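# Example: a named user may read pods cluster-wide but is explicitly denied
# reads of nodes. In Cedar a matching forbid always wins over any permit,
# so the node forbid below also overrides permits made by other Policy
# objects in this file.
apiVersion: cedar.k8s.aws/v1alpha1
kind: Policy
metadata:
  name: first-policy
spec:
  content: |
    // test-user can get/list/watch pods at cluster scope.
    // The permit is pinned to the core API group (apiGroup == "") so it
    // matches only core "pods", consistent with the secrets checks in the
    // other policies of this file. Without that term any resource merely
    // *named* "pods" in another API group (pod metrics under
    // metrics.k8s.io, for example) would also have been readable.
    // NOTE(review): `principal` carries no `is k8s::User` constraint, so any
    // principal entity type whose name attribute equals "test-user" would
    // match; the later policies in this file constrain the principal type.
    permit (
      principal,
      action in [k8s::Action::"get", k8s::Action::"list", k8s::Action::"watch"],
      resource is k8s::Resource
    ) when {
      principal.name == "test-user" &&
      resource.apiGroup == "" &&
      resource.resource == "pods"
    };
    // forbid test-user to get/list/watch nodes.
    // Deliberately left unscoped by API group: a forbid that is broader than
    // strictly needed only removes access, it never grants any.
    forbid (
      principal,
      action in [k8s::Action::"get", k8s::Action::"list", k8s::Action::"watch"],
      resource is k8s::Resource
    ) when {
      principal.name == "test-user" &&
      resource.resource == "nodes"
    };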
---
# Example: read-only access for members of the "viewers" group, carved out
# for core-group secrets.
apiVersion: cedar.k8s.aws/v1alpha1
kind: Policy
metadata:
  name: viewer-group
spec:
  content: |
    // viewer group members can get/list/watch any Resource other than secrets.
    // Only k8s::Resource is covered; non-resource URLs are not granted here.
    // The `unless` clause narrows *this* permit only: if another policy
    // permits secrets access to the same principal, that permit still applies.
    // Use a separate `forbid` statement when secrets must be denied regardless
    // of other permits.
    // The exclusion is scoped to apiGroup "" so that it targets core Secrets
    // specifically rather than any resource that happens to be named "secrets".
    permit (
      principal in k8s::Group::"viewers",
      action in [ k8s::Action::"get", k8s::Action::"list", k8s::Action::"watch"],
      resource is k8s::Resource
    ) unless {
      resource.resource == "secrets" &&
      resource.apiGroup == ""
    };
---
# Example: unauthenticated and authenticated callers may GET a fixed set of
# public, non-resource endpoints (health probes and version). The path list
# is compared by exact string match via `contains`, which is why "/version"
# and "/version/" are both listed; anything outside this list is not granted
# by this policy.
apiVersion: cedar.k8s.aws/v1alpha1
kind: Policy
metadata:
  name: system-public-viewer
  annotations:
    cedar.k8s.aws/description: "Grants access to public information, equivalent to RBAC CR/CRB system:public-info-viewer"
spec:
  content: |
    // Authenticated callers: GET on the public endpoints only.
    permit (
      principal in k8s::Group::"system:authenticated",
      action == k8s::Action::"get",
      resource is k8s::NonResourceURL
    ) when {
      [
        "/healthz",
        "/livez",
        "/readyz",
        "/version",
        "/version/"
      ].contains(resource.path)
    };
    // Anonymous callers: the same endpoint list. Kept as a separate statement
    // so that the anonymous grant can be removed independently if the cluster
    // does not expose health/version information to unauthenticated requests.
    permit (
      principal in k8s::Group::"system:unauthenticated",
      action == k8s::Action::"get",
      resource is k8s::NonResourceURL
    ) when {
      [
        "/healthz",
        "/livez",
        "/readyz",
        "/version",
        "/version/"
      ].contains(resource.path)
    };
---
# Sample Secret used by the secrets-label-selector-example policy below.
# The `owner` label is what the policy's label selector check keys on.
# `data` is base64-encoded, not encrypted: "dmFsdWU=" decodes to "value".
apiVersion: v1
kind: Secret
metadata:
  name: example-secret
  labels:
    owner: test-user
data:
  key: dmFsdWU=
---
# Second sample Secret, owned by a different user, so that a label-selected
# list by test-user (see secrets-label-selector-example) excludes it.
# `data` is base64-encoded, not encrypted: "dmFsdWU=" decodes to "value".
apiVersion: v1
kind: Secret
metadata:
  name: other-example-secret
  labels:
    owner: prod-user
data:
  key: dmFsdWU=
---
# Example: a user may list/watch core Secrets only when the request carries a
# label selector that restricts results to secrets labelled owner=<own name>.
# A list or watch without a label selector fails `resource has labelSelector`
# and is therefore not permitted by this policy; single-object `get` is not
# granted at all, since a get carries no selector to constrain it.
apiVersion: cedar.k8s.aws/v1alpha1
kind: Policy
metadata:
  name: secrets-label-selector-example
spec:
  content: |
    // Scoped to core-group "secrets" (apiGroup == "") only.
    // containsAny matches a whole selector requirement record, so the request's
    // selector must name exactly the principal as the value for the "owner"
    // key under one of the three equality-style operators; a requirement with
    // additional values appears not to match (verify against the entity
    // construction in the authorizer).
    permit (
      principal is k8s::User,
      action in [k8s::Action::"list", k8s::Action::"watch"],
      resource is k8s::Resource
    ) when {
      resource.resource == "secrets" &&
      resource.apiGroup == "" &&
      resource has labelSelector &&
      resource.labelSelector.containsAny([
        {"key": "owner","operator": "=", "values": [principal.name]},
        {"key": "owner","operator": "==", "values": [principal.name]},
        {"key": "owner","operator": "in", "values": [principal.name]}])
    };
---
# Sample ConfigMap. Its `owner` label does not match any user referenced by
# the policies in this file; the object is plain example data.
apiVersion: v1
kind: ConfigMap
metadata:
  name: test-config
  labels:
    owner: default
data:
  key: value
---
# ServiceAccount referenced by the service-account-impersonate-example policy
# below, both as the impersonation target and as a principal.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: service-manager
  namespace: default
---
# Example: impersonation of a service account, and the rights that service
# account itself holds.
apiVersion: cedar.k8s.aws/v1alpha1
kind: Policy
metadata:
  name: service-account-impersonate-example
spec:
  content: |
    // test-user can impersonate the service-manager service account in the default namespace.
    // The target is pinned by namespace and name; `resource has namespace` guards
    // the attribute read so that a ServiceAccount entity without a namespace
    // attribute cannot match.
    permit (
      principal is k8s::User,
      action in [k8s::Action::"impersonate"],
      resource is k8s::ServiceAccount
    ) when {
      principal.name == "test-user" &&
      resource has namespace &&
      resource.namespace == "default" &&
      resource.name == "service-manager"
    };
    // SA named 'service-manager' can act on services in its own namespace.
    // `action` is unconstrained here, so this covers every action on services
    // (create/update/delete as well as reads) within that namespace.
    // Because the principal is matched by name only, a ServiceAccount called
    // "service-manager" in *any* namespace receives these rights in its own
    // namespace; add a principal.namespace check to limit it to one namespace.
    // NOTE(review): principal.namespace is read without a `has` guard, on the
    // assumption that every k8s::ServiceAccount principal carries it — confirm
    // against the entity schema.
    permit (
      principal is k8s::ServiceAccount,
      action,
      resource is k8s::Resource
    ) when {
      principal.name == "service-manager" && // no specific principal.namespace restriction
      resource.resource == "services" &&
      resource has namespace &&
      resource.namespace == principal.namespace
    };