add k8s rbac & project api

[mysekai7]

Summary by CodeRabbit

• Documentation
  • Added API docs for Kubernetes resources: Connector, Project, RBAC (ClusterRole, ClusterRoleBinding, Role, RoleBinding), ServiceAccount, and User — including collection and resource endpoints.
  • Added a User CustomResourceDefinition reference with schema, status/subresource, and display columns for API consumers.

[coderabbitai]

Warning

Rate limit exceeded

@JounQin has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 11 minutes and 24 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 11 minutes and 24 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6dbc97f2-010c-44da-a10e-daf4c7d19381

📥 Commits

Reviewing files that changed from the base of the PR and between 5d43da8 and 186749b.

📒 Files selected for processing (17)

• docs/en/apis/kubernetes_apis/connector/connector.mdx
• docs/en/apis/kubernetes_apis/connector/index.mdx
• docs/en/apis/kubernetes_apis/project/index.mdx
• docs/en/apis/kubernetes_apis/project/project.mdx
• docs/en/apis/kubernetes_apis/rbac/clusterrole.mdx
• docs/en/apis/kubernetes_apis/rbac/clusterrolebinding.mdx
• docs/en/apis/kubernetes_apis/rbac/index.mdx
• docs/en/apis/kubernetes_apis/rbac/role.mdx
• docs/en/apis/kubernetes_apis/rbac/rolebinding.mdx
• docs/en/apis/kubernetes_apis/serviceaccount/index.mdx
• docs/en/apis/kubernetes_apis/serviceaccount/serviceaccount.mdx
• docs/en/apis/kubernetes_apis/user/index.mdx
• docs/en/apis/kubernetes_apis/user/user.mdx
• docs/shared/crds/auth.alauda.io_users.yaml
• docs/shared/openapis/auth.alauda.io.v1.json
• docs/shared/openapis/dex.coreos.com.v1.json
• docs/shared/openapis/rbac.authorization.k8s.io.v1.json

Walkthrough

Adds new MDX documentation pages for multiple Kubernetes API groups (Connector, Project, RBAC, ServiceAccount, User) and a new CustomResourceDefinition YAML for the User resource (auth.alauda.io/v1).

Changes

Cohort / File(s)	Summary
API Documentation Index Files docs/en/apis/kubernetes_apis/connector/index.mdx, docs/en/apis/kubernetes_apis/project/index.mdx, docs/en/apis/kubernetes_apis/rbac/index.mdx, docs/en/apis/kubernetes_apis/serviceaccount/index.mdx, docs/en/apis/kubernetes_apis/user/index.mdx	Added new index MDX pages with front matter and an Overview component (empty overviewHeaders).
Connector API docs/en/apis/kubernetes_apis/connector/connector.mdx	New Connector API doc (dex.coreos.com/v1) with OpenAPIPath entries for namespace-scoped collection and resource routes.
Project API docs/en/apis/kubernetes_apis/project/project.mdx	New Project API doc (auth.alauda.io/v1) with OpenAPIPath entries and K8sCrd reference for projects.
RBAC APIs docs/en/apis/kubernetes_apis/rbac/clusterrole.mdx, docs/en/apis/kubernetes_apis/rbac/clusterrolebinding.mdx, docs/en/apis/kubernetes_apis/rbac/role.mdx, docs/en/apis/kubernetes_apis/rbac/rolebinding.mdx	Added RBAC resource docs (rbac.authorization.k8s.io/v1) with collection and resource OpenAPIPath entries; many paths include pathPrefix="/kubernetes/{cluster}".
ServiceAccount API docs/en/apis/kubernetes_apis/serviceaccount/index.mdx, docs/en/apis/kubernetes_apis/serviceaccount/serviceaccount.mdx	Added ServiceAccount index and resource MDX pages (v1) with namespace-scoped OpenAPIPath entries.
User API docs/en/apis/kubernetes_apis/user/index.mdx, docs/en/apis/kubernetes_apis/user/user.mdx	Added User index and resource docs (auth.alauda.io/v1) with OpenAPIPath entries and K8sCrd reference for users.
CRD Definition docs/shared/crds/auth.alauda.io_users.yaml	Added comprehensive CustomResourceDefinition for User (users.auth.alauda.io) including OpenAPI v3 schema, printer columns, status subresource, required fields, and preserved unknown fields.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• chinameok
• fanzy618

Poem

🐰 I nibble docs at break of day,
New CRDs and paths in tidy array—
Connectors, users, roles take flight,
Pages sprout beneath my light.
Hooray for docs; I hop away! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title mentions RBAC and project APIs, which are partially covered, but the PR adds significantly more: connector, serviceaccount, user, and rbac documentation.	Update the title to more accurately reflect all major additions, such as 'add kubernetes API documentation for rbac, project, connector, serviceaccount, and user' or similar.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cherry-pick-AIT-62790-to-master

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

docs/shared/crds/auth.alauda.io_users.yaml (1)

107-107: Inconsistent timestamp field format.

Line 107: last_login_time is typed as string with no format specification. For consistency and validation, consider specifying format: date-time to ensure proper timestamp validation and serialization, aligning with the expired field structure (lines 71-76).

Apply this diff for consistency:

                last_login_time:
+                 format: date-time
                  type: string

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 548d110 and 6594ef3.

📒 Files selected for processing (14)

• docs/en/apis/kubernetes_apis/connector/connector.mdx (1 hunks)
• docs/en/apis/kubernetes_apis/connector/index.mdx (1 hunks)
• docs/en/apis/kubernetes_apis/project/index.mdx (1 hunks)
• docs/en/apis/kubernetes_apis/project/project.mdx (1 hunks)
• docs/en/apis/kubernetes_apis/rbac/clusterrole.mdx (1 hunks)
• docs/en/apis/kubernetes_apis/rbac/clusterrolebinding.mdx (1 hunks)
• docs/en/apis/kubernetes_apis/rbac/index.mdx (1 hunks)
• docs/en/apis/kubernetes_apis/rbac/role.mdx (1 hunks)
• docs/en/apis/kubernetes_apis/rbac/rolebinding.mdx (1 hunks)
• docs/en/apis/kubernetes_apis/serviceaccount/index.mdx (1 hunks)
• docs/en/apis/kubernetes_apis/serviceaccount/serviceaccount.mdx (1 hunks)
• docs/en/apis/kubernetes_apis/user/index.mdx (1 hunks)
• docs/en/apis/kubernetes_apis/user/user.mdx (1 hunks)
• docs/shared/crds/auth.alauda.io_users.yaml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Cloudflare Pages

🔇 Additional comments (12)

docs/en/apis/kubernetes_apis/connector/index.mdx (1)

1-6: Empty YAML front matter may omit necessary metadata.

The file has empty front matter delimiters (lines 1-2). Typically, MDX pages include metadata such as title, sidebar_label, or custom fields. Verify if this is intentional per your documentation template standards or if metadata should be populated.

docs/en/apis/kubernetes_apis/connector/connector.mdx (1)

1-5: LGTM!

The Connector API documentation is well-structured with appropriate OpenAPIPath entries for listing and retrieving individual connectors.

docs/en/apis/kubernetes_apis/rbac/rolebinding.mdx (1)

1-5: LGTM!

The RoleBinding documentation correctly uses namespace-scoped paths with pathPrefix for cluster context. The API endpoints are accurate for the resource type.

docs/en/apis/kubernetes_apis/rbac/clusterrole.mdx (1)

1-5: LGTM!

The ClusterRole documentation correctly uses cluster-scoped paths (no namespace segment) with appropriate pathPrefix. The API endpoints are accurate.

docs/en/apis/kubernetes_apis/project/index.mdx (1)

1-6: Empty YAML front matter may omit necessary metadata.

Similar to other index files, this page has empty front matter. Verify if metadata (e.g., title, sidebar_label) should be populated per your documentation standards.

docs/en/apis/kubernetes_apis/user/index.mdx (1)

1-6: Empty YAML front matter may omit necessary metadata.

This file follows the same pattern as other index files with empty front matter. Confirm whether metadata should be populated per your documentation template standards.

docs/en/apis/kubernetes_apis/serviceaccount/index.mdx (1)

1-6: Empty YAML front matter may omit necessary metadata.

Consistent with other index pages in this PR, this file has empty front matter. Verify if metadata should be included per your documentation standards.

docs/en/apis/kubernetes_apis/rbac/clusterrolebinding.mdx (1)

1-5: Fix incorrect API paths for cluster-scoped resource.

ClusterRoleBinding is a cluster-scoped Kubernetes resource and should not include /namespaces/{namespace}/ in its API paths. The current paths are incompatible with Kubernetes API conventions. Correct paths should omit the namespace segment, matching the structure used in clusterrole.mdx.

Apply this diff to correct the API paths:

 # ClusterRoleBinding [rbac.authorization.k8s.io/v1]
 
-<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/clusterrolebindings" pathPrefix="/kubernetes/{cluster}" />
+<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/clusterrolebindings" pathPrefix="/kubernetes/{cluster}" />
 
-<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/clusterrolebindings/{name}" pathPrefix="/kubernetes/{cluster}" />
+<OpenAPIPath path="/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/{name}" pathPrefix="/kubernetes/{cluster}" />

Likely an incorrect or invalid review comment.

docs/en/apis/kubernetes_apis/rbac/index.mdx (1)

1-2: Empty YAML front matter with no metadata.

The front matter contains only delimiters (---\n---) with no key-value pairs. If metadata (e.g., sidebar labels, description) is needed, populate it; otherwise, consider removing the front matter entirely for clarity.

docs/en/apis/kubernetes_apis/serviceaccount/serviceaccount.mdx (1)

1-5: Documentation structure looks good.

Consistent with standard Kubernetes API documentation pattern. ServiceAccount entries are properly namespaced with the /kubernetes/{cluster} path prefix, and no custom CRD declaration is needed.

docs/en/apis/kubernetes_apis/rbac/role.mdx (1)

1-5: Documentation structure is consistent and well-formed.

Standard Kubernetes RBAC Role endpoints are properly documented with cluster path prefix. No issues identified.

docs/en/apis/kubernetes_apis/user/user.mdx (1)

1-6: Documentation structure is consistent with custom API pattern.

User API documentation follows the established pattern for custom APIs under the auth.alauda.io group. OpenAPI paths and CRD declaration are properly configured.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify corresponding CRD file exists for projects.auth.alauda.io.

Line 6 references a CRD declaration for projects.auth.alauda.io, but the corresponding CRD YAML file is not included in this PR for review. Ensure docs/shared/crds/auth.alauda.io_projects.yaml exists and is properly formatted.

---

🏁 Script executed:

#!/bin/bash
# Verify the Project CRD file exists and is valid YAML
fd -e yaml docs/shared/crds | grep -i project
cat docs/shared/crds/auth.alauda.io_projects.yaml 2>/dev/null | head -20

Length of output: 369

---

🏁 Script executed:

#!/bin/bash
# Verify the Project CRD file exists using corrected fd syntax
echo "=== Searching for Project CRD files ==="
fd --full-path 'auth.alauda.io_projects.yaml' docs/shared/crds 2>/dev/null

echo "=== Checking if docs/shared/crds directory exists ==="
ls -la docs/shared/crds 2>&1 | head -30

echo "=== Listing all YAML files in CRDs directory ==="
fd . docs/shared/crds -e yaml 2>&1 | head -20

Length of output: 2568

---

The CRD file for projects.auth.alauda.io is missing.

Line 6 references <K8sCrd name="projects.auth.alauda.io" />, but the corresponding CRD YAML file docs/shared/crds/auth.alauda.io_projects.yaml does not exist in the repository. The docs/shared/crds/ directory contains 16 CRD files, including auth.alauda.io_users.yaml, but no projects CRD. Either create the missing CRD file or remove the K8sCrd reference if it is not yet implemented.

🤖 Prompt for AI Agents

In docs/en/apis/kubernetes_apis/project/project.mdx around lines 1-6, the page
references a CRD via <K8sCrd name="projects.auth.alauda.io" /> but the
corresponding YAML file docs/shared/crds/auth.alauda.io_projects.yaml is
missing; either add that CRD YAML to docs/shared/crds/ (matching naming
convention and contents of other CRDs) and commit it, or remove/replace the
<K8sCrd ... /> tag from this MDX if the CRD is not ready, ensuring the page
builds without broken references.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Broad use of x-kubernetes-preserve-unknown-fields at multiple levels.

The CRD uses x-kubernetes-preserve-unknown-fields: true at both the spec level (line 85) and root level (line 134). While this enables flexibility for third-party integrations (noted in the extra field comment), it also:

• Allows arbitrary fields that may mask schema validation issues
• Increases the risk of unintended data acceptance
• Makes schema evolution harder to track

Consider narrowing the preserve-unknown-fields scope to only the extra field if possible, or document the rationale for the broader application.

Also applies to: 134-134

[coderabbitai]

⚠️ Potential issue | 🟠 Major

⚠️ Security concern: Plain-text password fields in CRD spec.

The password and old_password fields are stored as plain strings in the User resource spec. Kubernetes resources are persisted in etcd by default, which is not the appropriate place for credential storage. Credentials should be managed via Kubernetes Secrets.

Consider:

1. Removing password fields from the spec and managing them separately via Secrets.
2. If passwords must be included, ensure etcd encryption and access controls are strictly configured.
3. Document the security implications and expected access restrictions.

[cloudflare-workers-and-pages]

Deploying alauda-container-platform with    Cloudflare Pages

Latest commit:	6594ef3
Status:	✅  Deploy successful!
Preview URL:	https://c527a7c6.alauda-container-platform.pages.dev
Branch Preview URL:	https://cherry-pick-ait-62790-to-mas.alauda-container-platform.pages.dev

View logs

[JounQin]

/doc-pr-build

[Copilot]

Pull request overview

Adds documentation pages for several Kubernetes APIs/resources (RBAC, ServiceAccount, Connector, Project, User) and includes a CRD reference for API consumers.

Changes:

• Added MDX API docs pages for RBAC (ClusterRole/ClusterRoleBinding/Role/RoleBinding) and ServiceAccount endpoints.
• Added MDX API docs pages for Connector, Project, and User resources (with CRD embeds for User/Project).
• Added a User CustomResourceDefinition YAML reference under docs/shared/crds/.

Reviewed changes

Copilot reviewed 14 out of 17 changed files in this pull request and generated 12 comments.

Show a summary per file

File	Description
docs/shared/crds/auth.alauda.io_users.yaml	Adds the User CRD reference YAML used by docs; needs minor cleanup/normalization.
docs/en/apis/kubernetes_apis/user/user.mdx	Adds User API endpoint docs + CRD embed; missing cluster path prefix.
docs/en/apis/kubernetes_apis/user/index.mdx	Adds User API section index; contains empty frontmatter block.
docs/en/apis/kubernetes_apis/serviceaccount/serviceaccount.mdx	Adds ServiceAccount endpoint docs (with cluster path prefix).
docs/en/apis/kubernetes_apis/serviceaccount/index.mdx	Adds ServiceAccount API section index; contains empty frontmatter block.
docs/en/apis/kubernetes_apis/rbac/clusterrole.mdx	Adds ClusterRole endpoint docs (with cluster path prefix).
docs/en/apis/kubernetes_apis/rbac/clusterrolebinding.mdx	Adds ClusterRoleBinding endpoint docs (with cluster path prefix).
docs/en/apis/kubernetes_apis/rbac/role.mdx	Adds Role endpoint docs (with cluster path prefix).
docs/en/apis/kubernetes_apis/rbac/rolebinding.mdx	Adds RoleBinding endpoint docs (with cluster path prefix).
docs/en/apis/kubernetes_apis/rbac/index.mdx	Adds RBAC API section index; contains empty frontmatter block.
docs/en/apis/kubernetes_apis/project/project.mdx	Adds Project endpoint docs + CRD embed; missing cluster path prefix and CRD reference appears missing.
docs/en/apis/kubernetes_apis/project/index.mdx	Adds Project API section index; contains empty frontmatter block.
docs/en/apis/kubernetes_apis/connector/connector.mdx	Adds Connector endpoint docs; missing cluster path prefix.
docs/en/apis/kubernetes_apis/connector/index.mdx	Adds Connector API section index; contains empty frontmatter block.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This file contains an empty frontmatter block (--- / ---) but no frontmatter keys. Other docs/en/apis/kubernetes_apis/*/index.mdx pages typically omit frontmatter entirely (e.g., docs/en/apis/kubernetes_apis/alert/index.mdx). Consider removing the empty block for consistency.

Suggested change

	---
	---

[Copilot]

This CRD YAML is missing the leading document separator (---) used by other CRDs under docs/shared/crds/ (e.g., docs/shared/crds/aiops.alauda.io_alerttemplates.yaml:1). Adding it improves consistency and avoids edge cases with multi-document tooling.

[Copilot]

In additionalPrinterColumns, the column named "Username" points to .spec.email, but the schema also defines .spec.username (and it’s required). Either change the jsonPath to .spec.username or rename the column to "Email" to match what’s displayed.

Suggested change

	- jsonPath: .spec.email
	- jsonPath: .spec.username

[Copilot]

This CRD manifest includes a populated status.conditions section with concrete timestamps/messages. In this repo, the CRD YAMLs under docs/shared/crds/ typically keep status empty (e.g., docs/shared/crds/ait.alauda.io_inspections.yaml:150-155), so these values will go stale and create noisy diffs. Consider stripping runtime status.* content (or normalizing it to the empty placeholder form).

Suggested change

	status:
	acceptedNames:
	kind: User
	listKind: UserList
	plural: users
	singular: user
	conditions:
	- lastTransitionTime: 2025-11-06T16:16:25Z
	message: no conflicts found
	reason: NoConflicts
	status: "True"
	type: NamesAccepted
	- lastTransitionTime: 2025-11-06T16:16:25Z
	message: the initial names have been accepted
	reason: InitialNamesAccepted
	status: "True"
	type: Established
	storedVersions:
	- v1
	status: {}

[Copilot]

These OpenAPI paths likely need the Kubernetes proxy prefix (pathPrefix="/kubernetes/{cluster}") like the other Kubernetes API docs added in this PR. Also, <K8sCrd name="projects.auth.alauda.io" /> appears to reference a CRD file that doesn’t exist in docs/shared/crds/ (expected something like docs/shared/crds/auth.alauda.io_projects.yaml). Add the missing CRD YAML (or remove/fix the reference) so the page can render correctly.

Suggested change

	<OpenAPIPath path="/apis/auth.alauda.io/v1/projects" />
	<OpenAPIPath path="/apis/auth.alauda.io/v1/projects/{name}" />
	<K8sCrd name="projects.auth.alauda.io" />
	<OpenAPIPath pathPrefix="/kubernetes/{cluster}" path="/apis/auth.alauda.io/v1/projects" />
	<OpenAPIPath pathPrefix="/kubernetes/{cluster}" path="/apis/auth.alauda.io/v1/projects/{name}" />

[Copilot]

This file contains an empty frontmatter block (--- / ---) but no frontmatter keys. Other docs/en/apis/kubernetes_apis/*/index.mdx pages typically omit frontmatter entirely (e.g., docs/en/apis/kubernetes_apis/alert/index.mdx). Consider removing the empty block for consistency.

Suggested change

	---
	---

[Copilot]

The connector_type field description still contains the kubebuilder scaffolding placeholder ("INSERT ADDITIONAL SPEC FIELDS..." / "Run "make" to regenerate..."). This reads like internal developer guidance rather than API documentation; it should be replaced with a real description (or removed).

Suggested change

	description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
	Important: Run "make" to regenerate code after modifying
	this file'
	description: ConnectorType identifies the type of identity connector
	associated with the user

[Copilot]

These OpenAPI paths are missing pathPrefix="/kubernetes/{cluster}", while other Kubernetes API docs in this PR include it (e.g., RBAC/ServiceAccount pages). Without the prefix, the rendered endpoint URLs will be inconsistent/likely incorrect for cluster-scoped routing.

Suggested change

	<OpenAPIPath path="/apis/auth.alauda.io/v1/users" />
	<OpenAPIPath path="/apis/auth.alauda.io/v1/users/{name}" />
	<OpenAPIPath pathPrefix="/kubernetes/{cluster}" path="/apis/auth.alauda.io/v1/users" />
	<OpenAPIPath pathPrefix="/kubernetes/{cluster}" path="/apis/auth.alauda.io/v1/users/{name}" />

[Copilot]

These OpenAPI paths are missing pathPrefix="/kubernetes/{cluster}", while other Kubernetes API docs in this PR include it (e.g., RBAC/ServiceAccount pages). Without the prefix, the rendered endpoint URLs will be inconsistent/likely incorrect for cluster-scoped routing.

Suggested change

	<OpenAPIPath path="/apis/dex.coreos.com/v1/namespaces/{namespace}/connectors" />
	<OpenAPIPath path="/apis/dex.coreos.com/v1/namespaces/{namespace}/connectors/{name}" />
	<OpenAPIPath pathPrefix="/kubernetes/{cluster}" path="/apis/dex.coreos.com/v1/namespaces/{namespace}/connectors" />
	<OpenAPIPath pathPrefix="/kubernetes/{cluster}" path="/apis/dex.coreos.com/v1/namespaces/{namespace}/connectors/{name}" />

[Copilot]

This file contains an empty frontmatter block (--- / ---) but no frontmatter keys. Other docs/en/apis/kubernetes_apis/*/index.mdx pages typically omit frontmatter entirely (e.g., docs/en/apis/kubernetes_apis/alert/index.mdx). Consider removing the empty block for consistency.

Suggested change

	---
	---