-
-
Save avoidik/5dedade978a5aa246bfffbda5782f44c to your computer and use it in GitHub Desktop.
authn-k8s
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - !policy | |
| id: conjur/authn-k8s/minikube/default | |
| owner: !group /k8s_admin | |
| body: | |
| - !webservice | |
| annotations: | |
| kubernetes/namespace: default | |
| - !host client | |
| - !permit | |
| resource: !webservice | |
| privilege: [ read, execute ] | |
| roles: | |
| - !host client | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - !policy | |
| id: conjur/authn-k8s/minikube/default | |
| owner: !group /k8s_admin | |
| body: | |
| - !policy | |
| id: apps | |
| annotations: | |
| description: Apps and services in Kubernetes "default" namespace. | |
| body: | |
| - &hosts | |
| - !host webapp | |
| # Make these hosts visible to the devops group, so that they can add to their layers. | |
| - !permit | |
| resources: *hosts | |
| privilege: read | |
| roles: !group /devops | |
| - !permit | |
| resources: *hosts | |
| privilege: [ read, authenticate ] | |
| roles: | |
| - !host /conjur/authn-k8s/minikube/default/client | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash -e | |
| conjur policy load \ | |
| https://gist.githubusercontent.com/kgilpin/d2678650f9f3052ab3d243d8d80d989f/raw/users.yml | |
| admin_api_key=$(conjur user rotate_api_key) | |
| # ted is k8s_admin | |
| ted_api_key=$(conjur user rotate_api_key -u ted) | |
| # bob is devops | |
| bob_api_key=$(conjur user rotate_api_key -u bob) | |
| # alice is db_admin | |
| alice_api_key=$(conjur user rotate_api_key -u alice) | |
| conjur authn logout | |
| export CONJUR_AUTHN_LOGIN=ted | |
| export CONJUR_AUTHN_API_KEY=$ted_api_key | |
| conjur policy load \ | |
| https://gist.githubusercontent.com/kgilpin/d2678650f9f3052ab3d243d8d80d989f/raw/authn_k8s.yml | |
| conjur policy load \ | |
| https://gist.githubusercontent.com/kgilpin/d2678650f9f3052ab3d243d8d80d989f/raw/k8s_apps.yml | |
| export CONJUR_AUTHN_LOGIN=bob | |
| export CONJUR_AUTHN_API_KEY=$bob_api_key | |
| conjur policy load \ | |
| https://gist.githubusercontent.com/kgilpin/d2678650f9f3052ab3d243d8d80d989f/raw/webapp.yml | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - !group k8s_admin | |
| - !group devops | |
| - !group db_admin | |
| - !user ted | |
| - !grant | |
| role: !group k8s_admin | |
| member: !user ted | |
| - !user bob | |
| - !grant | |
| role: !group devops | |
| member: !user bob | |
| - !user alice | |
| - !grant | |
| role: !group db_admin | |
| member: !user alice | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - !policy | |
| id: webapp | |
| owner: !group /devops | |
| body: | |
| - !layer | |
| - !grant | |
| role: !layer | |
| members: | |
| - !host /conjur/authn-k8s/minikube/default/apps/webapp | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment