@aramase
Last active October 23, 2024 18:13
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: list-secrets
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
---
# A controller can list all secrets of a particular type
# Commands to run
# 1. kubectl get secrets --field-selector=type=mytype --as=bob
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ConditionalClusterRoleBinding
metadata:
  name: list-secrets-of-type-field-selector
clusterRoleName: list-secrets
conditions:
- expression: request.user == "bob"
- expression: request.resourceAttributes.fieldSelector.requirements.exists(r, r.key == "type" && r.operator == "=" && sets.equivalent(r.values, ["mytype"]))
---
# A controller can list all secrets with a particular label
# Commands to run
# 1. kubectl get secrets --selector=mylabel=myvalue --as=bob
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ConditionalClusterRoleBinding
metadata:
  name: list-secrets-of-label-selector
clusterRoleName: list-secrets
conditions:
- expression: request.user == "bob"
- expression: request.resourceAttributes.labelSelector.requirements.exists(r, r.key == "mylabel" && r.operator == "=" && sets.equivalent(r.values, ["myvalue"]))
---
# Allow access based on a namespace name prefix
# Commands to run
# 1. kubectl get secrets --namespace=prod-1 --as=bob
# 2. kubectl get secrets --namespace=prod-2 --as=bob
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ConditionalClusterRoleBinding
metadata:
  name: list-secrets-in-namespace
clusterRoleName: list-secrets
conditions:
- expression: request.user == "bob"
- expression: request.resourceAttributes.namespace.startsWith("prod-")
---
# A node can only list resources scheduled to it
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ConditionalClusterRoleBinding
metadata:
  name: list-resources-matching-node
clusterRoleName: list-resources
conditions:
# determine it's a node by checking the prefix and asserting the name is not just the prefix
- expression: request.user.startsWith("system:node:") && size(request.user) > size("system:node:")
# it must also be in the system:nodes group
- expression: request.groups.exists(g, g == "system:nodes")
# now match the field selector to restrict the list to this specific node
- expression: request.resourceAttributes.fieldSelector.requirements.exists(r, r.key == 'spec.nodeName' && r.operator == '=' && sets.equivalent(r.values, [request.user.substring(size('system:node:'))]))
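All four bindings above gate one ClusterRole behind CEL conditions on the authorization request: every condition must be true or the binding does not apply, so a plain `kubectl get secrets` with no selector, or a node asking for another node's objects, falls through to "no binding matched". The following Python model is an added example and not part of the gist or of Kubernetes; it re-implements the effect of those expressions in plain Python so the allow/deny outcome for constructed requests can be inspected. It assumes selector requirements are modelled as key/operator/values triples and that a request with no selector evaluates as an empty requirement list; the API server's real CEL evaluation is authoritative, this only mirrors the listed expressions.

```python
"""Model of the conditional ClusterRoleBinding evaluation shown in the gist.

Added example: mirrors the CEL conditions in plain Python so that sample
requests can be checked for which binding (if any) would admit them.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Requirement:
    """One selector requirement, e.g. type=mytype (key, operator, values)."""
    key: str
    operator: str
    values: Tuple[str, ...]


@dataclass(frozen=True)
class Request:
    """Subset of the authorization request attributes the conditions read.

    Assumption: a request carrying no selector is modelled as an empty tuple.
    """
    user: str
    groups: Tuple[str, ...] = ()
    namespace: str = ""
    field_selector: Tuple[Requirement, ...] = ()
    label_selector: Tuple[Requirement, ...] = ()


def sets_equivalent(a: Sequence[str], b: Sequence[str]) -> bool:
    """Counterpart of CEL sets.equivalent(): same members, order ignored."""
    return set(a) == set(b)


def selector_requires(reqs: Sequence[Requirement], key: str, op: str,
                      values: Sequence[str]) -> bool:
    """Counterpart of requirements.exists(r, r.key == key && r.operator == op
    && sets.equivalent(r.values, values))."""
    return any(r.key == key and r.operator == op
               and sets_equivalent(r.values, values) for r in reqs)


NODE_PREFIX = "system:node:"

# binding name -> list of conditions; all must hold for the binding to apply.
BINDINGS: Dict[str, List[Callable[[Request], bool]]] = {
    "list-secrets-of-type-field-selector": [
        lambda r: r.user == "bob",
        lambda r: selector_requires(r.field_selector, "type", "=", ["mytype"]),
    ],
    "list-secrets-of-label-selector": [
        lambda r: r.user == "bob",
        lambda r: selector_requires(r.label_selector, "mylabel", "=", ["myvalue"]),
    ],
    "list-secrets-in-namespace": [
        lambda r: r.user == "bob",
        lambda r: r.namespace.startswith("prod-"),
    ],
    "list-resources-matching-node": [
        # prefix present AND the name is not just the prefix
        lambda r: r.user.startswith(NODE_PREFIX) and len(r.user) > len(NODE_PREFIX),
        lambda r: "system:nodes" in r.groups,
        # field selector must pin spec.nodeName to the caller's own node name
        lambda r: selector_requires(r.field_selector, "spec.nodeName", "=",
                                    [r.user[len(NODE_PREFIX):]]),
    ],
}


def binding_allows(name: str, req: Request) -> bool:
    """True only when every condition of the named binding holds."""
    return all(cond(req) for cond in BINDINGS[name])


def allowing_bindings(req: Request) -> List[str]:
    """Names of all bindings whose conditions the request satisfies."""
    return sorted(n for n in BINDINGS if binding_allows(n, req))


if __name__ == "__main__":
    # Constructed sample requests (not from the gist).
    samples = {
        "bob, type selector": Request("bob", field_selector=(Requirement("type", "=", ("mytype",)),)),
        "bob, no selector": Request("bob"),
        "bob, namespace prod-1": Request("bob", namespace="prod-1"),
        "node n1 listing its own": Request(NODE_PREFIX + "n1", ("system:nodes",),
                                           field_selector=(Requirement("spec.nodeName", "=", ("n1",)),)),
        "node n1 listing n2": Request(NODE_PREFIX + "n1", ("system:nodes",),
                                      field_selector=(Requirement("spec.nodeName", "=", ("n2",)),)),
        "bare prefix user": Request(NODE_PREFIX, ("system:nodes",),
                                    field_selector=(Requirement("spec.nodeName", "=", ("",)),)),
    }
    for label, req in samples.items():
        print(f"{label:28s} -> {allowing_bindings(req) or 'denied by all bindings'}")
```

The node binding is where the three conditions earn their keep: without the `size(request.user) > size("system:node:")` check, a principal named exactly `system:node:` would compute an empty node name and the field-selector condition would accept `spec.nodeName=`; the model shows that request being denied, as well as a node asking for objects pinned to a different node.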