---
description: Reference documentation for ACLs.
---

# Access Policies (ACLs)

ACLs control fine-grained access of users to resources. They are validated, stored and evaluated as a single `AccessPolicy` resource in Omni.

At the moment, only Kubernetes cluster access (including Kubernetes group impersonation) is supported.

## Structure

### AccessPolicy

The `AccessPolicy` is a single resource containing a set of user groups, a set of cluster groups, a list of matching rules and a list of tests.

```yaml
metadata:
  namespace: default
  type: AccessPolicies.omni.sidero.dev
  id: access-policy
spec:
  usergroups:
    # match level-1 users by fnmatch expression
    level-1:
      users:
        - match: level-1*
    # match level-2 users by label selectors
    level-2:
      users:
        - labelselectors:
            - level=2
    # match level-3 users by explicit list
    level-3:
      users:
        - name: [email protected]
        - name: [email protected]
  clustergroups:
    dev:
      clusters:
        - match: dev-*
    staging:
      clusters:
        - match: staging-*
        - match: preprod-*
    production:
      clusters:
        - match: prod-*
  rules:
    - users:
        - group/level-1
      clusters:
        - group/dev
      role: Operator
    - users:
        - group/level-1
      clusters:
        - group/staging
      role: Reader
      kubernetes:
        impersonate:
          groups:
            - read-only
    - users:
        - group/level-2
      clusters:
        - group/dev
        - group/staging
      role: Operator
    - users:
        - group/level-2
      clusters:
        - group/production
      role: Reader
      kubernetes:
        impersonate:
          groups:
            - read-only
    - users:
        - group/level-3
      clusters:
        - group/dev
        - group/staging
        - group/production
      role: Admin
    # simple rule - without links to user or cluster groups
    - users:
        - [email protected]
      clusters:
        - vault
      role: Admin
  tests:
    # level-1 tests
    - name: level-1 engineer has Operator access to dev cluster
      user:
        name: [email protected]
      cluster:
        name: dev-cluster-1
      expected:
        role: Operator
    - name: level-1 engineer has read-only access to staging cluster
      user:
        name: [email protected]
      cluster:
        name: staging-cluster-1
      expected:
        role: Reader
        kubernetes:
          impersonate:
            groups:
              - read-only
    - name: level-1 engineer has no access to production cluster
      user:
        name: [email protected]
      cluster:
        # use a name that the production group's prod-* pattern actually matches,
        # so the test exercises the absence of a level-1 production rule
        name: prod-cluster-1
      expected:
        role: None
        kubernetes:
          impersonate:
            groups: []
    # level-2 tests
    - name: level-2 engineer has Operator access to staging cluster
      user:
        name: [email protected]
        labels:
          level: "2"
      cluster:
        name: preprod-cluster-1
      expected:
        role: Operator
    - name: level-2 engineer has read-only access to prod cluster
      user:
        name: [email protected]
        labels:
          level: "2"
      cluster:
        name: prod-cluster-1
      expected:
        role: Reader
        kubernetes:
          impersonate:
            groups:
              - read-only
    # level-3 tests
    - name: level-3 engineer has admin access to prod cluster
      user:
        name: [email protected]
      cluster:
        name: prod-cluster-1
      expected:
        role: Admin
    # vault-admin tests
    - name: vault-admin has admin access to vault
      user:
        name: [email protected]
      cluster:
        name: vault
      expected:
        role: Admin
```
| Field | Type | Description |
|---|---|---|
| `metadata.namespace` | string | Always set to `default`. |
| `metadata.type` | string | `AccessPolicies.omni.sidero.dev`. |
| `metadata.id` | string | Always set to `access-policy`. |
| `spec.usergroups` | map[string]UserGroup | Map of user group names to user group definitions. |
| `spec.clustergroups` | map[string]ClusterGroup | Map of cluster group names to cluster group definitions. |
| `spec.rules` | array | List of rules to match. |
| `spec.tests` | array | List of tests to run when the resource is created or updated. |

### UserGroup

A `UserGroup` is a group of users.

```yaml
users:
  - name: [email protected]
  - name: [email protected]
```

| Field | Type | Description |
|---|---|---|
| `users` | array | List of Users. |

### User

A `User` is a single user.

```yaml
name: [email protected]
match: user1*
labelselectors:
  - level=1
```

| Field | Type | Description |
|---|---|---|
| `name` | string | User identity used to authenticate to Omni. |
| `match` | string | fnmatch expression to match user identities. |
| `labelselectors` | array | List of label selector strings. |

Note: `name`, `match` and `labelselectors` are mutually exclusive. Only one of them can be set to a non-zero value.

### ClusterGroup

A `ClusterGroup` is a group of clusters.

```yaml
clusters:
  - name: cluster-1
  - name: cluster-2
```

| Field | Type | Description |
|---|---|---|
| `clusters` | array | List of Clusters. |

### Cluster

A `Cluster` is a single cluster.

```yaml
name: cluster-1
match: cluster-1*
```

| Field | Type | Description |
|---|---|---|
| `name` | string | Cluster name (ID). |
| `match` | string | fnmatch expression to match cluster names (IDs). |

Note: `name` and `match` are mutually exclusive. Only one of them can be set to a non-zero value.

### Rule

A `Rule` binds a set of users to a set of clusters, granting them a role and, optionally, a list of Kubernetes impersonation groups.

The reserved prefix `group/` is used to reference a user group in `users` or a cluster group in `clusters`; entries without the prefix are matched as literal user identities or cluster names.

```yaml
users:
  - [email protected]
  - group/user-group-1
clusters:
  - cluster1
  - group/cluster-group-1
role: Operator
kubernetes:
  impersonate:
    groups:
      - system:masters
      - another-impersonation-group
```

| Field | Type | Description |
|---|---|---|
| `users` | array | List of Users or UserGroups. |
| `clusters` | array | List of Clusters or ClusterGroups. |
| `role` | enum | Role to grant to the user. |
| `kubernetes.impersonate.groups` | array | List of strings representing Kubernetes impersonation groups. |

Impersonation groups are handed to the Kubernetes API server as-is. `system:masters` is the Kubernetes superuser group and bypasses RBAC entirely, so grant it only in rules whose `users` list is explicit and narrow.

### Role

A `Role` is the role to grant to the user.

Possible values: `None`, `Reader`, `Operator`, `Admin`.

### Test

A `Test` is a single test case.

Test cases are run whenever the resource is created or updated. If any of them fails, the write is rejected, so the tests act as a guard against a policy change that accidentally grants or removes access.

```yaml
name: support engineer has full access to staging cluster
user:
  name: [email protected]
cluster:
  name: staging-cluster-1
expected:
  role: Operator
  kubernetes:
    impersonate:
      groups:
        - system:masters
```

| Field | Type | Description |
|---|---|---|
| `name` | string | Human-friendly test case name. |
| `user` | TestUser | User identity to use in the test. |
| `cluster` | TestCluster | Cluster to use in the test. |
| `expected` | Expected | Expected result. |
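The matching and evaluation described in the User, Cluster, Rule, Role and Test sections above, as an added example that is not Omni's own code: a stand-alone Python evaluator that resolves `group/` references, matches users by `name`, `match` (fnmatch) or `labelselectors`, matches clusters by `name` or `match`, and runs the embedded `tests` the way the create/update-time check is described. The policy, the `@example.com` identities and the test case are constructed to mirror the example at the top of this page. Two points the page leaves open are assumptions here and marked as such in the code: label selectors are taken as `key=value` or a bare `key`, all of which must hold; and when several rules match, the highest role wins and impersonation groups are unioned.

```python
"""Stand-alone evaluator for the AccessPolicy structure described on this page.
Added example, not Omni's own code; assumptions are marked in comments where made."""
from fnmatch import fnmatchcase

ROLE_RANK = {"None": 0, "Reader": 1, "Operator": 2, "Admin": 3}  # page's role order
GROUP_PREFIX = "group/"  # reserved prefix for group references inside rules


def exclusive_field(matcher, allowed):
    """Return the single set field among `allowed`, or None if zero or several are set."""
    present = [k for k in allowed if matcher.get(k)]
    return present[0] if len(present) == 1 else None


def label_selector_matches(selector, labels):
    # Assumption: a selector is "key=value" (exact) or a bare "key" (label present).
    if "=" in selector:
        key, value = selector.split("=", 1)
        return labels.get(key) == value
    return selector in labels


def user_matches(matcher, user):
    field = exclusive_field(matcher, ("name", "match", "labelselectors"))
    if field is None:
        raise ValueError(f"set exactly one of name/match/labelselectors: {matcher}")
    if field == "name":
        return matcher["name"] == user["name"]
    if field == "match":
        return fnmatchcase(user["name"], matcher["match"])
    # Assumption: every selector in the list must hold (logical AND).
    return all(label_selector_matches(s, user.get("labels", {})) for s in matcher["labelselectors"])


def cluster_matches(matcher, cluster):
    field = exclusive_field(matcher, ("name", "match"))
    if field is None:
        raise ValueError(f"set exactly one of name/match: {matcher}")
    return matcher["name"] == cluster if field == "name" else fnmatchcase(cluster, matcher["match"])


def entry_matches(entry, group_map, member_key, matches_fn):
    """A rule entry is a literal name (exact match) or group/<name> (any member matches)."""
    if not entry.startswith(GROUP_PREFIX):
        return matches_fn({"name": entry})
    group = entry[len(GROUP_PREFIX):]
    if group not in group_map:
        raise ValueError(f"rule references undefined group {entry!r}")
    return any(matches_fn(m) for m in group_map[group][member_key])


def evaluate(policy, user, cluster):
    """Effective role and impersonation groups for `user` on `cluster`. Assumption (not on
    the page): with several matching rules the highest role wins and groups are unioned."""
    role, groups = "None", []
    for rule in policy["rules"]:
        if not any(entry_matches(e, policy["usergroups"], "users",
                                 lambda m: user_matches(m, user)) for e in rule["users"]):
            continue
        if not any(entry_matches(e, policy["clustergroups"], "clusters",
                                 lambda m: cluster_matches(m, cluster)) for e in rule["clusters"]):
            continue
        if ROLE_RANK[rule["role"]] > ROLE_RANK[role]:
            role = rule["role"]
        for g in rule.get("kubernetes", {}).get("impersonate", {}).get("groups", []):
            if g not in groups:
                groups.append(g)
    return {"role": role, "kubernetes": {"impersonate": {"groups": groups}}}


def run_tests(policy):
    """Mimic the create/update-time check: return names of failing tests ([] means accept)."""
    failures = []
    for t in policy.get("tests", []):
        got = evaluate(policy, t["user"], t["cluster"]["name"])
        want = t["expected"]
        want_groups = want.get("kubernetes", {}).get("impersonate", {}).get("groups", [])
        if got["role"] != want["role"] or got["kubernetes"]["impersonate"]["groups"] != want_groups:
            failures.append(t["name"])
    return failures


POLICY = {  # constructed policy mirroring the page's example; identities are placeholders
    "usergroups": {
        "level-1": {"users": [{"match": "level-1*"}]},
        "level-2": {"users": [{"labelselectors": ["level=2"]}]},
        "level-3": {"users": [{"name": "alice@example.com"}]},
    },
    "clustergroups": {
        "dev": {"clusters": [{"match": "dev-*"}]},
        "staging": {"clusters": [{"match": "staging-*"}, {"match": "preprod-*"}]},
        "production": {"clusters": [{"match": "prod-*"}]},
    },
    "rules": [
        {"users": ["group/level-1"], "clusters": ["group/dev"], "role": "Operator"},
        {"users": ["group/level-2"], "clusters": ["group/dev", "group/staging"], "role": "Operator"},
        {"users": ["group/level-2"], "clusters": ["group/production"], "role": "Reader",
         "kubernetes": {"impersonate": {"groups": ["read-only"]}}},
        {"users": ["group/level-3"], "clusters": ["group/production"], "role": "Admin"},
        {"users": ["vault-admin@example.com"], "clusters": ["vault"], "role": "Admin"},
    ],
    "tests": [
        {"name": "level-2 engineer has read-only access to prod cluster",
         "user": {"name": "bob@example.com", "labels": {"level": "2"}},
         "cluster": {"name": "prod-cluster-1"},
         "expected": {"role": "Reader", "kubernetes": {"impersonate": {"groups": ["read-only"]}}}},
    ],
}

if __name__ == "__main__":
    print("failing tests:", run_tests(POLICY))
```

Two behaviours worth noticing when running it: fnmatch patterns are literal apart from the wildcards, so `prod-*` matches `prod-cluster-1` but not `production-cluster-1`, which therefore falls into no cluster group and yields `None`; and a matcher that sets two of its exclusive fields, or a rule that references an undefined group, raises instead of silently matching nothing, so a typo in a policy fails closed rather than quietly dropping a rule.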

### TestUser

A `TestUser` is the user identity to use in a test case.

```yaml
name: [email protected]
labels:
  level: "1"
```

| Field | Type | Description |
|---|---|---|
| `name` | string | User identity to use in the test. |
| `labels` | map[string]string | Map of label names to label values. |

### TestCluster

A `TestCluster` is the cluster to use in a test case.

```yaml
name: cluster-1
```

| Field | Type | Description |
|---|---|---|
| `name` | string | Cluster name (ID). |

### Expected

`Expected` describes the expected result of a test case.

```yaml
role: Operator
kubernetes:
  impersonate:
    groups:
      - system:masters
      - another-impersonation-group
```

| Field | Type | Description |
|---|---|---|
| `role` | enum | Role expected to be granted to the user. |
| `kubernetes.impersonate.groups` | array | List of strings representing the expected Kubernetes impersonation groups. |