github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

append an abac rule for $KUBE_USER.

Browse Source
This commit is contained in:
CJ Cullen
2016-07-14 11:01:07 -07:00
parent e3fa011d28
commit e559e305dd
5 changed files with 16 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cluster/saltbase/salt/kube-apiserver/abac-authz-policy.jsonl
View File

@@ -1,4 +1,6 @@
{% set kube_user = grains.kube_user -%}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"{{kube_user}}", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kube_proxy", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubecfg", "namespace": "*", "resource": "*", "apiGroup": "*", "nonResourcePath": "*"}}

1
cluster/saltbase/salt/kube-apiserver/init.sls
View File

@@ -19,6 +19,7 @@
/srv/kubernetes/abac-authz-policy.jsonl:
file.managed:
- source: salt://kube-apiserver/abac-authz-policy.jsonl
- template: jinja
- user: root
- group: root
- mode: 600