rbac-permissions-operator

command module
v0.0.0-...-62570a8 (latest)
Published: Apr 18, 2024 License: Apache-2.0 Imports: 24 Imported by: 0

README

RBAC Permissions Operator


Summary

The RBAC-Permissions-Operator was created for the OpenShift Dedicated platform to manage permissions (via Kubernetes RBAC policies) across all the projects/namespaces within an OpenShift Dedicated cluster. The permissions must allow for both cluster-scoped and namespace-scoped access, and for safelisting (allowing) and/or blocklisting namespaces.

It contains the following components:

  • Namespace controller: watches for new namespaces and guarantees that the proper RoleBindings are assigned to them.
  • SubjectPermission controller: watches for subject permission changes and creates ClusterRoleBindings and RoleBindings as needed.

To avoid granting admin permissions in specific namespaces (e.g. infra or cluster-admin related ones), two regexes are used: NamespacesAllowedRegex and NamespacesDeniedRegex. Together they determine which namespaces receive the RoleBinding assignment.

Metrics

Testing, Locally (CRC)

To test a new version of the operator locally using CRC you need to:

  1. start CRC
  2. run make predeploy
  3. in a separate terminal run make deploy-local
  4. apply any valid CR and watch for log changes

Controllers

Namespace Controller

Watches for the creation of new Namespaces whose names pass the NamespacesAllowedRegex and NamespacesDeniedRegex checks. When one is discovered, it creates RoleBindings in that namespace for the corresponding subject.

SubjectPermission Controller

The subjectpermission-controller is triggered by a new SubjectPermission CR or a change to an existing one. It is responsible for creating ClusterRoleBindings and RoleBindings. It reads the subjectName and clusterRoleName from the SubjectPermission CR; if the corresponding ClusterRoleBinding and/or RoleBinding do not exist, it creates them.

Custom Resources

SubjectPermission CR

The SubjectPermission CR holds the SubjectKind, SubjectName, clusterPermissions, and permissions needed to configure the RBAC policies for any given subject. All configurations can be found at managed-cluster-config.

apiVersion: managed.openshift.io/v1alpha1
kind: SubjectPermission
metadata:
  name: dedicated-admins
  namespace: openshift-rbac-permissions
spec:
  subjectKind: Group
  subjectName: dedicated-admins
  clusterPermissions:
    - dedicated-admins-cluster
  permissions:
    -
      clusterRoleName: dedicated-admins-project
      namespacesAllowedRegex: ".*"
      namespacesDeniedRegex: "(^kube-.*|^openshift.*|^ops-health-monitoring$|^management-infra$|^default$|^logging$|^sre-app-check$)"
    -
      clusterRoleName: admin
      namespacesAllowedRegex: ".*"
      namespacesDeniedRegex: "(^kube-.*|^openshift.*|^ops-health-monitoring$|^management-infra$|^default$|^logging$|^sre-app-check$)"
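The allow/deny evaluation that decides which namespaces receive a RoleBinding, written here as an added Go example (not code from the operator). The regex values are taken from the dedicated-admins-project entry in the CR above; the Permission struct, the namespaceAllowed function, the empty-deny-pattern handling and the sample namespace names are assumptions for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Permission mirrors one spec.permissions entry of the CR above (assumed struct, not the operator's API type).
type Permission struct {
	ClusterRoleName        string
	NamespacesAllowedRegex string
	NamespacesDeniedRegex  string
}

// namespaceAllowed reports whether a namespace gets the RoleBinding: it must match the
// allowed regex and not the denied one. An empty Go regexp matches every string, so an empty
// deny pattern would deny everything; here it means "deny nothing" (assumption, not the operator's rule).
func namespaceAllowed(p Permission, namespace string) (bool, error) {
	allowed, err := regexp.Compile(p.NamespacesAllowedRegex)
	if err != nil {
		return false, fmt.Errorf("allowed regex: %w", err)
	}
	if !allowed.MatchString(namespace) {
		return false, nil
	}
	if p.NamespacesDeniedRegex == "" {
		return true, nil
	}
	denied, err := regexp.Compile(p.NamespacesDeniedRegex)
	if err != nil {
		return false, fmt.Errorf("denied regex: %w", err)
	}
	return !denied.MatchString(namespace), nil
}

var dedicatedAdminsProject = Permission{ // first permissions entry of the CR above
	ClusterRoleName:        "dedicated-admins-project",
	NamespacesAllowedRegex: ".*",
	NamespacesDeniedRegex:  "(^kube-.*|^openshift.*|^ops-health-monitoring$|^management-infra$|^default$|^logging$|^sre-app-check$)",
}

func main() {
	for _, ns := range []string{"team-a", "kube-system", "openshift-monitoring", "my-default"} { // constructed samples
		ok, err := namespaceAllowed(dedicatedAdminsProject, ns)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-22s RoleBinding %s: %v\n", ns, dedicatedAdminsProject.ClusterRoleName, ok)
	}
}
```

The my-default case is allowed only because the deny alternatives are anchored with ^ and $; an unanchored alternative such as default would also have blocked it.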

Documentation


There is no documentation for this package.

Directories

Path Synopsis
api
v1alpha1
Package v1alpha1 contains API Schema definitions for the managed v1alpha1 API group +kubebuilder:object:generate=true +groupName=managed.openshift.io
controllers
pkg
util/test/generated/mocks/client
Package client is a generated GoMock package.
