d8df9d0c36
With the new config option `keystone_auth_default_policy`, a cloud admin can set a default keystone auth policy for a k8s cluster when keystone auth is enabled. As a result, users can use their existing keystone user to access the k8s cluster as long as they are assigned the correct roles, and they will get the pre-defined permissions set by the cloud provider. The default policy is now based on the v2 format recently introduced in k8s-keystone-auth, which is becoming more useful. For example, v1 does not support a policy that lets a user access resources in all namespaces except kube-system, but v2 does. NOTE: We are now using the openstackmagnum dockerhub repo until the CPO team fixes their image release issue. Task: 30069 Story: 1755770 Change-Id: I2425e957bd99edc92482b6f11ca0b1f91fe59ff6
[
{
"users":{
"roles":[
"k8s_admin"
],
"projects":[
"$PROJECT_ID"
]
},
"resource_permissions":{
"*/*":[
"*"
]
},
"nonresource_permissions":{
"/healthz":[
"get",
"post"
]
}
},
{
"users":{
"roles":[
"k8s_developer"
],
"projects":[
"$PROJECT_ID"
]
},
"resource_permissions":{
"!kube-system/['apiServices', 'bindings', 'componentstatuses', 'configmaps', 'cronjobs', 'customResourceDefinitions', 'deployments', 'endpoints', 'events', 'horizontalPodAutoscalers', 'ingresses', 'initializerConfigurations', 'jobs', 'limitRanges', 'localSubjectAccessReviews', 'namespaces', 'networkPolicies', 'persistentVolumeClaims', 'persistentVolumes', 'podDisruptionBudgets', 'podPresets', 'podTemplates', 'pods', 'replicaSets', 'replicationControllers', 'resourceQuotas', 'secrets', 'selfSubjectAccessReviews', 'serviceAccounts', 'services', 'statefulSets', 'storageClasses', 'subjectAccessReviews', 'tokenReviews']":[
"*"
],
"*/['clusterrolebindings', 'clusterroles', 'rolebindings', 'roles', 'controllerrevisions', 'nodes', 'podSecurityPolicies']":[
"get",
"list",
"watch"
],
"*/['certificateSigningRequests']":[
"create",
"delete",
"get",
"list",
"watch",
"update"
]
}
},
{
"users":{
"roles":[
"k8s_viewer"
],
"projects":[
"$PROJECT_ID"
]
},
"resource_permissions":{
"!kube-system/['tokenReviews']":[
"*"
],
"!kube-system/['apiServices', 'bindings', 'componentstatuses', 'configmaps', 'cronjobs', 'customResourceDefinitions', 'deployments', 'endpoints', 'events', 'horizontalPodAutoscalers', 'ingresses', 'initializerConfigurations', 'jobs', 'limitRanges', 'localSubjectAccessReviews', 'namespaces', 'networkPolicies', 'persistentVolumeClaims', 'persistentVolumes', 'podDisruptionBudgets', 'podPresets', 'podTemplates', 'pods', 'replicaSets', 'replicationControllers', 'resourceQuotas', 'secrets', 'selfSubjectAccessReviews', 'serviceAccounts', 'services', 'statefulSets', 'storageClasses', 'subjectAccessReviews']":[
"get",
"list",
"watch"
],
"*/['clusterrolebindings', 'clusterroles', 'rolebindings', 'roles', 'controllerrevisions', 'nodes', 'podSecurityPolicies']":[
"get",
"list",
"watch"
]
}
}
] |
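Review bot: The `k8s_developer` entry grants every verb (`"*"`) on `secrets` and `serviceAccounts` in all namespaces other than kube-system (the first `!kube-system/[...]` key of that entry), and `create`/`update` on `certificateSigningRequests` cluster-wide, and because this file ships as the cloud-wide default it is the scope an operator inherits without opting in. Nothing in the policy explains this, so the `keystone_auth_default_policy` option help text and the release note should state that the default developer role can read and write all non-kube-system secrets and service accounts, and that operators who want a tighter baseline must supply their own policy file. The `$PROJECT_ID` placeholder appears in all three rules; since the file itself does not show where or how it is substituted, the documentation should also say that roles are honoured only for the cluster's own project, so that a misconfigured substitution is recognisable as a defect. JSON has no comment syntax, so these notes belong in the option documentation rather than in this file.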