# Example authorization policy for kubernetes.
#
# Configure kube-apiserver with the following command line arguments:
#
# --authorization-mode=Webhook
# --authorization-webhook-config-file=<path-to-kubeconfig-file>
#
# The kubeconfig file must locate OPA. For example:
#
# clusters:
# - name: opa
# cluster:
# server: http://localhost:8181/v0/data/io/k8s/authorize
# users:
# - name: apiserver
# user:
# token: apiserver
# current-context: webhook
# contexts:
# - context:
# cluster: opa
# user: apiserver
# name: webhook
#
# The webhook specifies an input document with the following structure:
#
# {
# "apiVersion": "authorization.k8s.io/v1beta1",
# "kind": "SubjectAccessReview",
# "spec": {
# "resourceAttributes": {
# "namespace": "kittensandponies",
# "verb": "GET",
# "group": "group3",
# "resource": "pods"
# // "name": <value> for requests that identify a specific resource.
# },
# "user": "jane",
# "group": [
# "group1",
# "group2"
# ]
# }
# }
package io.k8s
# Deny by default: any request that none of the allow rules below matches is
# refused. The default also keeps `allow` defined (false) when no rule fires,
# so `authorize.status.allowed` is never undefined.
default allow = false
# Grants read-only access to non-resource URLs, which discovery and client
# bootstrapping depend on. There is no user constraint, so the rule applies to
# every subject the apiserver forwards, including system:anonymous.
# NOTE(review): only the verb is checked — the request path
# (nonResourceAttributes.path) is not restricted, so every non-resource URL
# the apiserver serves becomes readable by any caller; confirm that is intended.
allow {
    verb := input.spec.nonResourceAttributes.verb
    read_verbs[verb]
}
# Cluster-wide role bindings: maps a user name to the set of roles that user
# holds regardless of namespace. Consulted by the user_role rules below.
# NOTE(review): "view" here permits get/list/watch on every resource type,
# because none of the allow rules inspect resourceAttributes.resource — this is
# broader than the built-in Kubernetes "view" ClusterRole. Binding it to
# system:anonymous exposes every readable object, secrets included, to
# unauthenticated callers; confirm this is only meant for a demo cluster.
roles = {
"system:anonymous": {
"view",
},
}
# Namespace-scoped role bindings: namespace name -> user name -> set of roles.
# Only requests whose resourceAttributes.namespace matches an entry here are
# affected; cluster-scoped requests carry no namespace and never match.
# NOTE(review): this grants "edit" (create/update/delete/connect on any resource
# in the namespace) to system:anonymous in "example" — an unauthenticated caller
# could create or delete arbitrary objects there; confirm this is intended.
namespace_roles = {
"example": {
"system:anonymous": {
"edit",
},
},
}
# Grants unrestricted access to any subject holding the "admin" role: no verb,
# resource or path check is applied, so it covers resource and non-resource
# requests alike.
allow {
    role := "admin"
    user_role[role]
}
# Grants read-only verbs on resource requests to subjects holding the "view"
# role. The resource type is not inspected, so "view" reads every kind of
# object the subject's role binding covers.
allow {
    role := "view"
    user_role[role]
    read_verbs[input.spec.resourceAttributes.verb]
}
# Grants write verbs on resource requests to subjects holding the "edit" role.
# NOTE(review): unlike the built-in Kubernetes "edit" ClusterRole, this role
# does not imply read access — an "edit"-only subject cannot get/list/watch
# unless it also holds "view"; confirm that asymmetry is intended.
allow {
    role := "edit"
    user_role[role]
    write_verbs[input.spec.resourceAttributes.verb]
}
# Grants the "admin" role to every subject whose user name starts with
# "system:", except the anonymous user.
# NOTE(review): the prefix match is wider than "system components" — service
# account identities are also named system:serviceaccount:<namespace>:<name>,
# so every service account in the cluster would be treated as admin by this
# rule; confirm that is intended before using the policy outside a demo.
user_role["admin"] {
    user := input.spec.user
    startswith(user, "system:")
    not user == "system:anonymous"
}
# Derives the input user's cluster-wide roles from the `roles` binding table:
# each element of roles[input.spec.user] becomes a member of user_role. Users
# absent from the table contribute nothing.
user_role[role] {
    bound := roles[input.spec.user]
    bound[role]
}
# Derives the input user's roles for the namespace named in the request from
# the `namespace_roles` table. The lookup is undefined — contributes nothing —
# when the request has no resourceAttributes.namespace or when the namespace or
# user is not listed.
user_role[role] {
    ns := input.spec.resourceAttributes.namespace
    bound := namespace_roles[ns][input.spec.user]
    bound[role]
}
# Set of verbs treated as read-only. Used for resourceAttributes (Kubernetes
# API verbs) and reused for nonResourceAttributes, where — assuming the verb is
# the lowercase HTTP method (TODO confirm against the apiserver's SAR encoding)
# — only "get" can ever match.
read_verbs = {"get", "list", "watch"}
# Set of verbs treated as writes, granted to the "edit" role.
# NOTE(review): "patch" and "deletecollection" are not listed, so "edit"
# subjects are denied those verbs; confirm the omission is intended.
write_verbs = {"create", "update", "delete", "connect"}
# Response document returned to the Kubernetes webhook client: a
# SubjectAccessReview whose status.allowed carries the allow decision. The
# kubeconfig shown in the header points the apiserver at this rule
# (/v0/data/io/k8s/authorize). Only "allowed" is set; no "denied" or "reason"
# field is returned. NOTE(review): the apiVersion must match the version the
# apiserver is configured to send to the webhook — confirm before deploying.
authorize = {
"kind": "SubjectAccessReview",
"apiVersion": "authorization.k8s.io/v1beta1",
"status": {
"allowed": allow,
},
}