diff --git a/extensions/kubernetes/spi/src/main/java/io/quarkus/kubernetes/spi/KubernetesRoleBindingBuildItem.java b/extensions/kubernetes/spi/src/main/java/io/quarkus/kubernetes/spi/KubernetesRoleBindingBuildItem.java
index 7187c92d1da7a..cfa503f680c68 100644
--- a/extensions/kubernetes/spi/src/main/java/io/quarkus/kubernetes/spi/KubernetesRoleBindingBuildItem.java
+++ b/extensions/kubernetes/spi/src/main/java/io/quarkus/kubernetes/spi/KubernetesRoleBindingBuildItem.java
@@ -5,9 +5,7 @@
/**
* Produce this build item to request the Kubernetes extension to generate
- * a Kubernetes {@code RoleBinding} resource. The configuration here is limited;
- * in particular, you can't specify subjects of the role binding. The role will always
- * be bound to the application's service account.
+ * a Kubernetes {@code RoleBinding} resource.
*
* Note that this can't be used to generate a {@code ClusterRoleBinding}.
*/
@@ -17,6 +15,7 @@ public final class KubernetesRoleBindingBuildItem extends BaseTargetable {
* Can be {@code null}, in which case the resource name is autogenerated.
*/
private final String name;
+ private final String namespace;
/**
* RoleRef configuration.
*/
@@ -47,8 +46,15 @@ public KubernetesRoleBindingBuildItem(String name, String role, boolean clusterW
public KubernetesRoleBindingBuildItem(String name, String target, Map labels, RoleRef roleRef,
Subject... subjects) {
+ this(name, null, target, labels, roleRef, subjects);
+ }
+
+ public KubernetesRoleBindingBuildItem(String name, String namespace, String target, Map labels,
+ RoleRef roleRef,
+ Subject... subjects) {
super(target);
this.name = name;
+ this.namespace = namespace;
this.labels = labels;
this.roleRef = roleRef;
this.subjects = subjects;
@@ -58,6 +64,10 @@ public String getName() {
return this.name;
}
+ public String getNamespace() {
+ return namespace;
+ }
+
public Map getLabels() {
return labels;
}
diff --git a/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/AddRoleBindingResourceDecorator.java b/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/AddRoleBindingResourceDecorator.java
index 4db922a841a59..414a906c32b32 100644
--- a/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/AddRoleBindingResourceDecorator.java
+++ b/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/AddRoleBindingResourceDecorator.java
@@ -21,11 +21,12 @@ public class AddRoleBindingResourceDecorator extends ResourceProvidingDecorator<
private final String deploymentName;
private final String name;
+ private final String namespace;
private final Map labels;
private final RoleRef roleRef;
private final Subject[] subjects;
- public AddRoleBindingResourceDecorator(String deploymentName, String name, Map labels,
+ public AddRoleBindingResourceDecorator(String deploymentName, String name, String namespace, Map labels,
RoleRef roleRef,
Subject... subjects) {
this.deploymentName = deploymentName;
@@ -33,6 +34,7 @@ public AddRoleBindingResourceDecorator(String deploymentName, String name, Map roleBindingLabels = new HashMap<>();
- roleBindingLabels.putAll(labels);
+ Map roleBindingLabels = new HashMap<>(labels);
getDeploymentMetadata(list, deploymentName)
.map(ObjectMeta::getLabels)
.ifPresent(roleBindingLabels::putAll);
- RoleBindingBuilder builder = new RoleBindingBuilder()
- .withNewMetadata()
+ final var metadataBuilder = new RoleBindingBuilder().withNewMetadata()
.withName(name)
- .withLabels(roleBindingLabels)
+ .withLabels(roleBindingLabels);
+ // add namespace if it was specified
+ if (namespace != null) {
+ metadataBuilder.withNamespace(namespace);
+ }
+ RoleBindingBuilder builder = metadataBuilder
.endMetadata()
.withNewRoleRef()
.withKind(roleRef.isClusterWide() ? CLUSTER_ROLE : ROLE)
diff --git a/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesCommonHelper.java b/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesCommonHelper.java
index c0008f7f30615..00b288994d0ac 100644
--- a/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesCommonHelper.java
+++ b/extensions/kubernetes/vanilla/deployment/src/main/java/io/quarkus/kubernetes/deployment/KubernetesCommonHelper.java
@@ -370,6 +370,7 @@ private static Collection createRbacDecorators(String name,
Targetable.filteredByTarget(roleBindingsFromExtensions, target)
.map(rb -> new DecoratorBuildItem(target, new AddRoleBindingResourceDecorator(name,
Strings.isNotNullOrEmpty(rb.getName()) ? rb.getName() : name + "-" + rb.getRoleRef().getName(),
+ rb.getNamespace(),
rb.getLabels(),
rb.getRoleRef(),
rb.getSubjects())))
@@ -405,6 +406,7 @@ private static Collection createRbacDecorators(String name,
boolean clusterWide = roleBinding.clusterWide.orElse(defaultClusterWide);
result.add(new DecoratorBuildItem(target, new AddRoleBindingResourceDecorator(name,
rbName,
+ null, // todo: should namespace be providable via config?
roleBinding.labels,
new RoleRef(roleName, clusterWide),
subjects.toArray(new Subject[0]))));
@@ -443,6 +445,7 @@ private static Collection createRbacDecorators(String name,
requiresServiceAccount = true;
result.add(new DecoratorBuildItem(target, new AddRoleBindingResourceDecorator(name,
name,
+ null, // todo: should namespace be providable via config?
Collections.emptyMap(),
new RoleRef(defaultRoleName, defaultClusterWide),
new Subject(null, SERVICE_ACCOUNT,
@@ -454,6 +457,7 @@ private static Collection createRbacDecorators(String name,
requiresServiceAccount = true;
result.add(new DecoratorBuildItem(target, new AddRoleBindingResourceDecorator(name,
name + "-" + DEFAULT_ROLE_NAME_VIEW,
+ null, // todo: should namespace be providable via config?
Collections.emptyMap(),
new RoleRef(DEFAULT_ROLE_NAME_VIEW, true),
new Subject(null, SERVICE_ACCOUNT,