Skip to content
This repository has been archived by the owner on Jul 1, 2022. It is now read-only.

Latest commit

 

History

History
55 lines (52 loc) · 1.99 KB

rbacdefinitions.md

File metadata and controls

55 lines (52 loc) · 1.99 KB

RBAC Definitions

Just as Kubernetes Deployments make Pods much simpler to manage at scale, RBAC Definitions are designed to simplify the management of Role Bindings and Service Accounts at scale. RBAC Manager will create, update, or delete Cluster Role Bindings, Role Bindings, or Service Accounts that are referenced in an RBAC Definition. Here's a more complete example of what that could look like:

apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: rbac-manager-users-example
rbacBindings:
  - name: cluster-admins
    subjects:
      - kind: User
        name: [email protected]
    clusterRoleBindings:
      - clusterRole: cluster-admin
  - name: web-developers
    subjects:
      - kind: User
        name: [email protected]
      - kind: User
        name: [email protected]
    roleBindings:
      - clusterRole: edit
        namespace: web
      - clusterRole: view
        namespace: api
  - name: ci-bot
    subjects:
      - kind: ServiceAccount
        name: ci-bot
        namespace: rbac-manager
    roleBindings:
      - clusterRole: edit
        namespaceSelector:
          matchLabels:
            ci: edit
      - clusterRole: admin
        namespaceSelector:
          matchExpressions:
            - key: app
              operator: In
              values:
                - web
                - queue

In the above example, RBAC Manager will create the following resources:

  • A Cluster Role Binding that gives Jane cluster-admin access
  • A Role Binding that gives Dave and Joe edit access in the web namespace
  • A Role Binding that gives Dave and Joe view access in the api namespace
  • A Service Account named ci-bot in the rbac-manager namespace
  • Role Binding(s) that grant the ci-bot Service Account edit access in all namespaces with ci=edit labels
  • Role Binding(s) that grant the ci-bot Service Account admin access in all namespaces with app=web or app=queue labels

There are more examples of RBAC Definitions in the examples directory of this repo.