feat: add Milo IAM ProtectedResources and Roles#12

Merged
mattdjenkinson merged 1 commit into
mainfrom
feat/add-iam-protected-resources
May 5, 2026

Conversation

@mattdjenkinson

Collaborator

Summary

  • Adds config/components/iam/ with Milo IAM ProtectedResources for Vendor and Subprocessor and Roles compliance.miloapis.com-admin / compliance.miloapis.com-viewer, mirroring the fraud and telemetry service patterns.
  • Without these the Milo authorizer denies every request against compliance.miloapis.com/v1alpha1 because the API group is unknown to it. The infra-side change to load this component is in a companion datum-cloud/infra PR.
  • Granting the staff group (or any org-scoped subject) access still requires a separate PolicyBinding to one of the new Roles.

Test plan

  • kustomize build config/components/iam produces the four expected resources.
  • After the corresponding infra PR rolls out, kubectl get protectedresources.iam.miloapis.com compliance.miloapis.com-vendor compliance.miloapis.com-subprocessor resolve in milo-system.
  • kubectl get roles.iam.miloapis.com compliance.miloapis.com-admin compliance.miloapis.com-viewer resolve in milo-system.
  • After applying a PolicyBinding granting compliance.miloapis.com-admin to the staff group, the staff portal can list/create vendors against the staging Milo API.

Add an `iam` component that registers Vendor and Subprocessor with the
Milo IAM authorizer and ships compliance-admin / compliance-viewer
Roles, matching the fraud and telemetry service patterns.

Without these resources every request against
`compliance.miloapis.com/v1alpha1` is denied because the API group is
unknown to the authorizer; deploying just the controller and CRDs is
not enough for staff or organization users to interact with the
service.

Key changes:
- config/components/iam/protected-resources/{vendor,subprocessor}.yaml
  declare each kind with its plural/singular and the standard
  list/get/create/update/delete/patch/watch permission set.
- config/components/iam/roles/compliance-viewer.yaml grants list, get,
  and watch on vendors and subprocessors.
- config/components/iam/roles/compliance-admin.yaml inherits the viewer
  role and adds create, update, delete, and patch.
- config/components/iam/kustomization.yaml exposes the resources as a
  kustomize Component so consumers can include them alongside `base`.

Granting access to the staff group (or any org-scoped role) is still
applied separately through a PolicyBinding referencing
compliance.miloapis.com-admin or -viewer.
@mattdjenkinson mattdjenkinson merged commit be0911c into main May 5, 2026
3 checks passed
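The PR relies on two invariants that are easy to break in a later edit: the viewer Role must stay read-only, and the admin Role must be a strict superset of it (inheritance plus the write verbs) while only naming permissions that a ProtectedResource actually registers. The following is an added example, not code from this PR or from the datum-cloud project: a small lint that would be run over the manifests `kustomize build config/components/iam` renders (loaded into Python dicts). The Milo field names it reads (`spec.plural`, `spec.permissions`, `spec.includedPermissions`, `spec.inheritedRoles`) and the `<group>/<plural>.<verb>` permission string format are assumptions for illustration, and the sample manifests are constructed here rather than copied from the repository.

```python
"""Least-privilege lint for the rendered compliance IAM component.

Added example, not project code. The ProtectedResource/Role field names and
the '<group>/<plural>.<verb>' permission format are ASSUMED; the sample
manifests below are constructed to mirror the shape the PR describes.
"""

GROUP = "compliance.miloapis.com"
READ_VERBS = {"list", "get", "watch"}
WRITE_VERBS = {"create", "update", "delete", "patch"}
PLURALS = ("vendors", "subprocessors")


def protected_resource(kind, plural, singular):
    # Constructed manifest; schema is an assumption, not Milo's documented API.
    return {
        "apiVersion": "iam.miloapis.com/v1alpha1",
        "kind": "ProtectedResource",
        "metadata": {"name": f"{GROUP}-{singular}", "namespace": "milo-system"},
        "spec": {
            "serviceRef": {"name": GROUP},
            "kind": kind,
            "plural": plural,
            "singular": singular,
            "permissions": sorted(READ_VERBS | WRITE_VERBS),
        },
    }


def role(name, perms, inherits=()):
    # Constructed manifest; inheritedRoles/includedPermissions are assumed names.
    return {
        "apiVersion": "iam.miloapis.com/v1alpha1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": "milo-system"},
        "spec": {
            "includedPermissions": sorted(perms),
            "inheritedRoles": [{"name": n} for n in inherits],
        },
    }


VIEWER_PERMS = {f"{GROUP}/{p}.{v}" for p in PLURALS for v in READ_VERBS}
ADMIN_PERMS = {f"{GROUP}/{p}.{v}" for p in PLURALS for v in WRITE_VERBS}

# The four resources the PR's test plan expects, constructed inline.
SAMPLE_MANIFESTS = [
    protected_resource("Vendor", "vendors", "vendor"),
    protected_resource("Subprocessor", "subprocessors", "subprocessor"),
    role(f"{GROUP}-viewer", VIEWER_PERMS),
    role(f"{GROUP}-admin", ADMIN_PERMS, inherits=(f"{GROUP}-viewer",)),
]


def verb(permission):
    """'<group>/<plural>.<verb>' -> '<verb>' (assumed format)."""
    return permission.rsplit(".", 1)[-1]


def effective_permissions(roles, name, seen=None):
    """Permissions a Role grants including everything it inherits; cycle-safe."""
    if seen is None:
        seen = set()
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    spec = roles[name]["spec"]
    perms = set(spec.get("includedPermissions", []))
    for parent in spec.get("inheritedRoles", []):
        perms |= effective_permissions(roles, parent["name"], seen)
    return perms


def lint(manifests):
    """Return a list of findings; an empty list means the component passes."""
    findings = []
    prs = [m for m in manifests if m["kind"] == "ProtectedResource"]
    roles = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "Role"}
    if len(prs) != 2 or len(roles) != 2:
        findings.append(f"expected 2 ProtectedResources and 2 Roles, got {len(prs)} and {len(roles)}")
    # Every permission string a Role may legitimately reference.
    registered = {f"{GROUP}/{pr['spec']['plural']}.{v}" for pr in prs for v in pr["spec"]["permissions"]}
    for name, r in roles.items():
        for p in r["spec"].get("includedPermissions", []):
            if p not in registered:
                findings.append(f"{name}: {p} is not declared by any ProtectedResource")
        for parent in r["spec"].get("inheritedRoles", []):
            if parent["name"] not in roles:
                findings.append(f"{name}: inherits unknown Role {parent['name']}")
    viewer_name, admin_name = f"{GROUP}-viewer", f"{GROUP}-admin"
    if viewer_name in roles and admin_name in roles:
        viewer = effective_permissions(roles, viewer_name)
        admin = effective_permissions(roles, admin_name)
        for p in sorted(viewer):
            if verb(p) in WRITE_VERBS:
                findings.append(f"{viewer_name}: grants write verb via {p}")
        missing = sorted(viewer - admin)
        if missing:
            findings.append(f"{admin_name}: does not inherit viewer permissions {missing}")
        uncovered = sorted(registered - admin)
        if uncovered:
            findings.append(f"{admin_name}: registered permissions it never grants {uncovered}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_MANIFESTS) or ["ok: component passes"]:
        print(finding)
```

In practice the dict list would come from loading the multi-document output of `kustomize build config/components/iam` with a YAML parser rather than from the constructed `SAMPLE_MANIFESTS`; the checks themselves are what matter, and they catch the three regressions a reviewer would otherwise have to eyeball: a write verb slipping into the viewer, the admin Role dropping its viewer inheritance, and a Role naming a permission that no ProtectedResource registers (which the authorizer would then never honour).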
2 participants