add admin,edit,view roles

2016-10-13 10:17:28 -04:00
parent 928b8cbdb8
commit d56a27f130
3 changed files with 241 additions and 3 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -23,10 +23,22 @@ import (
 )

 var (
-	readWrite = []string{"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"}
-	read      = []string{"get", "list", "watch"}
+	ReadWrite = []string{"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"}
+	Read      = []string{"get", "list", "watch"}
+)

-	legacyGroup = ""
+const (
+	legacyGroup         = ""
+	appsGroup           = "apps"
+	authenticationGroup = "authentication.k8s.io"
+	authorizationGroup  = "authorization.k8s.io"
+	autoscalingGroup    = "autoscaling"
+	batchGroup          = "batch"
+	certificatesGroup   = "certificates.k8s.io"
+	extensionsGroup     = "extensions"
+	policyGroup         = "policy"
+	rbacGroup           = "rbac.authorization.k8s.io"
+	storageGroup        = "storage.k8s.io"
 )

 // ClusterRoles returns the cluster roles to bootstrap an API server with
@@ -47,6 +59,92 @@ func ClusterRoles() []rbac.ClusterRole {
 				rbac.NewRule("get").URLs("/version", "/api", "/api/*", "/apis", "/apis/*").RuleOrDie(),
 			},
 		},
+		{
+			// a role which provides minimal resource access to allow a "normal" user to learn information about themselves
+			ObjectMeta: api.ObjectMeta{Name: "system:basic-user"},
+			Rules: []rbac.PolicyRule{
+				// TODO add future selfsubjectrulesreview, project request APIs, project listing APIs
+				rbac.NewRule("create").Groups(authorizationGroup).Resources("selfsubjectaccessreviews").RuleOrDie(),
+			},
+		},
+
+		{
+			// a role for a namespace level admin.  It is `edit` plus the power to grant permissions to other users.
+			ObjectMeta: api.ObjectMeta{Name: "admin"},
+			Rules: []rbac.PolicyRule{
+				rbac.NewRule(ReadWrite...).Groups(legacyGroup).Resources("pods", "pods/attach", "pods/proxy", "pods/exec", "pods/portforward").RuleOrDie(),
+				rbac.NewRule(ReadWrite...).Groups(legacyGroup).Resources("replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
+					"services", "services/proxy", "endpoints", "persistentvolumeclaims", "configmaps", "secrets").RuleOrDie(),
+				rbac.NewRule(Read...).Groups(legacyGroup).Resources("limitranges", "resourcequotas", "bindings", "events",
+					"pods/status", "resourcequotas/status", "namespaces/status", "replicationcontrollers/status", "pods/log").RuleOrDie(),
+				// read access to namespaces at the namespace scope means you can read *this* namespace.  This can be used as an
+				// indicator of which namespaces you have access to.
+				rbac.NewRule(Read...).Groups(legacyGroup).Resources("namespaces").RuleOrDie(),
+				rbac.NewRule("impersonate").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(),
+
+				rbac.NewRule(ReadWrite...).Groups(appsGroup).Resources("petsets").RuleOrDie(),
+
+				rbac.NewRule(ReadWrite...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
+
+				rbac.NewRule(ReadWrite...).Groups(batchGroup).Resources("jobs", "scheduledjobs").RuleOrDie(),
+
+				rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("jobs", "daemonsets", "horizontalpodautoscalers",
+					"replicationcontrollers/scale", "replicasets", "replicasets/scale", "deployments", "deployments/scale").RuleOrDie(),
+
+				// additional admin powers
+				rbac.NewRule("create").Groups(authorizationGroup).Resources("localsubjectaccessreviews").RuleOrDie(),
+				rbac.NewRule(ReadWrite...).Groups(rbacGroup).Resources("roles", "rolebindings").RuleOrDie(),
+			},
+		},
+		{
+			// a role for a namespace level editor.  It grants access to all user level actions in a namespace.
+			// It does not grant powers for "privileged" resources which are domain of the system: `/status`
+			// subresources or `quota`/`limits` which are used to control namespaces
+			ObjectMeta: api.ObjectMeta{Name: "edit"},
+			Rules: []rbac.PolicyRule{
+				rbac.NewRule(ReadWrite...).Groups(legacyGroup).Resources("pods", "pods/attach", "pods/proxy", "pods/exec", "pods/portforward").RuleOrDie(),
+				rbac.NewRule(ReadWrite...).Groups(legacyGroup).Resources("replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
+					"services", "services/proxy", "endpoints", "persistentvolumeclaims", "configmaps", "secrets").RuleOrDie(),
+				rbac.NewRule(Read...).Groups(legacyGroup).Resources("limitranges", "resourcequotas", "bindings", "events",
+					"pods/status", "resourcequotas/status", "namespaces/status", "replicationcontrollers/status", "pods/log").RuleOrDie(),
+				// read access to namespaces at the namespace scope means you can read *this* namespace.  This can be used as an
+				// indicator of which namespaces you have access to.
+				rbac.NewRule(Read...).Groups(legacyGroup).Resources("namespaces").RuleOrDie(),
+				rbac.NewRule("impersonate").Groups(legacyGroup).Resources("serviceaccounts").RuleOrDie(),
+
+				rbac.NewRule(ReadWrite...).Groups(appsGroup).Resources("petsets").RuleOrDie(),
+
+				rbac.NewRule(ReadWrite...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
+
+				rbac.NewRule(ReadWrite...).Groups(batchGroup).Resources("jobs", "scheduledjobs").RuleOrDie(),
+
+				rbac.NewRule(ReadWrite...).Groups(extensionsGroup).Resources("jobs", "daemonsets", "horizontalpodautoscalers",
+					"replicationcontrollers/scale", "replicasets", "replicasets/scale", "deployments", "deployments/scale").RuleOrDie(),
+			},
+		},
+		{
+			// a role for namespace level viewing.  It grants Read-only access to non-escalating resources in
+			// a namespace.
+			ObjectMeta: api.ObjectMeta{Name: "view"},
+			Rules: []rbac.PolicyRule{
+				rbac.NewRule(Read...).Groups(legacyGroup).Resources("pods", "replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
+					"services", "endpoints", "persistentvolumeclaims", "configmaps").RuleOrDie(),
+				rbac.NewRule(Read...).Groups(legacyGroup).Resources("limitranges", "resourcequotas", "bindings", "events",
+					"pods/status", "resourcequotas/status", "namespaces/status", "replicationcontrollers/status", "pods/log").RuleOrDie(),
+				// read access to namespaces at the namespace scope means you can read *this* namespace.  This can be used as an
+				// indicator of which namespaces you have access to.
+				rbac.NewRule(Read...).Groups(legacyGroup).Resources("namespaces").RuleOrDie(),
+
+				rbac.NewRule(Read...).Groups(appsGroup).Resources("petsets").RuleOrDie(),
+
+				rbac.NewRule(Read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers").RuleOrDie(),
+
+				rbac.NewRule(Read...).Groups(batchGroup).Resources("jobs", "scheduledjobs").RuleOrDie(),
+
+				rbac.NewRule(Read...).Groups(extensionsGroup).Resources("jobs", "daemonsets", "horizontalpodautoscalers",
+					"replicationcontrollers/scale", "replicasets", "replicasets/scale", "deployments", "deployments/scale").RuleOrDie(),
+			},
+		},
 	}
 }

@@ -55,5 +153,6 @@ func ClusterRoleBindings() []rbac.ClusterRoleBinding {
 	return []rbac.ClusterRoleBinding{
 		rbac.NewClusterBinding("cluster-admin").Groups(user.SystemPrivilegedGroup).BindingOrDie(),
 		rbac.NewClusterBinding("system:discovery").Groups(user.AllAuthenticated, user.AllUnauthenticated).BindingOrDie(),
+		rbac.NewClusterBinding("system:basic-user").Groups(user.AllAuthenticated, user.AllUnauthenticated).BindingOrDie(),
 	}
 }