@benjaminapetersen
Forked from aramase/rbac++.yaml
Created October 23, 2024 18:11
Revisions

  1. @aramase created this gist Oct 23, 2024.
    63 changes: 63 additions & 0 deletions rbac++.yaml
    @@ -0,0 +1,63 @@
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
    name: list-secrets
    rules:
    - apiGroups:
    - ""
    resources:
    - secrets
    verbs:
    - get
    - list
    ---
    # A controller can list all secrets of a particular type
    # Commands to run
    # 1. kubectl get secrets --field-selector=type=mytype --as=bob
    apiVersion: rbac.authorization.k8s.io/v1alpha1
    kind: ConditionalClusterRoleBinding
    metadata:
    name: list-secrets-of-type-field-selector
    clusterRoleName: list-secrets
    conditions:
    - expression: request.user == "bob"
    - expression: request.resourceAttributes.fieldSelector.requirements.exists(r, r.key == "type" && r.operator == "=" && sets.equivalent(r.values, ["mytype"]))
    ---
    # A controller can list all secrets with a particular label
    # Commands to run
    # 1. kubectl get secrets --selector=mylabel=myvalue --as=bob
    apiVersion: rbac.authorization.k8s.io/v1alpha1
    kind: ConditionalClusterRoleBinding
    metadata:
    name: list-secrets-of-label-selector
    clusterRoleName: list-secrets
    conditions:
    - expression: request.user == "bob"
    - expression: request.resourceAttributes.labelSelector.requirements.exists(r, r.key == "mylabel" && r.operator == "=" && sets.equivalent(r.values, ["myvalue"]))
    ---
    # Allow access based on namespace or name prefix
    # Commands to run
    # 1. kubectl get pods --namespace=prod-1 --as=bob
    # 2. kubectl get pods --namespace=prod-2 --as=bob
    apiVersion: rbac.authorization.k8s.io/v1alpha1
    kind: ConditionalClusterRoleBinding
    metadata:
    name: list-secrets-in-namespace
    clusterRoleName: list-secrets
    conditions:
    - expression: request.user == "bob"
    - expression: request.resourceAttributes.namespace.startsWith("prod-")
    ---
    # node can only list resources scheduled to it
    apiVersion: rbac.authorization.k8s.io/v1alpha1
    kind: ConditionalClusterRoleBinding
    metadata:
    name: list-resources-matching-node
    clusterRoleName: list-resources
    conditions:
    # determine it's a node by checking the prefix and asserting the name is not just the prefix
    - expression: request.user.startsWith("system:node:") && size(request.user) > size("system:node:")
    # it needs to be in system:nodes group
    - expression: request.groups.exists(g, g == "system:nodes")
    # now match the field selector to restrict to a specific node
    - expression: request.resourceAttributes.fieldSelector.requirements.exists(r, r.key == 'spec.nodeName' && r.operator == '=' && sets.equivalent(r.values, [request.user.substring(size('system:node:'))]))
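Review bot: the fourth binding, `list-resources-matching-node`, references `clusterRoleName: list-resources`, but the only ClusterRole defined in this file is `list-secrets`, so as written the binding grants nothing; either add a `list-resources` ClusterRole (the node case needs get/list on the resources that carry `spec.nodeName`, i.e. pods, not secrets) or point the binding at an existing role. The same mismatch appears in the third binding: it is named `list-secrets-in-namespace` and binds `list-secrets`, yet its sample commands are `kubectl get pods --namespace=prod-1 --as=bob` and `kubectl get pods --namespace=prod-2 --as=bob`, which a secrets-only role would not authorize; change the commands to `kubectl get secrets ...` or bind a pods role. It would also help to document, for the first two bindings, what happens to a request that carries no selector at all (for example a `get` of a single secret by name): the `requirements.exists(...)` condition cannot be satisfied then, so the `get` verb listed in `list-secrets` is not usable through these bindings, which is the fail-closed behaviour one wants here but is not obvious from the role alone.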