feat: add MachineAccount support to PolicyBinding subjects with mandatory namespace validation (#552)

JoseSzycho · web-flow · commit f4a6dd1ee208 · 2026-04-02T12:07:46.000-03:00
Related to: - datum-cloud/enhancements#129
diff --git a/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml b/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml
@@ -140,14 +140,15 @@ spec:
                 items:
                   description: |-
                     Subject contains a reference to the object or user identities a role binding applies to.
-                    This can be a User or Group.
+                    This can be a User, Group, or MachineAccount.
                   properties:
                     kind:
                       description: Kind of object being referenced. Values defined
                         in Kind constants.
                       enum:
                       - User
                       - Group
+                      - MachineAccount
                       type: string
                     name:
                       description: |-
@@ -157,8 +158,8 @@ spec:
                       type: string
                     namespace:
                       description: |-
-                        Namespace of the referenced object. If DNE, then for an SA it refers to the PolicyBinding resource's namespace.
-                        For a User or Group, it is ignored.
+                        Namespace of the referenced object.
+                        If not specified for a Group, User or MachineAccount, it is ignored.
                       type: string
                     uid:
                       description: UID of the referenced object. Optional for system
diff --git a/docs/api/iam.md b/docs/api/iam.md
@@ -1840,7 +1840,7 @@ This can be a reference to a Role custom resource.
 
 
 Subject contains a reference to the object or user identities a role binding applies to.
-This can be a User or Group.
+This can be a User, Group, or MachineAccount.
 
 <table>
     <thead>
@@ -1857,7 +1857,7 @@ This can be a User or Group.
         <td>
           Kind of object being referenced. Values defined in Kind constants.<br/>
           <br/>
-            <i>Enum</i>: User, Group<br/>
+            <i>Enum</i>: User, Group, MachineAccount<br/>
         </td>
         <td>true</td>
       </tr><tr>
@@ -1873,8 +1873,8 @@ users.<br/>
         <td><b>namespace</b></td>
         <td>string</td>
         <td>
-          Namespace of the referenced object. If DNE, then for an SA it refers to the PolicyBinding resource's namespace.
-For a User or Group, it is ignored.<br/>
+          Namespace of the referenced object.
+If not specified for a Group, User or MachineAccount, it is ignored.<br/>
         </td>
         <td>false</td>
       </tr><tr>
diff --git a/pkg/apis/iam/v1alpha1/policybinding_types.go b/pkg/apis/iam/v1alpha1/policybinding_types.go
@@ -16,21 +16,21 @@ type RoleReference struct {
 }
 
 // Subject contains a reference to the object or user identities a role binding applies to.
-// This can be a User or Group.
+// This can be a User, Group, or MachineAccount.
 // +k8s:deepcopy-gen=true
 // +kubebuilder:validation:XValidation:rule="(self.kind == 'Group' && has(self.name) && self.name.startsWith('system:')) || (has(self.uid) && size(self.uid) > 0)",message="UID is required for all subjects except system groups (groups with names starting with 'system:')"
 type Subject struct {
 	// Kind of object being referenced. Values defined in Kind constants.
 	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:Enum=User;Group
+	// +kubebuilder:validation:Enum=User;Group;MachineAccount
 	Kind string `json:"kind"`
 	// Name of the object being referenced. A special group name of
 	// "system:authenticated-users" can be used to refer to all authenticated
 	// users.
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`
-	// Namespace of the referenced object. If DNE, then for an SA it refers to the PolicyBinding resource's namespace.
-	// For a User or Group, it is ignored.
+	// Namespace of the referenced object.
+	// If not specified for a Group, User or MachineAccount, it is ignored.
 	// +kubebuilder:validation:Optional
 	Namespace string `json:"namespace,omitempty"`
 	// UID of the referenced object. Optional for system groups (groups with names starting with "system:").
