GithubHelp home page GithubHelp logo

global-localhost / rbac-permissions-operator Goto Github PK

View Code? Open in Web Editor NEW

This project forked from openshift/rbac-permissions-operator

0.0 0.0 2.0 8.05 MB

Operator to manage RBAC permissions for groups across subsets of namespaces

License: Apache License 2.0

Dockerfile 0.42% Shell 38.60% Go 51.35% Makefile 5.39% Python 4.23%

rbac-permissions-operator's Introduction

RBAC Permissions Operator

Summary

The RBAC-Permissions-Operator was created for the Openshift Dedicated platform to manage various permissions (via k8s RBAC policies) to all the projects/namespaces within an OpenShift Dedicated cluster. The permissions must allow for cluster and namespace scope access and the ability to safe list and/or blocklist namespaces.

It contains the following components:

  • Namespace controller: watches for new namespaces and guarantees that the proper RoleBindings are assigned to them.
  • SubjectPermission controller: watches for subject permission changes and creates ClusterRoleBindings and RoleBindings as needed.

To avoid giving admin permissions to specific namespaces (eg. infra/cluster-admin related), two regex are implemented in the form of NamespacesAllowedRegex and NamespacesDeniedRegex. These will help us determine which namespaces should get the RoleBinding assignment.

Metrics

Testing, Locally (CRC)

To test a new version of the operator locally using CRC you need to:

  1. start CRC
  2. run oc create namespace rbac-permissions-operator
  3. run oc project rbac-permissions-operator
  4. run oc apply -f deploy/crds/managed_v1alpha1_subjectpermission_crd.yaml
  5. run operator-sdk up local
  6. apply any valid CR and watch for log changes

Controllers

Namespace Controller

Watch for the creation of new Namespaces that passes through NamespacesAllowedRegex and NamespacesDeniedRegex. When discovered create RoleBindings in that namespace to the corresponding subject.

SubjectPermission Controller

The subjectpermission-controller is triggered by a new SubjectPermission CR or a change to an existing SubjectPermission CR. It is responsible for the creation of ClusterRoleBinding and Rolebinding. It looks at the subjectName and the clusterRoleName passed in by the SubjectPermission CR. If corresponding ClusterRoleBinding and/or RoleBinding do not exist then create them.

Custom Resources

SubjectPermission CR

The SubjectPermission CR holds the SubjectKind, SubjectName, clusterPermissions, and permissions needed to configure the rbac policies needed for any given subject. All configurations can be found at managed-cluster-config

apiVersion: managed.openshift.io/v1alpha1
kind: SubjectPermission
metadata:
  name: dedicated-admins
  namespace: openshift-rbac-permissions
spec:
  subjectKind: Group
  subjectName: dedicated-admins
  clusterPermissions:
    - dedicated-admins-cluster
  permissions:
    - 
      clusterRoleName: dedicated-admins-project
      namespacesAllowedRegex: ".*"
      namespacesDeniedRegex: "(^kube-.*|^openshift.*|^ops-health-monitoring$|^management-infra$|^default$|^logging$|^sre-app-check$)"
      allowFirst: true
    - 
      clusterRoleName: admin 
      namespacesAllowedRegex: ".*" 
      namespacesDeniedRegex: "(^kube-.*|^openshift.*|^ops-health-monitoring$|^management-infra$|^default$|^logging$|^sre-app-check$)" 
      allowFirst: true

rbac-permissions-operator's People

Contributors

openshift-merge-robot avatar fahlmant avatar sam-nguyen7 avatar 2uasimojo avatar jewzaam avatar lisa avatar cblecker avatar rogbas avatar jharrington22 avatar psav avatar thrasher-redhat avatar boranx avatar staebler avatar

Forkers

global19 global19-atlassian-net

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.