space within each name must be - unique. An empty namespace is equivalent to the \"default\" namespace, - but \"default\" is the canonical representation. Not all objects - are required to be scoped to a namespace - the value of this field - for those objects will be empty. \n Must be a DNS_LABEL. Cannot - be updated. More info: http://kubernetes.io/docs/user-guide/namespaces" - type: string - ownerReferences: - description: List of objects depended by this object. If ALL objects - in the list have been deleted, this object will be garbage collected. - If this object is managed by a controller, then an entry in this - list will point to this controller, with the controller field set - to true. There cannot be more than one managing controller. - items: - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. Defaults to false. - To set this field, a user needs "delete" permission of the - owner, otherwise 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing - controller. - type: boolean - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - uid: - description: 'UID of the referent. 
More info: http://kubernetes.io/docs/user-guide/identifiers#uids' - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - type: array - resourceVersion: - description: "An opaque value that represents the internal version - of this object that can be used by clients to determine when objects - have changed. May be used for optimistic concurrency, change detection, - and the watch operation on a resource or set of resources. Clients - must treat these values as opaque and passed unmodified back to - the server. They may only be valid for a particular resource or - set of resources. \n Populated by the system. Read-only. Value must - be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency" - type: string - selfLink: - description: "SelfLink is a URL representing this object. Populated - by the system. Read-only. \n DEPRECATED Kubernetes will stop propagating - this field in 1.20 release and the field is planned to be removed - in 1.21 release." - type: string - uid: - description: "UID is the unique in time and space value for this object. - It is typically generated by the server on successful creation of - a resource and is not allowed to change on PUT operations. \n Populated - by the system. Read-only. 
More info: http://kubernetes.io/docs/user-guide/identifiers#uids" - type: string - type: object - spec: - properties: - channel: - description: 'Channel specifies a channel that can be used to resolve - a specific addon, eg: stable It will be ignored if Version is specified' - type: string - patches: - items: - type: object - type: array - version: - description: Version specifies the exact addon version to be deployed, - eg 1.2.3 It should not be specified if Channel is specified - type: string - type: object - status: - properties: - errors: - items: - type: string - type: array - healthy: - type: boolean - required: - - healthy - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/examples/guestbook-operator/config/crd/bases/addons.example.org_guestbooks.yaml b/examples/guestbook-operator/config/crd/bases/addons.example.org_guestbooks.yaml index ccc214ad..f11a30c5 100644 --- a/examples/guestbook-operator/config/crd/bases/addons.example.org_guestbooks.yaml +++ b/examples/guestbook-operator/config/crd/bases/addons.example.org_guestbooks.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.17.3 name: guestbooks.addons.example.org spec: group: addons.example.org 
@@ -22,14 +20,19 @@ spec: description: Guestbook is the Schema for the guestbooks API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -37,16 +40,20 @@ spec: description: GuestbookSpec defines the desired state of Guestbook properties: channel: - description: 'Channel specifies a channel that can be used to resolve - a specific addon, eg: stable It will be ignored if Version is specified' + description: |- + Channel specifies a channel that can be used to resolve a specific addon, eg: stable + It will be ignored if Version is specified type: string patches: items: type: object + x-kubernetes-preserve-unknown-fields: true type: array + x-kubernetes-preserve-unknown-fields: true version: - description: Version specifies the exact addon version to be deployed, - eg 1.2.3 It should not be specified if Channel is specified + description: |- + Version specifies the exact addon version to be deployed, eg 1.2.3 + It should not be specified if Channel is specified type: string type: object status: @@ -58,19 +65,18 @@ spec: type: array healthy: type: boolean + observedGeneration: + default: 0 + format: int64 + type: integer phase: type: string required: - healthy + - observedGeneration type: object type: object served: true storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/examples/guestbook-operator/config/crd/bases/addons.example.org_guestbookspecs.yaml b/examples/guestbook-operator/config/crd/bases/addons.example.org_guestbookspecs.yaml deleted file mode 100644 index 66d55c47..00000000 --- a/examples/guestbook-operator/config/crd/bases/addons.example.org_guestbookspecs.yaml +++ /dev/null 
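Review bot: The regenerated `patches` entry in the `-37,16` hunk has no `description`, unlike the neighbouring `channel` and `version`, yet it is the one field that now opts out of pruning with `x-kubernetes-preserve-unknown-fields: true` on both the array and its `items`, so anything a client writes there is persisted without server-side schema validation. Since controller-gen takes descriptions from Go doc comments, the fix belongs on the `Patches` field of the `GuestbookSpec` type (presumably under `api/v1alpha1`, where the deepcopy file in this patch lives), for example `// Patches holds patch objects that are stored as given; the API server does not validate their contents.`, after which the next regeneration emits it here. Because the schema no longer constrains those objects, whatever validation of patch contents exists has to live in the reconciler, so it is worth confirming it rejects malformed entries rather than applying them. The enclosing `openAPIV3Schema` block starts before and ends after this hunk.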
@@ -1,252 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - creationTimestamp: null - name: guestbookspecs.addons.example.org -spec: - group: addons.example.org - names: - kind: GuestbookSpec - plural: guestbookspecs - scope: "" - validation: - openAPIV3Schema: - description: GuestbookSpec defines the desired state of Guestbook - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - channel: - description: 'Channel specifies a channel that can be used to resolve a - specific addon, eg: stable It will be ignored if Version is specified' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - properties: - annotations: - additionalProperties: - type: string - description: 'Annotations is an unstructured key value map stored with - a resource that may be set by external tools to store and retrieve - arbitrary metadata. They are not queryable and should be preserved - when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations' - type: object - clusterName: - description: The name of the cluster which the object belongs to. This - is used to distinguish resources with same name and namespace in different - clusters. This field is not set anywhere right now and apiserver is - going to ignore it if set in create or update request. 
- type: string - creationTimestamp: - description: "CreationTimestamp is a timestamp representing the server - time when this object was created. It is not guaranteed to be set - in happens-before order across separate operations. Clients may not - set this value. It is represented in RFC3339 form and is in UTC. \n - Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - format: date-time - type: string - deletionGracePeriodSeconds: - description: Number of seconds allowed for this object to gracefully - terminate before it will be removed from the system. Only set when - deletionTimestamp is also set. May only be shortened. Read-only. - format: int64 - type: integer - deletionTimestamp: - description: "DeletionTimestamp is RFC 3339 date and time at which this - resource will be deleted. This field is set by the server when a graceful - deletion is requested by the user, and is not directly settable by - a client. The resource is expected to be deleted (no longer visible - from resource lists, and not reachable by name) after the time in - this field, once the finalizers list is empty. As long as the finalizers - list contains items, deletion is blocked. Once the deletionTimestamp - is set, this value may not be unset or be set further into the future, - although it may be shortened or the resource may be deleted prior - to this time. For example, a user may request that a pod is deleted - in 30 seconds. The Kubelet will react by sending a graceful termination - signal to the containers in the pod. After that 30 seconds, the Kubelet - will send a hard termination signal (SIGKILL) to the container and - after cleanup, remove the pod from the API. In the presence of network - partitions, this object may still exist after this timestamp, until - an administrator or automated process can determine the resource is - fully terminated. 
If not set, graceful deletion of the object has - not been requested. \n Populated by the system when a graceful deletion - is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - format: date-time - type: string - finalizers: - description: Must be empty before the object is deleted from the registry. - Each entry is an identifier for the responsible component that will - remove the entry from the list. If the deletionTimestamp of the object - is non-nil, entries in this list can only be removed. - items: - type: string - type: array - generateName: - description: "GenerateName is an optional prefix, used by the server, - to generate a unique name ONLY IF the Name field has not been provided. - If this field is used, the name returned to the client will be different - than the name passed. This value will also be combined with a unique - suffix. The provided value has the same validation rules as the Name - field, and may be truncated by the length of the suffix required to - make the value unique on the server. \n If this field is specified - and the generated name exists, the server will NOT return a 409 - - instead, it will either return 201 Created or 500 with Reason ServerTimeout - indicating a unique name could not be found in the time allotted, - and the client should retry (optionally after the time indicated in - the Retry-After header). \n Applied only if Name is not specified. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency" - type: string - generation: - description: A sequence number representing a specific generation of - the desired state. Populated by the system. Read-only. - format: int64 - type: integer - labels: - additionalProperties: - type: string - description: 'Map of string keys and values that can be used to organize - and categorize (scope and select) objects. 
May match selectors of - replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels' - type: object - managedFields: - description: ManagedFields maps workflow-id and version to the set of - fields that are managed by that workflow. This is mostly for internal - housekeeping, and users typically shouldn't need to set or understand - this field. A workflow can be the user's name, a controller's name, - or the name of a specific apply path like "ci-cd". The set of fields - is always in the version that the workflow used when modifying the - object. - items: - properties: - apiVersion: - description: APIVersion defines the version of this resource that - this field set applies to. The format is "group/version" just - like the top-level APIVersion field. It is necessary to track - the version of a field set because it cannot be automatically - converted. - type: string - fieldsType: - description: 'FieldsType is the discriminator for the different - fields format and version. There is currently only one possible - value: "FieldsV1"' - type: string - fieldsV1: - description: FieldsV1 holds the first JSON version format as described - in the "FieldsV1" type. - type: object - manager: - description: Manager is an identifier of the workflow managing - these fields. - type: string - operation: - description: Operation is the type of operation which lead to - this ManagedFieldsEntry being created. The only valid values - for this field are 'Apply' and 'Update'. - type: string - time: - description: Time is timestamp of when these fields were set. - It should always be empty if Operation is 'Apply' - format: date-time - type: string - type: object - type: array - name: - description: 'Name must be unique within a namespace. Is required when - creating resources, although some resources may allow a client to - request the generation of an appropriate name automatically. 
Name - is primarily intended for creation idempotence and configuration definition. - Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - namespace: - description: "Namespace defines the space within each name must be unique. - An empty namespace is equivalent to the \"default\" namespace, but - \"default\" is the canonical representation. Not all objects are required - to be scoped to a namespace - the value of this field for those objects - will be empty. \n Must be a DNS_LABEL. Cannot be updated. More info: - http://kubernetes.io/docs/user-guide/namespaces" - type: string - ownerReferences: - description: List of objects depended by this object. If ALL objects - in the list have been deleted, this object will be garbage collected. - If this object is managed by a controller, then an entry in this list - will point to this controller, with the controller field set to true. - There cannot be more than one managing controller. - items: - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. Defaults to false. To - set this field, a user needs "delete" permission of the owner, - otherwise 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - uid: - description: 'UID of the referent. 
More info: http://kubernetes.io/docs/user-guide/identifiers#uids' - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - type: array - resourceVersion: - description: "An opaque value that represents the internal version of - this object that can be used by clients to determine when objects - have changed. May be used for optimistic concurrency, change detection, - and the watch operation on a resource or set of resources. Clients - must treat these values as opaque and passed unmodified back to the - server. They may only be valid for a particular resource or set of - resources. \n Populated by the system. Read-only. Value must be treated - as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency" - type: string - selfLink: - description: "SelfLink is a URL representing this object. Populated - by the system. Read-only. \n DEPRECATED Kubernetes will stop propagating - this field in 1.20 release and the field is planned to be removed - in 1.21 release." - type: string - uid: - description: "UID is the unique in time and space value for this object. - It is typically generated by the server on successful creation of - a resource and is not allowed to change on PUT operations. \n Populated - by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids" - type: string - type: object - patches: - items: - type: object - type: array - version: - description: Version specifies the exact addon version to be deployed, eg - 1.2.3 It should not be specified if Channel is specified - type: string - type: object - versions: - - name: v1alpha1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/examples/guestbook-operator/config/rbac/role.yaml b/examples/guestbook-operator/config/rbac/role.yaml index fdf834b2..0e54826a 100644 
--- a/examples/guestbook-operator/config/rbac/role.yaml +++ b/examples/guestbook-operator/config/rbac/role.yaml @@ -1,9 +1,7 @@ - --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - creationTimestamp: null name: manager-role rules: - apiGroups: