Feature: allow flexible subjects for clusterrolebindings/rolebindings

[stjudecloud-cloudy]

In Azure AKS users can have access granted by either by their AD group membership, or directly using AD user ID. It would be extremely useful, if user access management could be done using permission-manager.

In order to achieve it, it would be necessary to allow different kind of subjects for both clusterrolebinding and rolebinding.
This is an example of clusterrolebinding used for assigning RBAC to AD group:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-developer
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: id-redacted

Similarly kind: User can be used to grant a specific user access to Kubernetes using RBAC.
Ideally, web interface should allow creation of different kind of subjects and used created subjects for access grants.

[angelbarrera92]

Uhmm we have to analyze it. Currently, when a permissionmanageruser is created, then a serviceaccount is created too. So all bindings stick to the serviceaccount subject.

Changes to 🔝 behaviour is a major change that we have to evaluate, but we understand the situation.

[sandeepcp]

This is just creating a service account. We would like to see more functionality like Role Role bindings
As per the document, service account is just for application and jobs