ConfigMap with ACL policies for Rundeck hosted on Kubernetes.
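# ConfigMap carrying a Rundeck ACL policy file (multi-document YAML inside a
# block scalar). Intended to be mounted into the Rundeck container's ACL
# directory — the volume/mount itself is not part of this manifest.
apiVersion: v1
kind: ConfigMap
metadata:
  name: acl-configmap
  namespace: rundeck
  labels:
    app: rundeck
data:
  # Key name keeps the .aclpolicy suffix so Rundeck picks the file up.
  # Everything below is one string; the '---' separators and comments are
  # interpreted by Rundeck's policy loader, not by Kubernetes.
  custom.aclpolicy: |
    description: Admin, all access for admin/SRE team - project context.
    context:
      project: '.*'  # all projects
    for:
      resource:
        - allow: '*'  # allow read/create all kinds
      adhoc:
        - allow: '*'  # allow read/running/killing adhoc jobs
      job:
        - allow: '*'  # allow read/write/delete/run/kill of all jobs
      node:
        - allow: '*'  # allow read/run for all nodes
    by:
      group: admin
    ---
    description: Admin, all access for admin/SRE team - application context.
    context:
      application: 'rundeck'
    for:
      resource:
        - allow: '*'  # allow create of projects
      project:
        - allow: '*'  # allow view/admin of all projects
      project_acl:
        - allow: '*'  # allow admin of all project-level ACL policies
      storage:
        - allow: '*'  # allow read/create/update/delete for all /keys/* storage content
    by:
      group: admin
    ---
    description: Dev Application level access control, applies to viewing projects and reading system information.
    context:
      application: 'rundeck'
    for:
      resource:
        - equals:
            kind: project
          allow: [read]  # allow read of projects
        - equals:
            kind: system
          allow: [read, enable_executions, disable_executions]  # allow read of system info, enable/disable all executions
        - equals:
            kind: system_acl
          allow: [read]  # allow read of system ACL files
      project:
        - match:
            name: '.*'
          # NOTE(review): configure/delete on every project is far broader than
          # the "viewing projects" this policy's description announces — confirm
          # developers/operations really need more than [read].
          allow: [read, import, export, configure, delete]  # allow full access of all projects or use 'admin'
      project_acl:
        - match:
            name: '.*'
          allow: [read]  # allow reading project-specific ACL files
      storage:
        # NOTE(review): 'read' here exposes the contents of key storage
        # (the /keys/* tree used for passwords and private keys) to both groups.
        - allow: [read, create, update]  # allow access for storage content
    by:
      group: ['developers', 'operations']
    ---
    # NOTE(review): described as "Admin project level" but granted to the
    # developers/operations groups, not admin — align description and subject.
    description: Admin project level access control for Projects.
    context:
      project: '.*'  # all projects
    for:
      resource:
        - equals:
            kind: job
          allow: [create]  # allow create jobs
        - equals:
            kind: node
          allow: [read, create, update, refresh]  # allow refresh node sources
        - equals:
            kind: event
          allow: [read, create]  # allow read/create events
      # runAs/killAs let a member run or kill executions under another user's
      # identity; drop them unless impersonation is an explicit requirement.
      adhoc:
        - allow: [read, run, runAs, kill, killAs]  # allow running/killing adhoc jobs
      job:
        - allow: [create, read, update, run, runAs, kill, killAs]  # allow create/read/write/run/kill of all jobs
      node:
        - allow: [read, run]  # allow read/run for nodes
    by:
      group: ['developers', 'operations']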