Add Users to Admins and Readers (#1197)

* Add Users to Admins and Readers

* Fix tests

* fix generated files

* revert RequireAdGroups validation test

* Bump version

* Revert validation of AdGroups test

* Revert validation of AdGroups test

charts/radix-operator/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: radix-operator
-version: 1.39.2
-appVersion: 1.59.3
+version: 1.40.0
+appVersion: 1.60.0
 kubeVersion: ">=1.24.0"
 description: Radix Operator
 keywords:

pkg/apis/alert/alert_test.go

@@ -248,14 +248,15 @@ func (s *alertTestSuite) Test_OnSync_Rbac_UpdateWithOwnerReference() {
 
 func (s *alertTestSuite) Test_OnSync_Rbac_ConfiguredCorrectly() {
 	namespace, appName := "any-ns", "any-app"
-	adminGroups, readerGroups := []string{"admin1", "admin2"}, []string{"reader1", "reader2"}
+	adminGroups, adminUsers := []string{"admin1", "admin2"}, []string{"adminUser1", "adminUser2"}
+	readerGroups, readerUsers := []string{"reader1", "reader2"}, []string{"readerUser1", "readerUser2"}
 	alertName, alertUID := "alert", types.UID("alertuid")
 	radixalert := &radixv1.RadixAlert{
 		ObjectMeta: metav1.ObjectMeta{Name: alertName, UID: alertUID, Labels: map[string]string{kube.RadixAppLabel: appName}},
 		Spec:       radixv1.RadixAlertSpec{},
 	}
 	radixalert, _ = s.radixClient.RadixV1().RadixAlerts(namespace).Create(context.Background(), radixalert, metav1.CreateOptions{})
-	rr := &radixv1.RadixRegistration{ObjectMeta: metav1.ObjectMeta{Name: appName}, Spec: radixv1.RadixRegistrationSpec{AdGroups: adminGroups, ReaderAdGroups: readerGroups}}
+	rr := &radixv1.RadixRegistration{ObjectMeta: metav1.ObjectMeta{Name: appName}, Spec: radixv1.RadixRegistrationSpec{AdGroups: adminGroups, AdUsers: adminUsers, ReaderAdGroups: readerGroups, ReaderAdUsers: readerUsers}}
 	_, err := s.radixClient.RadixV1().RadixRegistrations().Create(context.Background(), rr, metav1.CreateOptions{})
 	s.Require().NoError(err)
 
@@ -272,7 +273,14 @@ func (s *alertTestSuite) Test_OnSync_Rbac_ConfiguredCorrectly() {
 	actualAdminRoleBinding, _ := s.kubeClient.RbacV1().RoleBindings(namespace).Get(context.Background(), getAlertConfigSecretAdminRoleName(alertName), metav1.GetOptions{})
 	s.Equal(actualAdminRole.Name, actualAdminRoleBinding.RoleRef.Name, "rolebinding role reference not as expected")
 	s.Equal("Role", actualAdminRoleBinding.RoleRef.Kind, "rolebinding role kind not as expected")
-	s.ElementsMatch([]rbacv1.Subject{{APIGroup: "rbac.authorization.k8s.io", Kind: rbacv1.GroupKind, Name: "admin1"}, {APIGroup: "rbac.authorization.k8s.io", Kind: rbacv1.GroupKind, Name: "admin2"}}, actualAdminRoleBinding.Subjects)
+	s.ElementsMatch(
+		[]rbacv1.Subject{
+			{APIGroup: "rbac.authorization.k8s.io", Kind: rbacv1.GroupKind, Name: "admin1"},
+			{APIGroup: "rbac.authorization.k8s.io", Kind: rbacv1.GroupKind, Name: "admin2"},
+			{APIGroup: "rbac.authorization.k8s.io", Kind: rbacv1.UserKind, Name: "adminUser1"},
+			{APIGroup: "rbac.authorization.k8s.io", Kind: rbacv1.UserKind, Name: "adminUser2"},
+		},
+		actualAdminRoleBinding.Subjects)
 
 	actualReaderRole, _ := s.kubeClient.RbacV1().Roles(namespace).Get(context.Background(), getAlertConfigSecretReaderRoleName(alertName), metav1.GetOptions{})
 	s.Len(actualReaderRole.Rules, 1, "role rules not as expected")
@@ -283,7 +291,14 @@ func (s *alertTestSuite) Test_OnSync_Rbac_ConfiguredCorrectly() {
 	actualReaderRoleBinding, _ := s.kubeClient.RbacV1().RoleBindings(namespace).Get(context.Background(), getAlertConfigSecretReaderRoleName(alertName), metav1.GetOptions{})
 	s.Equal(actualReaderRole.Name, actualReaderRoleBinding.RoleRef.Name, "rolebinding role reference not as expected")
 	s.Equal("Role", actualReaderRoleBinding.RoleRef.Kind, "rolebinding role kind not as expected")
-	s.ElementsMatch([]rbacv1.Subject{{APIGroup: "rbac.authorization.k8s.io", Kind: rbacv1.GroupKind, Name: "reader1"}, {APIGroup: "rbac.authorization.k8s.io", Kind: rbacv1.GroupKind, Name: "reader2"}}, actualReaderRoleBinding.Subjects)
+	s.ElementsMatch(
+		[]rbacv1.Subject{
+			{APIGroup: "rbac.authorization.k8s.io", Kind: rbacv1.GroupKind, Name: "reader1"},
+			{APIGroup: "rbac.authorization.k8s.io", Kind: rbacv1.GroupKind, Name: "reader2"},
+			{APIGroup: "rbac.authorization.k8s.io", Kind: rbacv1.UserKind, Name: "readerUser1"},
+			{APIGroup: "rbac.authorization.k8s.io", Kind: rbacv1.UserKind, Name: "readerUser2"},
+		},
+		actualReaderRoleBinding.Subjects)
 }
 
 func (s *alertTestSuite) Test_OnSync_Secret_RemoveOrphanedKeys() {

pkg/apis/alert/rbac.go

@@ -81,12 +81,10 @@ func (syncer *alertSyncer) grantAdminAccessToAlertConfigSecret(ctx context.Conte
 	}
 
 	// create rolebinding
-	adGroups, err := utils.GetAdGroups(rr)
+	subjects, err := utils.GetAppAdminRbacSubjects(rr)
 	if err != nil {
 		return err
 	}
-
-	subjects := kube.GetRoleBindingGroups(adGroups)
 	rolebinding := kube.GetRolebindingToRoleWithLabelsForSubjects(roleName, subjects, role.Labels)
 	rolebinding.OwnerReferences = syncer.getOwnerReference()
 	return syncer.kubeUtil.ApplyRoleBinding(ctx, namespace, rolebinding)
@@ -105,7 +103,7 @@ func (syncer *alertSyncer) grantReaderAccessToAlertConfigSecret(ctx context.Cont
 		return err
 	}
 
-	subjects := kube.GetRoleBindingGroups(rr.Spec.ReaderAdGroups)
+	subjects := utils.GetAppReaderRbacSubjects(rr)
 	rolebinding := kube.GetRolebindingToRoleWithLabelsForSubjects(roleName, subjects, role.Labels)
 	rolebinding.OwnerReferences = syncer.getOwnerReference()
 	return syncer.kubeUtil.ApplyRoleBinding(ctx, namespace, rolebinding)

pkg/apis/application/application_test.go

@@ -78,17 +78,17 @@ func TestOnSync_CorrectRoleBindings_AppNamespace(t *testing.T) {
 	appName := "any-app"
 	rr, err := applyRegistrationWithSync(tu, client, kubeUtil, radixClient, utils.ARadixRegistration().
 		WithName(appName))
-	assert.NoError(t, err)
+	require.NoError(t, err)
 
 	roleBindings, _ := client.RbacV1().RoleBindings(utils.GetAppNamespace(appName)).List(context.Background(), metav1.ListOptions{})
 	assert.ElementsMatch(t,
 		[]string{defaults.RadixTektonAppRoleName, defaults.PipelineAppRoleName, defaults.AppAdminRoleName, defaults.AppReaderRoleName, "git-ssh-keys"},
 		getRoleBindingNames(roleBindings),
 	)
 
+	require.Len(t, getRoleBindingByName(defaults.AppAdminRoleName, roleBindings).Subjects, 1)
 	assert.Equal(t, getRoleBindingByName(defaults.PipelineAppRoleName, roleBindings).Subjects[0].Name, defaults.PipelineServiceAccountName)
 	assert.Equal(t, getRoleBindingByName(defaults.AppAdminRoleName, roleBindings).Subjects[0].Name, rr.Spec.AdGroups[0])
-	assert.Len(t, getRoleBindingByName(defaults.AppAdminRoleName, roleBindings).Subjects, 1)
 	assert.Equal(t, getRoleBindingByName(defaults.RadixTektonAppRoleName, roleBindings).Subjects[0].Name, defaults.RadixTektonServiceAccountName)
 	assert.Equal(t, getRoleBindingByName(defaults.AppReaderRoleName, roleBindings).Subjects[0].Name, rr.Spec.ReaderAdGroups[0])
 	assert.Equal(t, getRoleBindingByName("git-ssh-keys", roleBindings).Subjects[0].Name, rr.Spec.AdGroups[0])
@@ -205,10 +205,7 @@ func TestOnSync_NoUserGroupDefined_DefaultUserGroupSet(t *testing.T) {
 	os.Setenv(defaults.OperatorDefaultUserGroupEnvironmentVariable, defaultRole)
 
 	// Test
-	_, err := applyRegistrationWithSync(tu, client, kubeUtil, radixClient, utils.ARadixRegistration().
-		WithName("any-app").
-		WithAdGroups([]string{}).
-		WithReaderAdGroups([]string{}))
+	_, err := applyRegistrationWithSync(tu, client, kubeUtil, radixClient, utils.ARadixRegistration().WithName("any-app").WithAdGroups([]string{}).WithReaderAdGroups([]string{}))
 	require.NoError(t, err)
 
 	rolebindings, _ := client.RbacV1().RoleBindings("any-app-app").List(context.Background(), metav1.ListOptions{})

pkg/apis/application/rolebinding.go

@@ -19,15 +19,13 @@ func (app *Application) applyRbacAppNamespace(ctx context.Context) error {
 	registration := app.registration
 
 	appNamespace := utils.GetAppNamespace(registration.Name)
-	adGroups, err := utils.GetAdGroups(registration)
+	subjects, err := utils.GetAppAdminRbacSubjects(registration)
 	if err != nil {
 		return err
 	}
-	subjects := kube.GetRoleBindingGroups(adGroups)
 	adminRoleBinding := kube.GetRolebindingToClusterRoleForSubjects(registration.Name, defaults.AppAdminRoleName, subjects)
 
-	readerAdGroups := registration.Spec.ReaderAdGroups
-	readerSubjects := kube.GetRoleBindingGroups(readerAdGroups)
+	readerSubjects := utils.GetAppReaderRbacSubjects(registration)
 	readerRoleBinding := kube.GetRolebindingToClusterRoleForSubjects(registration.Name, defaults.AppReaderRoleName, readerSubjects)
 
 	for _, roleBinding := range []*rbacv1.RoleBinding{adminRoleBinding, readerRoleBinding} {
@@ -56,7 +54,7 @@ func (app *Application) applyRbacRadixRegistration(ctx context.Context) error {
 	// Reader RBAC
 	clusterRoleReaderName := fmt.Sprintf("radix-platform-user-rr-reader-%s", appName)
 	readerClusterRole := app.buildRRClusterRole(ctx, clusterRoleReaderName, []string{"get", "list", "watch"})
-	appReaderSubjects := kube.GetRoleBindingGroups(rr.Spec.ReaderAdGroups)
+	appReaderSubjects := utils.GetAppReaderRbacSubjects(rr)
 	readerClusterRoleBinding := app.rrClusterRoleBinding(ctx, readerClusterRole, appReaderSubjects)
 
 	// Apply roles and bindings

pkg/apis/applicationconfig/applicationconfig_test.go

@@ -3,6 +3,7 @@ package applicationconfig_test
 import (
 	"context"
 	"fmt"
+	"slices"
 	"testing"
 
 	"github.com/equinor/radix-common/utils/pointers"
@@ -409,10 +410,16 @@ func Test_AppReaderBuildSecretsRoleAndRoleBindingExists(t *testing.T) {
 func Test_AppReaderPrivateImageHubRoleAndRoleBindingExists(t *testing.T) {
 	tu, client, kubeUtil, radixClient := setupTest(t)
 
-	adminGroups, readerGroups := []string{"admin1", "admin2"}, []string{"reader1", "reader2"}
+	adminGroups, adminUsers := []string{"admin1", "admin2"}, []string{"adminUser1", "adminUser2"}
+	readerGroups, readerUsers := []string{"reader1", "reader2"}, []string{"readerUser1", "readerUser2"}
 	err := applyApplicationWithSync(tu, client, kubeUtil, radixClient,
 		utils.ARadixApplication().
-			WithRadixRegistration(utils.ARadixRegistration().WithAdGroups(adminGroups).WithReaderAdGroups(readerGroups)).
+			WithRadixRegistration(
+				utils.ARadixRegistration().
+					WithAdGroups(adminGroups).
+					WithAdUsers(adminUsers).
+					WithReaderAdGroups(readerGroups).
+					WithReaderAdUsers(readerUsers)).
 			WithAppName("any-app").
 			WithEnvironment("dev", "master"))
 	require.NoError(t, err)
@@ -423,8 +430,8 @@ func Test_AppReaderPrivateImageHubRoleAndRoleBindingExists(t *testing.T) {
 		expectedSubjects []string
 	}
 	tests := []testSpec{
-		{roleName: "radix-private-image-hubs-reader", expectedVerbs: []string{"get", "list", "watch"}, expectedSubjects: readerGroups},
-		{roleName: "radix-private-image-hubs", expectedVerbs: []string{"get", "list", "watch", "update", "patch", "delete"}, expectedSubjects: adminGroups},
+		{roleName: "radix-private-image-hubs-reader", expectedVerbs: []string{"get", "list", "watch"}, expectedSubjects: slices.Concat(readerGroups, readerUsers)},
+		{roleName: "radix-private-image-hubs", expectedVerbs: []string{"get", "list", "watch", "update", "patch", "delete"}, expectedSubjects: slices.Concat(adminGroups, adminUsers)},
 	}
 
 	roles, _ := client.RbacV1().Roles("any-app-app").List(context.Background(), metav1.ListOptions{})

pkg/apis/applicationconfig/rolebinding.go

@@ -9,14 +9,12 @@ import (
 )
 
 func rolebindingAppReaderToBuildSecrets(registration *radixv1.RadixRegistration, role *auth.Role) *auth.RoleBinding {
-	readerAdGroups := registration.Spec.ReaderAdGroups
-	subjects := kube.GetRoleBindingGroups(readerAdGroups)
+	subjects := utils.GetAppReaderRbacSubjects(registration)
 	roleName := role.ObjectMeta.Name
 	return kube.GetRolebindingToRoleWithLabelsForSubjects(roleName, subjects, role.Labels)
 }
 func rolebindingAppAdminToBuildSecrets(registration *radixv1.RadixRegistration, role *auth.Role) *auth.RoleBinding {
-	adGroups, _ := utils.GetAdGroups(registration)
-	subjects := kube.GetRoleBindingGroups(adGroups)
+	subjects, _ := utils.GetAppAdminRbacSubjects(registration)
 	roleName := role.ObjectMeta.Name
 	return kube.GetRolebindingToRoleWithLabelsForSubjects(roleName, subjects, role.Labels)
 }

pkg/apis/deployment/deployment_test.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"slices"
 	"strings"
 	"testing"
 	"time"
@@ -111,6 +112,7 @@ func TestObjectSynced_MultiComponent_ContainsAllElements(t *testing.T) {
 	commitId := string(uuid.NewUUID())
 	const componentNameApp = "app"
 	adminGroups, readerGroups := []string{"adm1", "adm2"}, []string{"rdr1", "rdr2"}
+	adminUsers, readerUsers := []string{"admUsr1", "admUsr2"}, []string{"rdrUsr1", "rdrUsr2"}
 
 	for _, componentsExist := range []bool{true, false} {
 		testScenario := utils.TernaryString(componentsExist, "Updating deployment", "Creating deployment")
@@ -120,7 +122,7 @@ func TestObjectSynced_MultiComponent_ContainsAllElements(t *testing.T) {
 		_ = os.Setenv(defaults.ActiveClusternameEnvironmentVariable, "AnotherClusterName")
 
 		t.Run("Test Suite", func(t *testing.T) {
-			aRadixRegistrationBuilder := utils.ARadixRegistration().WithAdGroups(adminGroups).WithReaderAdGroups(readerGroups)
+			aRadixRegistrationBuilder := utils.ARadixRegistration().WithAdGroups(adminGroups).WithAdUsers(adminUsers).WithReaderAdGroups(readerGroups).WithReaderAdUsers(readerUsers)
 			aRadixApplicationBuilder := utils.ARadixApplication().
 				WithRadixRegistration(aRadixRegistrationBuilder)
 			environment := "test"
@@ -428,8 +430,8 @@ func TestObjectSynced_MultiComponent_ContainsAllElements(t *testing.T) {
 				rolebindings, _ := kubeclient.RbacV1().RoleBindings(envNamespace).List(context.Background(), metav1.ListOptions{})
 
 				require.Subset(t, getRoleBindingNames(rolebindings), []string{"radix-app-adm-radixquote", "radix-app-reader-radixquote"})
-				assert.ElementsMatch(t, adminGroups, slice.Map(getRoleBindingByName("radix-app-adm-radixquote", rolebindings).Subjects, func(s rbacv1.Subject) string { return s.Name }))
-				assert.ElementsMatch(t, readerGroups, slice.Map(getRoleBindingByName("radix-app-reader-radixquote", rolebindings).Subjects, func(s rbacv1.Subject) string { return s.Name }))
+				assert.ElementsMatch(t, slices.Concat(adminGroups, adminUsers), slice.Map(getRoleBindingByName("radix-app-adm-radixquote", rolebindings).Subjects, func(s rbacv1.Subject) string { return s.Name }))
+				assert.ElementsMatch(t, slices.Concat(readerGroups, readerUsers), slice.Map(getRoleBindingByName("radix-app-reader-radixquote", rolebindings).Subjects, func(s rbacv1.Subject) string { return s.Name }))
 			})
 
 			t.Run(fmt.Sprintf("%s: validate networkpolicy", testScenario), func(t *testing.T) {
@@ -507,6 +509,7 @@ func TestObjectSynced_MultiJob_ContainsAllElements(t *testing.T) {
 	defer TeardownTest()
 	commitId := string(uuid.NewUUID())
 	adminGroups, readerGroups := []string{"adm1", "adm2"}, []string{"rdr1", "rdr2"}
+	adminUsers, readerUsers := []string{"admUsr1", "admUsr2"}, []string{"rdrUsr1", "rdrUsr2"}
 
 	for _, jobsExist := range []bool{false, true} {
 		testScenario := utils.TernaryString(jobsExist, "Updating deployment", "Creating deployment")
@@ -516,7 +519,7 @@ func TestObjectSynced_MultiJob_ContainsAllElements(t *testing.T) {
 		os.Setenv(defaults.OperatorRadixJobSchedulerEnvironmentVariable, jobSchedulerImage)
 
 		t.Run("Test Suite", func(t *testing.T) {
-			aRadixRegistrationBuilder := utils.ARadixRegistration().WithAdGroups(adminGroups).WithReaderAdGroups(readerGroups)
+			aRadixRegistrationBuilder := utils.ARadixRegistration().WithAdGroups(adminGroups).WithAdUsers(adminUsers).WithReaderAdGroups(readerGroups).WithReaderAdUsers(readerUsers)
 			aRadixApplicationBuilder := utils.ARadixApplication().
 				WithRadixRegistration(aRadixRegistrationBuilder)
 			environment := "test"
@@ -755,8 +758,8 @@ func TestObjectSynced_MultiJob_ContainsAllElements(t *testing.T) {
 			t.Run(fmt.Sprintf("%s validate rolebindings", testScenario), func(t *testing.T) {
 				rolebindings, _ := kubeclient.RbacV1().RoleBindings(envNamespace).List(context.Background(), metav1.ListOptions{})
 				assert.Subset(t, getRoleBindingNames(rolebindings), []string{"radix-app-adm-job", "radix-app-reader-job", defaults.RadixJobSchedulerRoleName})
-				assert.ElementsMatch(t, adminGroups, slice.Map(getRoleBindingByName("radix-app-adm-job", rolebindings).Subjects, func(s rbacv1.Subject) string { return s.Name }))
-				assert.ElementsMatch(t, readerGroups, slice.Map(getRoleBindingByName("radix-app-reader-job", rolebindings).Subjects, func(s rbacv1.Subject) string { return s.Name }))
+				assert.ElementsMatch(t, slices.Concat(adminGroups, adminUsers), slice.Map(getRoleBindingByName("radix-app-adm-job", rolebindings).Subjects, func(s rbacv1.Subject) string { return s.Name }))
+				assert.ElementsMatch(t, slices.Concat(readerGroups, readerUsers), slice.Map(getRoleBindingByName("radix-app-reader-job", rolebindings).Subjects, func(s rbacv1.Subject) string { return s.Name }))
 			})
 
 			t.Run(fmt.Sprintf("%s: validate networkpolicy", testScenario), func(t *testing.T) {
@@ -4178,13 +4181,14 @@ func Test_ExternalDNS_ContainsAllResources(t *testing.T) {
 	appName, envName := "anyapp", "anyenv"
 	fqdnManual1, fqdnManual2 := "foo1.example.com", "foo2.example.com"
 	fqdnAutomation1, fqdnAutomation2 := "bar1.example.com", "bar2.example.com"
-	adminGroups, readerGroups := []string{"adm1", "adm2"}, []string{"rdr1", "rdr2"}
+	adminGroups, adminUsers := []string{"adm1", "adm2"}, []string{"admUsr1", "admUsr2"}
+	readerGroups, readerUsers := []string{"rdr1", "rdr2"}, []string{"rdrUsr1", "rdrUsr2"}
 	ns := utils.GetEnvironmentNamespace(appName, envName)
 
 	tu, kubeclient, kubeUtil, radixclient, kedaClient, prometheusclient, _, certClient := SetupTest(t)
 	defer TeardownTest()
 
-	rrBuilder := utils.NewRegistrationBuilder().WithName(appName).WithAdGroups(adminGroups).WithReaderAdGroups(readerGroups)
+	rrBuilder := utils.NewRegistrationBuilder().WithName(appName).WithAdGroups(adminGroups).WithAdUsers(adminUsers).WithReaderAdGroups(readerGroups).WithReaderAdUsers(readerUsers)
 	raBuilder := utils.NewRadixApplicationBuilder().WithAppName(appName).WithRadixRegistration(rrBuilder)
 	rdBuilder := utils.NewDeploymentBuilder().
 		WithRadixApplication(raBuilder).
@@ -4252,21 +4256,24 @@ func Test_ExternalDNS_ContainsAllResources(t *testing.T) {
 	roleBindings, _ := kubeclient.RbacV1().RoleBindings(ns).List(context.Background(), metav1.ListOptions{})
 	require.Subset(t, getRoleBindingNames(roleBindings), []string{"radix-app-externaldns-adm", "radix-app-externaldns-reader"})
 	assert.Equal(t, rbacv1.RoleRef{APIGroup: rbacv1.GroupName, Name: "radix-app-externaldns-adm", Kind: "Role"}, getRoleBindingByName("radix-app-externaldns-adm", roleBindings).RoleRef)
+
 	assert.ElementsMatch(t,
-		slice.Map(adminGroups, func(group string) rbacv1.Subject {
-			return rbacv1.Subject{
-				Kind: "Group", APIGroup: rbacv1.GroupName, Name: group, Namespace: "",
-			}
-		}),
+		[]rbacv1.Subject{
+			{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "adm1"},
+			{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "adm2"},
+			{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: "admUsr1"},
+			{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: "admUsr2"},
+		},
 		getRoleBindingByName("radix-app-externaldns-adm", roleBindings).Subjects,
 	)
 	assert.Equal(t, rbacv1.RoleRef{APIGroup: rbacv1.GroupName, Name: "radix-app-externaldns-reader", Kind: "Role"}, getRoleBindingByName("radix-app-externaldns-reader", roleBindings).RoleRef)
 	assert.ElementsMatch(t,
-		slice.Map(readerGroups, func(group string) rbacv1.Subject {
-			return rbacv1.Subject{
-				Kind: "Group", APIGroup: rbacv1.GroupName, Name: group, Namespace: "",
-			}
-		}),
+		[]rbacv1.Subject{
+			{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "rdr1"},
+			{Kind: rbacv1.GroupKind, APIGroup: rbacv1.GroupName, Name: "rdr2"},
+			{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: "rdrUsr1"},
+			{Kind: rbacv1.UserKind, APIGroup: rbacv1.GroupName, Name: "rdrUsr2"},
+		},
 		getRoleBindingByName("radix-app-externaldns-reader", roleBindings).Subjects,
 	)
 }