Include admin ClusterRole and add it to the scaffold

docs/book/src/cronjob-tutorial/testdata/project/config/rbac/cronjob_admin_role.yaml

@@ -0,0 +1,38 @@
+# This rule is not used by the project project itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Provides full permissions (create, update, delete) over all custom resource objects 
+# for the specified API resources across the cluster. In addition to resource management, 
+# it grants users the ability to modify roles and bindings within the cluster, 
+# allowing them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: project
+    app.kubernetes.io/managed-by: kustomize
+
+    # Uncomment the following line if you want to aggregate these permissions to the default admin ClusterRole.
+    # For more information, please see:
+    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+    # rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: cronjob-admin-role
+rules:
+- apiGroups:
+  - batch.tutorial.kubebuilder.io
+  - rbac.authorization.k8s.io
+  resources:
+  - cronjobs
+  - clusterroles
+  - clusterrolebindings
+  - roles
+  - rolebindings
+  verbs:
+  - '*'
+- apiGroups:
+  - batch.tutorial.kubebuilder.io
+  resources:
+  - cronjobs/status
+  verbs:
+  - get

docs/book/src/cronjob-tutorial/testdata/project/config/rbac/cronjob_editor_role.yaml

@@ -1,10 +1,22 @@
-# permissions for end users to edit cronjobs.
+# This rule is not used by the project project itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Allows users to modify all custom resources for project on the cluster.
+# This role enables users to create, update, and delete resources,
+# making it suitable for team members who need to manage resources 
+# but should not control RBAC or manage permissions for others.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/name: project
     app.kubernetes.io/managed-by: kustomize
+
+    # Uncomment the following line if you want to aggregate these permissions to the default edit ClusterRole.
+    # For more information, please see:
+    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+    # rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: cronjob-editor-role
 rules:
 - apiGroups:

docs/book/src/cronjob-tutorial/testdata/project/config/rbac/cronjob_viewer_role.yaml

@@ -1,10 +1,21 @@
-# permissions for end users to view cronjobs.
+# This rule is not used by the project project itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to CronJob resources. 
+# This role is intended for users who need visibility into the resources 
+# without any permissions to modify them. It’s ideal for monitoring purposes and limited-access viewing.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/name: project
     app.kubernetes.io/managed-by: kustomize
+
+    # Uncomment the following line if you want to aggregate these permissions to the default view ClusterRole.
+    # For more information, please see:
+    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+    # rbac.authorization.k8s.io/aggregate-to-view: "true"
   name: cronjob-viewer-role
 rules:
 - apiGroups:

docs/book/src/cronjob-tutorial/testdata/project/config/rbac/kustomization.yaml

@@ -18,10 +18,11 @@ resources:
 - metrics_auth_role.yaml
 - metrics_auth_role_binding.yaml
 - metrics_reader_role.yaml
-# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by
 # default, aiding admins in cluster management. Those roles are
 # not used by the Project itself. You can comment the following lines
 # if you do not want those helpers be installed with your Project.
+- cronjob_admin_role.yaml
 - cronjob_editor_role.yaml
 - cronjob_viewer_role.yaml
 

docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml

@@ -3865,6 +3865,32 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: project
+  name: project-cronjob-admin-role
+rules:
+- apiGroups:
+  - batch.tutorial.kubebuilder.io
+  - rbac.authorization.k8s.io
+  resources:
+  - cronjobs
+  - clusterroles
+  - clusterrolebindings
+  - roles
+  - rolebindings
+  verbs:
+  - '*'
+- apiGroups:
+  - batch.tutorial.kubebuilder.io
+  resources:
+  - cronjobs/status
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/managed-by: kustomize

docs/book/src/getting-started/testdata/project/config/rbac/kustomization.yaml

@@ -18,10 +18,11 @@ resources:
 - metrics_auth_role.yaml
 - metrics_auth_role_binding.yaml
 - metrics_reader_role.yaml
-# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by
 # default, aiding admins in cluster management. Those roles are
 # not used by the Project itself. You can comment the following lines
 # if you do not want those helpers be installed with your Project.
+- memcached_admin_role.yaml
 - memcached_editor_role.yaml
 - memcached_viewer_role.yaml
 

docs/book/src/getting-started/testdata/project/config/rbac/memcached_admin_role.yaml

@@ -0,0 +1,38 @@
+# This rule is not used by the project project itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Provides full permissions (create, update, delete) over all custom resource objects 
+# for the specified API resources across the cluster. In addition to resource management, 
+# it grants users the ability to modify roles and bindings within the cluster, 
+# allowing them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: project
+    app.kubernetes.io/managed-by: kustomize
+
+    # Uncomment the following line if you want to aggregate these permissions to the default admin ClusterRole.
+    # For more information, please see:
+    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+    # rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: memcached-admin-role
+rules:
+- apiGroups:
+  - cache.example.com
+  - rbac.authorization.k8s.io
+  resources:
+  - memcacheds
+  - clusterroles
+  - clusterrolebindings
+  - roles
+  - rolebindings
+  verbs:
+  - '*'
+- apiGroups:
+  - cache.example.com
+  resources:
+  - memcacheds/status
+  verbs:
+  - get

docs/book/src/getting-started/testdata/project/config/rbac/memcached_editor_role.yaml

@@ -1,10 +1,22 @@
-# permissions for end users to edit memcacheds.
+# This rule is not used by the project project itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Allows users to modify all custom resources for project on the cluster.
+# This role enables users to create, update, and delete resources,
+# making it suitable for team members who need to manage resources 
+# but should not control RBAC or manage permissions for others.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/name: project
     app.kubernetes.io/managed-by: kustomize
+
+    # Uncomment the following line if you want to aggregate these permissions to the default edit ClusterRole.
+    # For more information, please see:
+    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+    # rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: memcached-editor-role
 rules:
 - apiGroups:

docs/book/src/getting-started/testdata/project/config/rbac/memcached_viewer_role.yaml

@@ -1,10 +1,21 @@
-# permissions for end users to view memcacheds.
+# This rule is not used by the project project itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to Memcached resources. 
+# This role is intended for users who need visibility into the resources 
+# without any permissions to modify them. It’s ideal for monitoring purposes and limited-access viewing.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/name: project
     app.kubernetes.io/managed-by: kustomize
+
+    # Uncomment the following line if you want to aggregate these permissions to the default view ClusterRole.
+    # For more information, please see:
+    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+    # rbac.authorization.k8s.io/aggregate-to-view: "true"
   name: memcached-viewer-role
 rules:
 - apiGroups:

docs/book/src/getting-started/testdata/project/dist/install.yaml

@@ -234,6 +234,32 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: project
+  name: project-memcached-admin-role
+rules:
+- apiGroups:
+  - cache.example.com
+  - rbac.authorization.k8s.io
+  resources:
+  - memcacheds
+  - clusterroles
+  - clusterrolebindings
+  - roles
+  - rolebindings
+  verbs:
+  - '*'
+- apiGroups:
+  - cache.example.com
+  resources:
+  - memcacheds/status
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/managed-by: kustomize

docs/book/src/multiversion-tutorial/testdata/project/config/rbac/cronjob_admin_role.yaml

@@ -0,0 +1,38 @@
+# This rule is not used by the project project itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Provides full permissions (create, update, delete) over all custom resource objects 
+# for the specified API resources across the cluster. In addition to resource management, 
+# it grants users the ability to modify roles and bindings within the cluster, 
+# allowing them to delegate specific permissions to other users or groups as needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: project
+    app.kubernetes.io/managed-by: kustomize
+
+    # Uncomment the following line if you want to aggregate these permissions to the default admin ClusterRole.
+    # For more information, please see:
+    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+    # rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: cronjob-admin-role
+rules:
+- apiGroups:
+  - batch.tutorial.kubebuilder.io
+  - rbac.authorization.k8s.io
+  resources:
+  - cronjobs
+  - clusterroles
+  - clusterrolebindings
+  - roles
+  - rolebindings
+  verbs:
+  - '*'
+- apiGroups:
+  - batch.tutorial.kubebuilder.io
+  resources:
+  - cronjobs/status
+  verbs:
+  - get

docs/book/src/multiversion-tutorial/testdata/project/config/rbac/cronjob_editor_role.yaml

@@ -1,10 +1,22 @@
-# permissions for end users to edit cronjobs.
+# This rule is not used by the project project itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Allows users to modify all custom resources for project on the cluster.
+# This role enables users to create, update, and delete resources,
+# making it suitable for team members who need to manage resources 
+# but should not control RBAC or manage permissions for others.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/name: project
     app.kubernetes.io/managed-by: kustomize
+
+    # Uncomment the following line if you want to aggregate these permissions to the default edit ClusterRole.
+    # For more information, please see:
+    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+    # rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: cronjob-editor-role
 rules:
 - apiGroups:

docs/book/src/multiversion-tutorial/testdata/project/config/rbac/cronjob_viewer_role.yaml

@@ -1,10 +1,21 @@
-# permissions for end users to view cronjobs.
+# This rule is not used by the project project itself.
+# It is provided to allow the cluster admin to help manage permissions for users.
+#
+# Grants read-only access to CronJob resources. 
+# This role is intended for users who need visibility into the resources 
+# without any permissions to modify them. It’s ideal for monitoring purposes and limited-access viewing.
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/name: project
     app.kubernetes.io/managed-by: kustomize
+
+    # Uncomment the following line if you want to aggregate these permissions to the default view ClusterRole.
+    # For more information, please see:
+    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+    # rbac.authorization.k8s.io/aggregate-to-view: "true"
   name: cronjob-viewer-role
 rules:
 - apiGroups:

docs/book/src/multiversion-tutorial/testdata/project/config/rbac/kustomization.yaml

@@ -18,10 +18,11 @@ resources:
 - metrics_auth_role.yaml
 - metrics_auth_role_binding.yaml
 - metrics_reader_role.yaml
-# For each CRD, "Editor" and "Viewer" roles are scaffolded by
+# For each CRD, "Admin", "Editor" and "Viewer" roles are scaffolded by
 # default, aiding admins in cluster management. Those roles are
 # not used by the Project itself. You can comment the following lines
 # if you do not want those helpers be installed with your Project.
+- cronjob_admin_role.yaml
 - cronjob_editor_role.yaml
 - cronjob_viewer_role.yaml
 

docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml

@@ -7676,6 +7676,32 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/name: project
+  name: project-cronjob-admin-role
+rules:
+- apiGroups:
+  - batch.tutorial.kubebuilder.io
+  - rbac.authorization.k8s.io
+  resources:
+  - cronjobs
+  - clusterroles
+  - clusterrolebindings
+  - roles
+  - rolebindings
+  verbs:
+  - '*'
+- apiGroups:
+  - batch.tutorial.kubebuilder.io
+  resources:
+  - cronjobs/status
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
   labels:
     app.kubernetes.io/managed-by: kustomize