Torin Warwick (Sandall) tsandall
tsandall
/ Steps to run kubemark locally
Last active
June 11, 2016 19:31
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - $KUBE_SRC below refers to the path of the kubernetes source code | |
| - commit 1cce15659750d90064882738425115ec547c1634 | |
| - build using $KUBE_SRC/hack/build-go | |
| - output is stored in $KUBE_SRC/_output/... | |
| - kubemark:latest image is built by running "docker build -t kubemark:latest ." inside $KUBE_SRC/cluster/images/kubemark | |
| - need to copy kubemark binary into $KUBE_SRC/cluster/images/kubemark | |
| - hollow-node.json is taken from template in $KUBE_SRC/test/kubemark/resources/ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package httpapi.authz | |
| default allow = false | |
| # Allow users to get their own salaries. | |
| allow { | |
| input.method = "GET" | |
| input.path = ["finance", "salary", user] | |
| user = input.user | |
| } |
tsandall
/ manager_of.rego
Last active
May 12, 2017 17:05
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package httpapi.authz | |
| manager_of[employee] = manager { | |
| data.employees[employee].team = team_id | |
| data.teams[team_id].lead = manager | |
| } |
tsandall
/ ssh_authz.rego
Created
May 12, 2017 15:23
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package ssh.authz | |
| default allow = false | |
| # Allow access to any user that has the "admin" role. | |
| allow { | |
| data.roles["admin"][_] = input.user | |
| } | |
| # Allow access to any user who contributed to the code running on the host. |
tsandall
/ sudo_authz.rego
Last active
May 12, 2017 15:25
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package sudo.authz | |
| default allow = false | |
| # Allow sudo access to any user that has the "admin" role. | |
| allow { | |
| data.roles["admin"][_] = input.user | |
| } |
tsandall
/ puppet_authz.rego
Last active
May 12, 2017 15:24
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package puppet.authz | |
| default allow = false | |
| allow { not deny } | |
| deny { | |
| resource = catalog.resources[resource_index] | |
| resource.type = "File" | |
| startswith(resource.title, "/etc/infra") |
tsandall
/ k8s_authz.rego
Last active
September 14, 2020 14:12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Example authorization policy for kubernetes. | |
| # | |
| # Configure kube-apiserver with the following command line arguments: | |
| # | |
| # --authorization-mode=Webhook | |
| # --authorization-webhook-config-file=<path-to-kubeconfig-file> | |
| # | |
| # The kubeconfig file must locate OPA. For example: | |
| # | |
| # clusters: |
tsandall
/ acmecorp_authz.rego
Created
June 3, 2017 16:13
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package acmecorp.api | |
| import data.acmecorp.roles | |
| default allow = false | |
| allow { | |
| input.method = “GET” | |
| input.path = [“accounts”, user] | |
| input.user = user |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| allow { | |
| risk_score = (input.num_deletes * 10) + input.num_adds | |
| risk_score < risk_limit[input.user.title] | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package smart_home.authz | |
| default allow = false | |
| allow = true { | |
| op = allowed_operations[_] | |
| input.method = op.method | |
| input.resource = op.resource | |
| } |
OlderNewer