Update policy

This patch set updates the k8s-keystone-auth policy. Change-Id: Ia08d393f363ecb49007dc4d4801c61e569b89981 Signed-off-by: Tin Lam <tin@irrational.io>
2018-05-20 13:11:46 -05:00
parent 19f92a9393
commit 91fa516951
2 changed files with 73 additions and 13 deletions
--- a/kubernetes-keystone-webhook/values.yaml
+++ b/kubernetes-keystone-webhook/values.yaml
@@ -86,19 +86,52 @@ release_group: null

 conf:
  policy:
+    - resource:
+        verbs:
+          - "*"
+        resources:
+          - "*"
+        namespace: "*"
+        version: "*"
+      match:
+        - type: role
+          values:
+            - admin
+    - resource:
+        verbs:
+          - "*"
+        resources:
+          - "*"
+        namespace: "kube-system"
+        version: "*"
+      match:
+        - type: role
+          values:
+            - kube-system-admin
    - resource:
        verbs:
          - get
          - list
          - watch
        resources:
-          - pods
-        namespace: openstack
+          - "*"
+        namespace: "kube-system"
        version: "*"
      match:
-        - type: user
+        - type: role
          values:
-            - admin
+            - kube-system-viewer
+    - resource:
+        verbs:
+          - "*"
+        resources:
+          - "*"
+        namespace: "openstack"
+        version: "*"
+      match:
+        - type: project
+          values:
+            - openstack-system

 secrets:
  identity: