diff --git a/kubernetes-keystone-webhook/values.yaml b/kubernetes-keystone-webhook/values.yaml
index 7af8c88f0..493ee036e 100644
--- a/kubernetes-keystone-webhook/values.yaml
+++ b/kubernetes-keystone-webhook/values.yaml
@@ -86,19 +86,52 @@ release_group: null
 conf:
 policy:
+ - resource:
+ verbs:
+ - "*"
+ resources:
+ - "*"
+ namespace: "*"
+ version: "*"
+ match:
+ - type: role
+ values:
+ - admin
+ - resource:
+ verbs:
+ - "*"
+ resources:
+ - "*"
+ namespace: "kube-system"
+ version: "*"
+ match:
+ - type: role
+ values:
+ - kube-system-admin
 - resource:
 verbs:
 - get
 - list
 - watch
 resources:
- - pods
- namespace: openstack
+ - "*"
+ namespace: "kube-system"
 version: "*"
 match:
- - type: user
+ - type: role
 values:
- - admin
+ - kube-system-viewer
+ - resource:
+ verbs:
+ - "*"
+ resources:
+ - "*"
+ namespace: "openstack"
+ version: "*"
+ match:
+ - type: project
+ values:
+ - openstack-system
 secrets:
 identity:
diff --git a/tools/deployment/keystone-auth/check.sh b/tools/deployment/keystone-auth/check.sh
index 1334964a4..ead9da641 100755
--- a/tools/deployment/keystone-auth/check.sh
+++ b/tools/deployment/keystone-auth/check.sh
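Review bot: The first added policy grants `"*"` verbs on `"*"` resources in every namespace to any token carrying a Keystone role named `admin`, with no project condition, whereas the other three entries are bounded by a namespace or a project. If the webhook ANDs the entries of a `match` list, as the per-namespace stanzas appear to assume, adding a project entry to that first policy — `- type: project` / `values:` / `- <admin-project-placeholder>` — would keep users who hold `admin` in some unrelated project from receiving cluster-wide access. Whether `namespace: "*"` also matches cluster-scoped resources depends on the webhook's evaluation and is not visible here, so a comment above the entry stating the intent, e.g. `# Cluster-wide access for the Keystone admin role; keep this entry as narrow as the deployment allows`, would help later reviewers judge it. The `kube-system-viewer` role named in the third policy is referenced nowhere else in this change, which is fine for a values default but worth stating in the same comment block.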
@@ -24,24 +24,51 @@ sudo cp -va $HOME/.kube/config /tmp/kubeconfig.yaml
 sudo kubectl --kubeconfig /tmp/kubeconfig.yaml config unset users.kubernetes-admin
 # Test
-if ! kubectl --kubeconfig /tmp/kubeconfig.yaml --token "$(keystone_token)" get pods ; then
- echo "Denied, as expected by policy"
-else
- exit 1
-fi
-kubectl --kubeconfig /tmp/kubeconfig.yaml --token "$(keystone_token)" get pods -n openstack
+# This issues token with admin role
+TOKEN=$(keystone_token)
+kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get pods
+kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get pods -n openstack
+kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get secrets -n openstack
-# create a demoUser
+# create users
 openstack user create --or-show --password demoPassword demoUser
+openstack user create --or-show --password demoPassword kube-system-admin
+
+# create project
+openstack project create --or-show openstack-system
+openstack project create --or-show demoProject
+
+# create roles
+openstack role create --or-show openstackRole
+openstack role create --or-show kube-system-admin
+
+# assign user role to project
+openstack role add --project openstack-system --user demoUser --project-domain default --user-domain default openstackRole
+openstack role add --project demoProject --user kube-system-admin --project-domain default --user-domain default kube-system-admin
+
 unset OS_CLOUD
 export OS_AUTH_URL="http://keystone.openstack.svc.cluster.local/v3"
 export OS_IDENTITY_API_VERSION="3"
+export OS_PROJECT_NAME="openstack-system"
 export OS_PASSWORD="demoPassword"
 export OS_USERNAME="demoUser"
 # See this does fail as the policy does not allow for a non-admin user
-TOKEN=$(openstack token issue -f value -c id)
-if ! kubectl --kubeconfig /tmp/kubeconfig.yaml --token "$(keystone_token)" get pods -n openstack ; then
+
+# Issue a member user token
+TOKEN=$(keystone_token)
+kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get ingress -n openstack
+if ! kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get pods ; then
+ echo "Denied, as expected by policy"
+else
+ exit 1
+fi
+
+export OS_USERNAME="kube-system-admin"
+export OS_PROJECT_NAME="demoProject"
+TOKEN=$(keystone_token)
+kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get ingress -n kube-system
+if ! kubectl --kubeconfig /tmp/kubeconfig.yaml --token $TOKEN get pods -n openstack ; then
 echo "Denied, as expected by policy"
 else
 exit 1
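Review bot: The two negative checks near the end of the hunk (`if ! kubectl ... get pods`, `if ! kubectl ... get pods -n openstack`) accept any non-zero exit as a policy denial, so an expired token, an unreachable API server or a broken kubeconfig also prints "Denied, as expected by policy" and the script passes. Capturing the output and requiring the server's Forbidden response makes the check prove what it claims: `if out=$(kubectl --kubeconfig /tmp/kubeconfig.yaml --token "$TOKEN" get pods 2>&1); then exit 1; fi` followed by `grep -q 'Forbidden' <<<"$out" || { echo "$out"; exit 1; }` and then the existing echo. The token is now expanded unquoted (`--token $TOKEN`) where the removed lines quoted `"$(keystone_token)"`; an empty value would silently drop the argument and fall through to whatever credentials remain in the kubeconfig, so quote it as `"$TOKEN"` on every call. Whether the positive admin calls abort on failure depends on an errexit setting outside this hunk, and the closing `fi` of the last block also lies outside it.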