feat: add IAMRoleSelector CRD/feature

Implements aws-controllers-k8s/community#2628 (mostly)

Introduces a new IAMRoleSelector CRD that enables dynamic IAM role
assignment based on namespace and resource type selectors. This feature
provides an alternative to CARM for role selection and cannot be used
simultaneously with CARM (enforced by validation).

Key components:
- New IAMRoleSelector CRD with namespace and resource type selectors
- Selector matching logic with AND between selector types, OR within arrays
- Dynamic informer-based cache for IAMRoleSelector resources
- Integration into the reconciler to override CARM role selection
- Alpha feature gate (IAMRoleSelector) defaulting to disabled

Note: ResourceTypeSelector uses schema.GroupVersionKind in the API,
which differs from the separate fields approach in the original types.
This may need adjustment based on CRD generation requirements.

Author: a-hilaly

apis/core/v1alpha1/iam_role_selector.go

@@ -0,0 +1,59 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may
+// not use this file except in compliance with the License. A copy of the
+// License is located at
+//
+//     http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+// express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// LabelSelector is a label query over a set of resources.
+type LabelSelector struct {
+	MatchLabels map[string]string `json:"matchLabels"`
+}
+
+// IAMRoleSelectorSpec defines the desired state of IAMRoleSelector
+type NamespaceSelector struct {
+	Names         []string      `json:"name"`
+	LabelSelector LabelSelector `json:"labelSelector,omitempty"`
+}
+
+type IAMRoleSelectorSpec struct {
+	ARN                  string                    `json:"arn"`
+	NamespaceSelector    NamespaceSelector         `json:"namespaceSelector,omitempty"`
+	ResourceTypeSelector []schema.GroupVersionKind `json:"resourceTypeSelector,omitempty"`
+}
+
+type IAMRoleSelectorStatus struct{}
+
+// IAMRoleSelector is the schema for the IAMRoleSelector API.
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+type IAMRoleSelector struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+	Spec              IAMRoleSelectorSpec   `json:"spec,omitempty"`
+	Status            IAMRoleSelectorStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+type IAMRoleSelectorList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []IAMRoleSelector `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&IAMRoleSelector{}, &IAMRoleSelectorList{})
+}

apis/core/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,79 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.2
+  name: iamroleselectors.services.k8s.aws
+spec:
+  group: services.k8s.aws
+  names:
+    kind: IAMRoleSelector
+    listKind: IAMRoleSelectorList
+    plural: iamroleselectors
+    singular: iamroleselector
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: IAMRoleSelector is the schema for the IAMRoleSelector API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              arn:
+                type: string
+              namespaceSelector:
+                description: IAMRoleSelectorSpec defines the desired state of IAMRoleSelector
+                properties:
+                  labelSelector:
+                    description: LabelSelector is a label query over a set of resources.
+                    properties:
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        type: object
+                    required:
+                    - matchLabels
+                    type: object
+                  name:
+                    items:
+                      type: string
+                    type: array
+                required:
+                - name
+                type: object
+              resourceTypeSelector:
+                items:
+                  description: |-
+                    GroupVersionKind unambiguously identifies a kind.  It doesn't anonymously include GroupVersion
+                    to avoid automatic coercion.  It doesn't use a GroupVersion to avoid custom marshalling
+                  type: object
+                type: array
+            required:
+            - arn
+            type: object
+          status:
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

config/crd/bases/services.k8s.aws_iamroleselectors.yaml

@@ -3,5 +3,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - bases/services.k8s.aws_iamroleselectors.yaml
   - bases/services.k8s.aws_adoptedresources.yaml
   - bases/services.k8s.aws_fieldexports.yaml

config/crd/kustomization.yaml

@@ -380,6 +380,11 @@ func (cfg *Config) Validate(ctx context.Context, options ...Option) error {
 		return fmt.Errorf("error overriding feature gates: %v", err)
 	}
 
+	// IAMRolerSelector cannotbe used with enable-carm=true
+	if cfg.FeatureGates.IsEnabled(featuregate.IAMRoleSelector) && cfg.EnableCARM {
+		return fmt.Errorf("cannot enable feature gate '%s' when flag '%s' is set to true", featuregate.IAMRoleSelector, flagEnableCARM)
+	}
+
 	return nil
 }
 

pkg/config/config.go

@@ -31,6 +31,9 @@ const (
 
 	// ServiceLevelCARM is a feature gate for enabling CARM for service-level resources.
 	ServiceLevelCARM = "ServiceLevelCARM"
+
+	// IAMRoleSelector is a feature gate for enabling the IAMRoleSelector feature and reconciler.
+	IAMRoleSelector = "IAMRoleSelector"
 )
 
 // defaultACKFeatureGates is a map of feature names to Feature structs
@@ -40,6 +43,7 @@ var defaultACKFeatureGates = FeatureGates{
 	ReadOnlyResources: {Stage: Beta, Enabled: true},
 	TeamLevelCARM:     {Stage: Alpha, Enabled: false},
 	ServiceLevelCARM:  {Stage: Alpha, Enabled: false},
+	IAMRoleSelector:   {Stage: Alpha, Enabled: false},
 }
 
 // FeatureStage represents the development stage of a feature.

pkg/featuregate/features.go

@@ -466,7 +466,7 @@ func (r *adoptionReconciler) getOwnerAccountID(
 ) (ackv1alpha1.AWSAccountID, bool) {
 	// look for owner account id in the namespace annotations
 	namespace := res.GetNamespace()
-	accID, ok := r.cache.Namespaces.GetOwnerAccountID(namespace)
+	accID, ok := r.carmCache.Namespaces.GetOwnerAccountID(namespace)
 	if ok {
 		return ackv1alpha1.AWSAccountID(accID), true
 	}
@@ -481,7 +481,7 @@ func (r *adoptionReconciler) getTeamID(
 ) ackv1alpha1.TeamID {
 	// look for team id in the namespace annotations
 	namespace := res.GetNamespace()
-	teamID, ok := r.cache.Namespaces.GetTeamID(namespace)
+	teamID, ok := r.carmCache.Namespaces.GetTeamID(namespace)
 	if ok {
 		return ackv1alpha1.TeamID(teamID)
 	}
@@ -497,7 +497,7 @@ func (r *adoptionReconciler) getEndpointURL(
 ) string {
 	// look for endpoint url in the namespace annotations
 	namespace := res.GetNamespace()
-	endpointURL, ok := r.cache.Namespaces.GetEndpointURL(namespace)
+	endpointURL, ok := r.carmCache.Namespaces.GetEndpointURL(namespace)
 	if ok {
 		return endpointURL
 	}
@@ -512,9 +512,9 @@ func (r *adoptionReconciler) getRoleARN(id string, cacheName string) (ackv1alpha
 	var cache *ackrtcache.CARMMap
 	switch cacheName {
 	case ackrtcache.ACKRoleTeamMap:
-		cache = r.cache.Teams
+		cache = r.carmCache.Teams
 	case ackrtcache.ACKRoleAccountMap:
-		cache = r.cache.Accounts
+		cache = r.carmCache.Accounts
 	default:
 		return "", fmt.Errorf("invalid cache name: %s", cacheName)
 	}
@@ -552,7 +552,7 @@ func (r *adoptionReconciler) getRegion(
 
 	// look for default region in namespace metadata annotations
 	ns := res.GetNamespace()
-	defaultRegion, ok := r.cache.Namespaces.GetDefaultRegion(ns)
+	defaultRegion, ok := r.carmCache.Namespaces.GetDefaultRegion(ns)
 	if ok {
 		return ackv1alpha1.AWSRegion(defaultRegion)
 	}
@@ -623,7 +623,7 @@ func NewAdoptionReconcilerWithClient(
 			log:       log.WithName("adopted-reconciler"),
 			cfg:       cfg,
 			metrics:   metrics,
-			cache:     cache,
+			carmCache: cache,
 			kc:        kc,
 			apiReader: apiReader,
 		},