ClusterRolesDiffer returns true if the supplied objects are different ClusterRoles.

Expand RBAC policy rules into our granular rules.

NewClusterRoleBackedValidator creates a ClusterRoleBackedValidator backed by the named RBAC ClusterRole.

NewReconciler returns a Reconciler of ProviderRevisions.

RenderClusterRoles returns ClusterRoles for the supplied ProviderRevision.

Setup adds a controller that reconciles a ProviderRevision by creating a series of opinionated ClusterRoles that may be bound to allow access to the resources it defines.

SystemClusterRoleName returns the name of the 'system' cluster role - i.e.

VerySecureValidator is a PermissionRequestsValidatorFn that rejects all requested permissions.

WithClusterRoleRenderer specifies how the Reconciler should render RBAC ClusterRoles.

WithLogger specifies how the Reconciler should log messages.

WithPermissionRequestsValidator specifies how the Reconciler should validate requests for extra RBAC permissions.

WithRecorder specifies how the Reconciler should record Kubernetes events.

A ClusterRoleBackedValidator is a PermissionRequestsValidator that validates permission requests by comparing them to an RBAC ClusterRole.

EnqueueRequestForAllRevisionsWithRequests enqueues a request for all provider revisions with permission requests when the ClusterRole that enumerates allowed permissions changes.

A Reconciler reconciles ProviderRevisions.

A Rule represents a single, granular RBAC rule.

A ClusterRoleRenderer renders ClusterRoles for the given CRDs.

A PermissionRequestsValidator validates requested RBAC rules.

A ClusterRoleRenderFn renders ClusterRoles for the supplied CRDs.

A PermissionRequestsValidatorFn validates requested RBAC rules.

ReconcilerOption is used to configure the Reconciler.