From 04e5c0bcaeb8f92fa8cba4a1ca193f383ec0bc90 Mon Sep 17 00:00:00 2001
From: Scot Wells
Date: Wed, 20 May 2026 13:04:47 -0500
Subject: [PATCH 1/2] feat: add location-viewer role and include in networking-viewer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The location-admin role existed in isolation — nothing inherited it, so even org owners with full networking access were forbidden from listing locations. Adds a read-only location-viewer role and wires it into networking-viewer so the full viewer/admin hierarchy has location read access.

Co-Authored-By: Claude Sonnet 4.6
---
 config/iam/roles/kustomization.yaml | 1 +
 config/iam/roles/location-viewer.yaml | 13 +++++++++++++
 config/iam/roles/networking-viewer.yaml | 1 +
 3 files changed, 15 insertions(+)
 create mode 100644 config/iam/roles/location-viewer.yaml

diff --git a/config/iam/roles/kustomization.yaml b/config/iam/roles/kustomization.yaml
index 627fb1f3..0ae09ac6 100644
--- a/config/iam/roles/kustomization.yaml
+++ b/config/iam/roles/kustomization.yaml
@@ -9,6 +9,7 @@ resources:
  - gateway-admin.yaml
  - gateway-viewer.yaml
  - location-admin.yaml
+ - location-viewer.yaml
  - networking-admin.yaml
  - networking-viewer.yaml
  - domain-admin.yaml
diff --git a/config/iam/roles/location-viewer.yaml b/config/iam/roles/location-viewer.yaml
new file mode 100644
index 00000000..545d282d
--- /dev/null
+++ b/config/iam/roles/location-viewer.yaml
@@ -0,0 +1,13 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+ name: networking.datumapis.com-location-viewer
+ annotations:
+ kubernetes.io/display-name: Location Viewer
+ kubernetes.io/description: "View access to location resources"
+spec:
+ launchStage: Beta
+ includedPermissions:
+ - networking.datumapis.com/locations.list
+ - networking.datumapis.com/locations.get
+ - networking.datumapis.com/locations.watch
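Review bot: location-viewer.yaml gives no indication that this role is meant to be bound directly rather than inherited, which matters because PATCH 2/2 in this series removes the only inheritance reference added for it, leaving kustomization.yaml as the sole place it is mentioned. A header comment above `apiVersion` would keep the rationale with the file, e.g. `# Intentionally not inherited by networking-viewer: location resources are expected to leave the networking API group, so org roles should bind this role directly.` The role name and all three permission strings embed the networking.datumapis.com group, so that move will require renaming the role and its permissions together; the quoted description next to the unquoted display-name is also a small style inconsistency worth aligning with whichever form the sibling role files use. The org-role binding that the second message refers to is not part of these patches, so it is worth confirming it exists elsewhere before this series is treated as closing the access gap described in PATCH 1/2.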
diff --git a/config/iam/roles/networking-viewer.yaml b/config/iam/roles/networking-viewer.yaml
index 3171c5ec..ac01ed34 100644
--- a/config/iam/roles/networking-viewer.yaml
+++ b/config/iam/roles/networking-viewer.yaml
@@ -11,6 +11,7 @@ spec:
  - name: networking.datumapis.com-connector-viewer
  - name: networking.datumapis.com-gateway-viewer
  - name: networking.datumapis.com-domain-viewer
+ - name: networking.datumapis.com-location-viewer
 includedPermissions:
  - networking.datumapis.com/networks.list
  - networking.datumapis.com/networks.get

From 5385bf0b5c0c376b8aced2eeed9b9f6ba16db49e Mon Sep 17 00:00:00 2001
From: Scot Wells
Date: Wed, 20 May 2026 13:58:50 -0500
Subject: [PATCH 2/2] fix: decouple location-viewer from networking-viewer hierarchy

Location resources are expected to move out of the networking group soon; grant location view access via assignable org roles directly rather than through the networking-viewer inheritance chain.

Co-Authored-By: Claude Sonnet 4.6
---
 config/iam/roles/networking-viewer.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/config/iam/roles/networking-viewer.yaml b/config/iam/roles/networking-viewer.yaml
index ac01ed34..3171c5ec 100644
--- a/config/iam/roles/networking-viewer.yaml
+++ b/config/iam/roles/networking-viewer.yaml
@@ -11,7 +11,6 @@ spec:
  - name: networking.datumapis.com-connector-viewer
  - name: networking.datumapis.com-gateway-viewer
  - name: networking.datumapis.com-domain-viewer
- - name: networking.datumapis.com-location-viewer
 includedPermissions:
  - networking.datumapis.com/networks.list
  - networking.datumapis.com/networks.get
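Review bot: In PATCH 1/2's networking-viewer hunk, the added `- name: networking.datumapis.com-location-viewer` entry is removed again by PATCH 2/2, so the series as a whole leaves the viewer/admin hierarchy without location read access — the gap the first message describes — unless an org role binds location-viewer in a change not shown here. If the two patches land as separate commits, the intermediate state widens the read scope of every principal holding networking-viewer, and of anything that inherits it, to location list/get/watch; squashing them, or recording the transient grant in the history, would avoid confusion when someone later audits who could read locations and when. The list this entry belongs to starts before the hunk, so its key name is not visible here.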